QuickLens - Search Screen with Google Lens hit by network compromise
Incident
Summary
Hide ▲
Show ▼
The QuickLens - Search Screen with Google Lens Chrome extension was compromised and used to push malware to about 7,000 users, creating risk of credential theft and wallet theft. The malicious version 5.8 update landed on February 17, 2026 and the extension was later removed from the Chrome Web Store. Google also disabled the extension for affected users.
Related Happenings
Google overhauls Android and Chrome bug bounty programs
Commercial Activity
First: 05.05.2026 14:24
Last: 05.05.2026 14:24
Sources 1
About this happening:
**Google** overhauls its **Android and Chrome** vulnerability rewards programs, reshaping payout tiers for **exploit research** and raising top rewards to **$1.5 million**. The ch...
Google overhauls Android and Chrome bug bounty programs
Commercial ActivityAbout this happening: **Google** overhauls its **Android and Chrome** vulnerability rewards programs, reshaping payout tiers for **exploit research** and raising top rewards to **$1.5 million**. The ch...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
Chrome Web Store malicious extensions coordinated campaign using shared C2
CampaignAbout this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Chrome extension campaign
Campaign
First: 14.04.2026 14:30
Last: 14.04.2026 14:30
Sources 1
About this happening:
A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Chrome extension campaign
CampaignAbout this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Google security patch release for CVE-2026-5858
Security Patch Release
First: 10.04.2026 13:44
Last: 10.04.2026 13:44
Sources 1
About this happening:
**Google** released the first stable **Chrome 147** build, closing **60 vulnerabilities** and raising the browser’s baseline security ahead of broader deployment. The patch bundle...
Google security patch release for CVE-2026-5858
Security Patch ReleaseAbout this happening: **Google** released the first stable **Chrome 147** build, closing **60 vulnerabilities** and raising the browser’s baseline security ahead of broader deployment. The patch bundle...
Timeline
-
28.02.2026 21:18 1 articles · 2mo ago
QuickLens ownership shifts to LLC Quick Lens
Campaign Scope UpdateQuickLens - Search Screen with Google Lens changed ownership to [email protected] under LLC Quick Lens, and a new privacy policy appeared on a barely functional domain.
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18
-
28.02.2026 21:18 2 articles · 2mo ago
QuickLens version 5.8 adds malicious ClickFix and theft payloads
Technical Analysis UpdateOn February 17, 2026, version 5.8 of QuickLens - Search Screen with Google Lens was released with malicious scripts that introduced ClickFix prompts and info-stealing behavior, requested declarativeNetRequestWithHostAccess and webRequest, stripped CSP, X-Frame-Options, and X-XSS-Protection, polled api.extensionanalyticspro[.]top for instructions, and delivered payloads that targeted crypto wallets, credentials, Gmail inbox contents, Facebook Business Manager data, and YouTube channel information.
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
-
28.02.2026 21:18 1 articles · 2mo ago
QuickLens compromise becomes public and the extension is removed
Initial DisclosurePublic reporting on February 28, 2026 highlighted fake Google Update alerts on visited pages, and Google removed QuickLens - Search Screen with Google Lens from the Chrome Web Store so Chrome automatically disabled it for affected users.
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18