QuickLens and ShotBird malicious Chrome extension update chain
Malware Activity
Summary
Hide ▲
Show ▼
The QuickLens and ShotBird Chrome extensions have become malicious after ownership transfer, turning trusted add-ons into a delivery path for code injection and data theft. Their payloads used C2-delivered JavaScript and a hidden browser execution path, while ShotBird also pushed a fake Chrome update lure that led Windows users to launch googleupdate.exe. The result is credential capture, browser-data siphoning, and host-level script execution on affected systems.
Related Happenings
Silent Swap browser-extension clipboard clipper
Malware Activity
H score36
First: 30.06.2026 18:40
Last: 30.06.2026 18:40
Sources 1
About this happening:
The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Silent Swap browser-extension clipboard clipper
Malware ActivityAbout this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical Analysis
H score23
First: 25.06.2026 17:12
Last: 25.06.2026 17:12
Sources 1
About this happening:
A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical AnalysisAbout this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
BrowserOS WebPromptTrap patch release (0.32.0)
Security Patch Release
H score11
First: 29.05.2026 21:07
Last: 29.05.2026 21:07
Sources 1
About this happening:
**BrowserOS** patched **WebPromptTrap** in **version 0.32.0**, closing an indirect prompt-injection flaw that could trick users into approving an **authorization step** inside the...
BrowserOS WebPromptTrap patch release (0.32.0)
Security Patch ReleaseAbout this happening: **BrowserOS** patched **WebPromptTrap** in **version 0.32.0**, closing an indirect prompt-injection flaw that could trick users into approving an **authorization step** inside the...
Chromium JavaScript background RCE flaw
Vulnerability
H score16
First: 21.05.2026 21:13
Last: 21.05.2026 21:13
Sources 1
About this happening:
The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Chromium JavaScript background RCE flaw
VulnerabilityAbout this happening: The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Timeline
-
09.03.2026 12:28 1 articles · 4mo ago
QuickLens listed for sale
Campaign Scope UpdateQuickLens is listed for sale on ExtensionHub by [email protected], creating an early supply-chain transfer point for the Chrome extension later implicated in malicious updates.
Show sources
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
-
09.03.2026 12:28 1 articles · 4mo ago
QuickLens owner transfer
Campaign Scope UpdateThe QuickLens Chrome Web Store listing changes owner to [email protected], aligning the extension with a new account before the later malicious payload update.
Show sources
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
-
09.03.2026 12:28 1 articles · 4mo ago
QuickLens malicious update
Technical Analysis UpdateQuickLens receives a malicious update that keeps the original functionality but strips security headers such as X-Frame-Options from HTTP responses, bypasses CSP, fingerprints the user environment, polls a C2 every five minutes, stores delivered JavaScript in browser local storage, and executes it at page load through a hidden 1×1 GIF <img> onload handler.
Show sources
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
-
09.03.2026 12:28 2 articles · 4mo ago
QuickLens and ShotBird disclosure
Initial DisclosureResearchers publicly describe QuickLens and ShotBird as malicious Chrome extensions after ownership transfer, highlighting C2-delivered JavaScript, ClickFix-style fake Chrome update lures, browser-data capture, and host-side script execution via googleupdate.exe on Windows hosts.
Show sources
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28