Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft

2026-03-09

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

This article reports on Chrome extensions that turned malicious following ownership transfers, enabling code injection, data theft, and host-level compromise.

•QuickLens and ShotBird extensions changed hands to new developers who pushed weaponized updates to existing users without triggering re-review.
•QuickLens strips X-Frame-Options and CSP headers from HTTP responses, polls a C2 server every 5 minutes for JavaScript payloads stored in local storage, and executes them via a hidden 1x1 GIF image onload attribute to avoid static detection.
•ShotBird delivers a ClickFix-style fake Chrome update prompt that opens cmd.exe via the Windows Run dialog, downloads "googleupdate.exe", and hooks input/textarea/select elements to capture credentials, PINs, card numbers, and tokens.
•Additional malicious extensions flagged include lmToken Chromophore (cryptocurrency seed phrase phishing), Chrome MCP Server (full RAT using Model Context Protocol), Urban VPN/Browser Guard/Ad Blocker (AI chat sc

Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture