A compromised Google Chrome extension named “QuickLens – Search Screen with Google Lens” has been removed from the Chrome Web Store after a malicious update turned it into a delivery channel for malware, cryptocurrency theft, and ClickFix-style social engineering against thousands of users.
The incident is part of a growing pattern of supply-chain abuse aimed at browser extensions: trusted tools that, once compromised, give an attacker code execution inside every page the user visits, along with access to sessions, credentials, and other sensitive browser data.
From Legitimate Tool to Malware Distribution Channel
QuickLens was originally published as a productivity extension allowing users to perform Google Lens searches directly from their browser. At its peak, the extension had approximately 7,000 users and had even received a featured badge from Google — indicating prior legitimacy.
However, on February 17, 2026, version 5.8 was released with malicious modifications. According to research by Annex Security, the extension had recently changed ownership after being listed for sale on an extension marketplace. Ownership was transferred to an entity using the email [email protected] under “LLC Quick Lens,” accompanied by a questionable privacy policy hosted on a minimally functional domain.
Just over two weeks after the ownership change, the malicious update was pushed to users.
Dangerous Permission Escalation and Security Header Stripping
Version 5.8 requested additional high-risk browser permissions, including:
- declarativeNetRequestWithHostAccess
- webRequest
Both permissions let an extension observe and alter network traffic. More critically, the update shipped a declarativeNetRequest rules.json that removed security headers from the HTTP responses of every site the user visited, including:
- Content-Security-Policy (CSP)
- X-Frame-Options
- X-XSS-Protection
CSP is the header a site uses to restrict which scripts may run in its pages. With it stripped, the extension's injected and remotely fetched JavaScript ran on virtually any page, including sites whose policy would otherwise have blocked inline or third-party code. Removing X-Frame-Options additionally leaves pages open to framing (clickjacking); X-XSS-Protection is a legacy header that Chrome itself no longer honors, so its removal mainly affects older browsers.
Command-and-Control Infrastructure and Persistent Tracking
The compromised extension communicated with a command-and-control (C2) server at api.extensionanalyticspro[.]top. On installation it generated a persistent UUID, looked up the user's country via Cloudflare's cdn-cgi/trace endpoint, recorded the browser and operating system, and then polled the C2 server every five minutes for new instructions.
Researchers observed that the extension fetched malicious JavaScript payloads and executed them on every page load using what Annex described as a “1×1 GIF pixel onload trick”, that is, an injected one-pixel image element whose onload event fires the attacker's script. Because the CSP header had been stripped, these injected scripts ran even on sites that would normally block inline code.
ClickFix Social Engineering and Windows Malware Delivery
One of the primary payloads retrieved from attacker infrastructure displayed fake Google Update prompts via google-update[.]icu. Users who clicked the “update” button were subjected to a ClickFix-style attack instructing them to execute commands locally.
On Windows systems, this resulted in the download of a malicious executable named googleupdate.exe, signed with a code-signing certificate issued to “Hubei Da’e Zhidao Food Technology Co., Ltd.” Once executed, the binary launched a hidden PowerShell process, which in turn spawned a second PowerShell session.
The script connected to a remote endpoint using a custom “Katzilla” user agent, retrieved additional payloads, and executed them via Invoke-Expression. At the time of analysis, the second-stage infrastructure was no longer serving malicious content, so the later stages could not be recovered; this suggests either a takedown or an operational shutdown.
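The two network behaviors described above, the five-minute C2 poll and the second-stage fetch with a custom user agent, are what a defender can hunt for in web-proxy logs. The following is an added example, not code from the article or from Annex Security: it flags requests to the named indicator hosts or carrying a “Katzilla” user agent, and separately detects beaconing by looking for a (client, host) pair whose inter-request gaps cluster around one period, so that it still fires when the attacker moves to a domain not yet on an indicator list. The tab-separated log format, the client IP, the staging host cdn.example-stage.net and the timestamps are all constructed for this example; adapt `parseLine` to your proxy's real format.

```javascript
// Added example (not the article's code): hunt proxy logs for the C2 polling
// and custom-user-agent fetch described in the QuickLens incident.
// Log format (constructed): ISO timestamp \t client IP \t host \t path \t user agent

// Hosts named in the incident write-up (defanging brackets removed).
const IOC_HOSTS = new Set([
  "api.extensionanalyticspro.top",
  "google-update.icu",
]);
// The second-stage PowerShell fetch used a custom user agent.
const IOC_USER_AGENT_PATTERNS = [/katzilla/i];

// Parses one log line into a record, or returns null for malformed lines.
function parseLine(line) {
  const parts = line.split("\t");
  if (parts.length < 5) return null;
  const [ts, client, host, urlPath, ua] = parts;
  const t = Date.parse(ts);
  if (Number.isNaN(t)) return null;
  return { t, client, host: host.toLowerCase(), urlPath, ua };
}

// Direct indicator matches: known hosts or the custom user agent.
function iocHits(records) {
  return records.filter(
    (r) => IOC_HOSTS.has(r.host) || IOC_USER_AGENT_PATTERNS.some((p) => p.test(r.ua)),
  );
}

// Beacon detection: for each (client, host) pair with at least minCount
// requests, compute the gaps between consecutive requests and report the pair
// if every gap lies within `jitter` seconds of the median gap (and, when
// targetPeriod is given, the median itself is near that period).
function findBeacons(records, { minCount = 4, jitter = 30, targetPeriod = null } = {}) {
  const byPair = new Map();
  for (const r of records) {
    const key = `${r.client} -> ${r.host}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(r.t);
  }
  const beacons = [];
  for (const [pair, times] of byPair) {
    if (times.length < minCount) continue;
    times.sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push((times[i] - times[i - 1]) / 1000);
    const sorted = [...gaps].sort((a, b) => a - b);
    const median = sorted[Math.floor(sorted.length / 2)];
    const regular = gaps.every((g) => Math.abs(g - median) <= jitter);
    const nearTarget = targetPeriod === null || Math.abs(median - targetPeriod) <= jitter;
    if (regular && nearTarget) beacons.push({ pair, count: times.length, periodSeconds: median });
  }
  return beacons;
}

function analyze(logText, opts) {
  const records = logText.split("\n").map(parseLine).filter(Boolean);
  return { iocHits: iocHits(records), beacons: findBeacons(records, opts) };
}

// Constructed sample: one client polling the C2 host roughly every 300 s,
// one second-stage fetch with the custom user agent, and ordinary browsing
// to an unrelated site with irregular timing.
const SAMPLE_LOG = [
  "2026-02-18T09:00:02Z\t10.1.2.3\tapi.extensionanalyticspro.top\t/config\tMozilla/5.0 Chrome/133",
  "2026-02-18T09:05:01Z\t10.1.2.3\tapi.extensionanalyticspro.top\t/config\tMozilla/5.0 Chrome/133",
  "2026-02-18T09:10:03Z\t10.1.2.3\tapi.extensionanalyticspro.top\t/config\tMozilla/5.0 Chrome/133",
  "2026-02-18T09:15:02Z\t10.1.2.3\tapi.extensionanalyticspro.top\t/config\tMozilla/5.0 Chrome/133",
  "2026-02-18T09:20:04Z\t10.1.2.3\tapi.extensionanalyticspro.top\t/config\tMozilla/5.0 Chrome/133",
  "2026-02-18T09:21:30Z\t10.1.2.3\tcdn.example-stage.net\t/s2\tKatzilla",
  "2026-02-18T09:01:10Z\t10.1.2.3\twww.example.com\t/\tMozilla/5.0 Chrome/133",
  "2026-02-18T09:03:44Z\t10.1.2.3\twww.example.com\t/news\tMozilla/5.0 Chrome/133",
  "2026-02-18T09:19:00Z\t10.1.2.3\twww.example.com\t/about\tMozilla/5.0 Chrome/133",
  "2026-02-18T09:40:12Z\t10.1.2.3\twww.example.com\t/\tMozilla/5.0 Chrome/133",
].join("\n");

console.log(JSON.stringify(analyze(SAMPLE_LOG, { targetPeriod: 300 }), null, 2));
```

The median-gap test is deliberately simple: it tolerates the few seconds of scheduling jitter a browser timer introduces but rejects human browsing, whose gaps vary by minutes. Run it without `targetPeriod` to surface any regular poller, then triage the hosts it returns; a consumer extension that phones home on a fixed short timer is unusual enough to be worth a look regardless of the domain.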
Cryptocurrency Wallet Theft and Credential Harvesting
Beyond malware deployment, the extension delivered separate JavaScript agents designed for credential and crypto asset theft. It actively scanned for installed wallet extensions, including:
- MetaMask
- Coinbase
- Trust Wallet
- Binance
- Exodus
If one was found, the script attempted to capture wallet activity, seed phrases, and authentication data, which is enough for a full wallet takeover.
Additional scripts harvested login credentials, payment card data, and sensitive form inputs. Some payloads scraped Gmail inbox content, extracted Facebook Business Manager advertising data, and collected YouTube channel metadata, expanding the threat beyond financial theft into account hijacking and digital asset compromise.
There are also claims that macOS users were targeted with AMOS (Atomic Stealer), though independent verification remains limited.
Chrome Web Store Removal and Risk Mitigation
Google has removed the QuickLens extension from the Chrome Web Store, and affected installations are now automatically disabled in Chrome. Disabling the extension stops further injection, but it does not undo anything already exfiltrated, and it does not remove a second-stage binary that a ClickFix victim ran by hand.
Users who installed QuickLens should:
- Confirm the extension is fully removed (disabled is not the same as uninstalled)
- Run a full malware scan; anyone who ran the “update” command should treat the machine as compromised rather than trust a cleanup
- Change every password stored in the browser, and any password entered while the extension was active
- Revoke active sessions for email, financial, and social accounts
- Treat any cryptocurrency wallet used in that browser as exposed: create new wallets and move funds to the new addresses
This case underscores the growing abuse of browser extension supply chains. A compromised extension bypasses many traditional security controls because it runs with the browser's own privileges, inside the user's already-authenticated sessions, rather than as a separate process that endpoint tooling is used to inspecting.
Notably, this is not the first time browser extensions have been weaponized in ClickFix campaigns. Huntress recently identified another malicious extension that intentionally crashed browsers before displaying fake “fixes” that installed the ModeloRAT remote access trojan.
For enterprises and high-risk users, enforcing strict extension allowlists (in Chrome, via the ExtensionInstallAllowlist and ExtensionInstallBlocklist policies), monitoring for permission changes introduced by extension updates, and deploying endpoint detection and response (EDR) to catch the hands-on ClickFix stage remain the critical defensive measures against extension-based malware campaigns.
