Two Google Chrome extensions turn malicious after ownership transfer

Two previously legitimate Google Chrome extensions have reportedly become malicious after being sold to new owners.

The affected extensions are QuickLens – Search Screen with Google Lens, which had around 7,000 users, and ShotBird – Scrolling Screenshots, Tweet Images & Editor, used by about 800 people. Both were originally linked to developer Akshay Anu but were later transferred to different owners.

Security researchers say the new versions of the extensions were modified to carry out malicious activities like disabling certain browser security protections, injecting malicious code into websites, and collecting sensitive user information.

The ShotBird extension reportedly displays a fake Google Chrome update prompt. If users follow the instructions, they may download malware disguised as an update file called googleupdate.exe. Once installed, the malware can capture data entered into websites, such as login credentials, PINs, card details, and other personal information.

Meanwhile, QuickLens kept its original features but added the ability to bypass website security policies and run hidden scripts received from a remote server. Researchers believe the same attacker is behind both incidents because the extensions use similar command-and-control systems and attack methods.

QuickLens has already been removed from the Chrome Web Store, but ShotBird was still available at the time the research was published. Security experts advise users to remove suspicious extensions and review browser permissions regularly.
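One way to act on that advice is to compare an extension's manifest before and after an update and flag newly requested capabilities. The following is an added example, not code from the research or from either extension; the two manifests are constructed samples, and the mapping of permissions to the behaviours described above is an assumption, since the report summarized here does not name specific permissions.

```python
import json

# Real Chrome permission names mapped to behaviours like those in the article.
# Which permissions the two extensions actually requested is not stated there;
# this mapping is an assumption of the example.
RISKY = {
    "declarativeNetRequest": "can rewrite or strip response headers such as CSP",
    "webRequest": "can observe network requests",
    "scripting": "can inject scripts into pages",
    "downloads": "can start file downloads",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
KEYS = ("permissions", "optional_permissions",
        "host_permissions", "optional_host_permissions")

def capabilities(manifest):
    """Split a Manifest V2 or V3 manifest into (API permissions, host patterns)."""
    perms, hosts = set(), set()
    for key in KEYS:
        for entry in manifest.get(key, []):
            # MV2 mixes host patterns into "permissions"; separate them here.
            is_host = "://" in entry or entry == "<all_urls>"
            (hosts if is_host else perms).add(entry)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return perms, hosts

def diff_update(old, new):
    """List risky capabilities present in the new manifest but not the old one."""
    old_perms, old_hosts = capabilities(old)
    new_perms, new_hosts = capabilities(new)
    findings = []
    for perm in sorted(new_perms - old_perms):
        if perm in RISKY:
            findings.append(f"new permission {perm}: {RISKY[perm]}")
    for host in sorted(new_hosts - old_hosts):
        if host in BROAD_HOSTS:
            findings.append(f"new host access {host}: applies to every site")
    return findings

# Constructed sample manifests (not taken from QuickLens or ShotBird).
OLD = json.loads('{"manifest_version": 3, "version": "1.0.0",'
                 ' "permissions": ["activeTab", "storage"]}')
NEW = json.loads('{"manifest_version": 3, "version": "1.1.0",'
                 ' "permissions": ["activeTab", "storage", "scripting",'
                 ' "declarativeNetRequest"], "host_permissions": ["<all_urls>"]}')

if __name__ == "__main__":
    for finding in diff_update(OLD, NEW):
        print(finding)
```

A clean diff does not prove an update is safe, because an extension that already held broad permissions can change behaviour without requesting new ones.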

