{"id":221595,"date":"2026-03-09T06:28:00","date_gmt":"2026-03-09T10:28:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/09\/chrome-extension-turns-malicious-after-ownership-transfer-enabling-code-injection-and-data-theft\/"},"modified":"2026-03-09T11:25:09","modified_gmt":"2026-03-09T15:25:09","slug":"chrome-extension-turns-malicious-after-ownership-transfer-enabling-code-injection-and-data-theft","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/09\/chrome-extension-turns-malicious-after-ownership-transfer-enabling-code-injection-and-data-theft\/","title":{"rendered":"Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/chrome-extension-turns-malicious-after.html\">Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/chrome-extension-turns-malicious-after.html\">https:\/\/thehackernews.com\/2026\/03\/chrome-extension-turns-malicious-after.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-09 06:28:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to downstream customers, inject arbitrary code, and harvest sensitive data.<\/p>\n<p>The extensions in question, both originally associated with a developer named &#8220;akshayanuonline@gmail.com&#8221; (BuildMelon), are listed below &#8211;<\/p>\n<ul>\n<li>QuickLens &#8211; Search Screen with Google Lens (ID: kdenlnncndfnhkognokgfpabgkgehodd) &#8211; 7,000 users<\/li>\n<li>ShotBird &#8211; Scrolling Screenshots, Tweet Images &#038; Editor (ID: gengfhhkjekmlejbhmmopegofnoifnjp) &#8211; 800 users<\/li>\n<\/ul>\n<p>While QuickLens 
is no longer available for download from the Chrome Web Store, ShotBird remains accessible as of writing. ShotBird was originally launched in November 2024, with its developer, Akshay Anu S (@AkshayAnuOnline), claiming on X that the extension is suitable for &#8220;creating professional, studio-like visuals,&#8221; and that all processing happens locally.<\/p>\n<p>According to research published by monxresearch-sec, the browser add-on received a &#8220;Featured&#8221; flag in January 2025, before it was passed on to a different developer (&#8220;loraprice198865@gmail.com&#8221;) sometime last month.<\/p>\n<p>In a similar vein, QuickLens was listed for sale on ExtensionHub on October 11, 2025, by &#8220;akshayanuonline@gmail.com&#8221; merely two days after it was published, Annex Security&#8217;s John Tuckner said. On February 1, 2026, the extension&#8217;s owner changed to &#8220;support@doodlebuggle.top&#8221; on the Chrome Web Store listing page.<\/p>\n<p>The malicious update introduced to QuickLens on February 17, 2026, kept the original functionality but added capabilities to strip security headers (e.g., X-Frame-Options) from every HTTP response, allowing malicious scripts injected into a web page to make arbitrary requests to other domains, bypassing Content Security Policy (CSP) protections.<\/p>\n<p>In addition, the extension contained code to fingerprint the user&#8217;s country, detect the browser and operating system, and poll an external server every five minutes to receive&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/chrome-extension-turns-malicious-after.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft https:\/\/thehackernews.com\/2026\/03\/chrome-extension-turns-malicious-after.html 
Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":221596,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgH49NW0X18R8bc0fzFm6aPt92f15pxPq-HLMfyFmsApiXvZEsCn4z9qNQErHHvW34SFXKUPWy7mK70hM06Ld6Cxa4DioW7xjV9jnMamMF3DDKIQ39VwJhvq7l4bO79yzGp8huA6ewRk-XdWvJSeYT8fs16PdOa9BSxdbzw0hIwC1PVxh9uY5L0Wx3nNMAL\/s1600\/chrome-malware.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32],"class_list":["post-221595","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/221595"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=221595"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/221595\/revisions"}],"predecessor-version":[{"id":221597,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/221595\/revisions\/221597"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/221596"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=221595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=221595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=221595"}],"curies":[{"name":"wp","href":"https:\/\/ap
i.w.org\/{rel}","templated":true}]}}