A few days ago a case was detected that reremembers how fragile the browser extension ecosystem can be: an extension for Chrome called "QuickLens - Search Screen with Google Lens" was removed from the Chrome Web Store after a malicious update started distributing code designed to steal credentials and assault cryptomoneda wallets.
QuickLens was born as a practical tool to search with Google Lens directly from the browser and came to bring together a few thousand users; it even appeared outstanding in the Chrome store. However, after a change of hands on your property - the extension was put on sale in a third-party market and, according to researchers, it became managed by an account linked to the mail support @ doodlebuggle.top under an unconvincing commercial name - a later version incorporated hostile code that transformed the extension into an attack vector.
The first public analysis of this manoeuvre was published by the Annex security team., which documented how the update introduced new and dangerous permissions, and how a rule file was added that removed security headers from the sites (including Content-Security-Policy, X-Frame-Options and X-XSS-Protection). You can read the Annex technical report here: annex.security / blog / pixel-perfect /.
The combination of extended permits and the deletion of these headers allowed scripts received from a command and control server to be executed on virtually any page the victims visited. According to the investigation, the extension generated a persistent identifier for each infected browser, obtained information about the user's country (using public endpoints) and consulted the malicious server every five minutes for instructions.
A subsequent journalistic analysis by the BleepingComputer He described in more detail the types of malicious load that the extension downloaded and executed. One of the tricks used was to insert a 1x1 pixel image whose onload event ran inline code on the page - a technique that, combined with the removal of CSP, allowed to remove controls that usually block injected scripts.
Among the loads that the malicious server distributed was one that contacted a domain that simulated to be a Google update and showed a false "Google Update" notice. That notice was not only annoying advertising: by pressing on it the user was given instructions to run a kind of "verification" that actually led to the download of an executable for Windows called googleupdate.ex. The file was analyzed on platforms such as VirusTotal where his artifact was registered.
This binary, according to the traces found, launched PowerShell commands in the background that tried to recover a second component from another URL and run it directly in memory, a classic technique to avoid leaving traces on disk. On the other hand, another script delivered by the command and control server was specifically aimed at cryptomoneda consumers: it detected popular extensions and portfolios (MetaMask, Phantom, Coinbase Wallet, Trust Wallet, among others), with the intention of capturing seed phrases, private keys and activity to empty wallets.
The scope was not limited to cryptoforeign exchange: modules were reported to extract emails, advertising account data on Facebook and even YouTube channel information. The extension sheet also mentioned a possible target for macOS by an infostealer known as AMOS, although that part could not be confirmed independently according to the reports.
In the face of evidence, Google removed QuickLens from the store and Chrome started automatically disabling the extension in affected browsers. Even so, those who installed it must assume that their team may have been compromised.
If you installed QuickLens, there are concrete steps you must do as soon as possible.. First, it eliminates the extension from Chrome's extension management - Google publishes instructions on how to do it on its official support: support.google.com / chrome / ansher / 187443. Then perform a complete analysis with a trusted antivirus or antimalware; tools like Malharebytes They often offer scans capable of detecting artifacts from such campaigns. Change the passwords you stored in the browser and activate the verification in two steps on your most sensitive accounts.
If you were a user of any of the portfolios mentioned, consider that the seed phrase could have been compromised. The most prudent thing is to move the funds to new directions generated by a purse that has not used the compromised keys., preferably using a physical portfolio (hardware walk) if the amount justifies it. See the security recommendations of your portfolio provider for the exact steps to follow; for example, MetaMask maintains security guides that can help you recover the protection of your assets: metamask.io - security.
This incident again highlights several structural problems: the ease with which legitimate extensions can change ownership, the sale of extensions in secondary markets and the high power that browser permissions have when used for malicious purposes. In many cases, attackers do not need to break sophisticated cryptography: it is enough to deceive the user to run a fraudulent update or to deliver his seed phrase.
To reduce the risk in the future, it is necessary to review more carefully the extensions you install, limit their number and prefer those of well-known developers. It is also recommended to review regularly the permits that each extension requests and to remove those that request wide access without a clear reason. The policies of Chrome Web Store they exist to protect the user, but they are not infallible: surveillance and individual prudence remain essential.
In short, QuickLens moved from a useful tool to a real danger after a change of control and a malicious update. Google's elimination and public analysis have stopped the campaign to some extent, but the consequences for affected users can be serious. If you were an extension user: remove it, scan your computer, change passwords and, if you drive cryptomonedas, assume the possibility that the keys are compromised and move your funds to a secure portfolio.
Safety alert Drug critical vulnerability of SQL injection in PostgreSQL requires immediate update
Drucal has published safety updates for a vulnerability qualified as "highly critical" which affects Drumal Core and allows an attacker to achieve arbitrary SQL injection in sit...
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...
The dark matter of identity is changing the rules of corporate security
The Identity Gap: Snapshot 2026 report published by Orchid Security puts numbers to a dangerous trend: the "dark matter" of identity - accounts and credentials that are neither ...