A popular Chrome extension called QuickLens, which enabled Google Lens searches directly in the browser, was hijacked after being sold on a marketplace and subsequently pushed malicious updates to its approximately 7,000 users. The extension's new owners released version 5.8 on February 17, 2026, introducing code that stripped critical security headers from websites and established communication with a command-and-control server. This allowed the extension to poll for instructions every five minutes and execute malicious JavaScript on every page load.
Affected users began reporting persistent fake Google Update alerts appearing on every website, displaying ClickFix prompts that instructed them to run "verification" code on their computers. Windows victims who complied downloaded a signed executable that launched hidden PowerShell commands, though the second-stage payload was no longer available by the time of analysis. The extension also deployed cryptocurrency theft scripts targeting over a dozen popular wallets, including MetaMask, Phantom, and Coinbase Wallet, attempting to steal seed phrases and wallet activity.
Additional malicious components scraped Gmail inbox contents, extracted Facebook Business Manager data, and collected YouTube channel information. The extension's new ownership was traced to an LLC with a barely functional domain, and the malicious update requested expanded permissions including network request manipulation. Google has since removed QuickLens from the Chrome Web Store and automatically disabled it for affected users, who are advised to completely remove the extension, scan for malware, reset browser-stored credentials, and transfer funds from any cryptocurrency wallets used. This incident follows a similar pattern from last month where another extension used ClickFix techniques to deploy ModeloRAT malware.
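Two of the behaviours above are visible in an extension's static files: a version-to-version jump in requested permissions (network request manipulation, broad host access) and declarativeNetRequest rules that remove security headers from responses. The following audit script is an added example, not code from the original article or from QuickLens; the two manifests and the rule set it checks are constructed samples that imitate a benign-looking version followed by a suspicious update.

```python
"""Audit a Chrome extension update for permission escalation and header-stripping rules."""
import json

# Permissions that let an extension rewrite network traffic or inject into every page.
RISKY_PERMISSIONS = {
    "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
    "webRequest", "webRequestBlocking", "scripting", "cookies", "<all_urls>",
}
# Response headers whose removal weakens the protections of every site the user visits.
SECURITY_HEADERS = {
    "content-security-policy", "x-frame-options", "strict-transport-security",
    "x-content-type-options", "cross-origin-opener-policy",
}

def permission_delta(old_manifest, new_manifest):
    """Return the permissions (API and host) that the new manifest adds over the old one."""
    def perms(m):
        return set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    return perms(new_manifest) - perms(old_manifest)

def header_stripping_rules(rules):
    """Return (rule id, header) pairs for modifyHeaders rules that remove a security header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for h in action.get("responseHeaders", []):
            name = h.get("header", "").lower()
            if h.get("operation") == "remove" and name in SECURITY_HEADERS:
                hits.append((rule.get("id"), name))
    return hits

def audit_update(old_manifest, new_manifest, rules):
    """Summarise added permissions, the risky subset, and any header-stripping rules."""
    added = permission_delta(old_manifest, new_manifest)
    return {"added_permissions": sorted(added),
            "risky_added": sorted(added & RISKY_PERMISSIONS),
            "stripped_headers": header_stripping_rules(rules)}

# Constructed samples (hypothetical, not the real QuickLens files): a quiet 5.7 and a noisy 5.8.
OLD_MANIFEST = {"manifest_version": 3, "version": "5.7", "permissions": ["contextMenus", "storage"]}
NEW_MANIFEST = {"manifest_version": 3, "version": "5.8",
                "permissions": ["contextMenus", "storage", "declarativeNetRequest", "scripting"],
                "host_permissions": ["<all_urls>"]}
SAMPLE_RULES = [
    {"id": 1, "action": {"type": "modifyHeaders", "responseHeaders": [
        {"header": "Content-Security-Policy", "operation": "remove"},
        {"header": "X-Frame-Options", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
    {"id": 2, "action": {"type": "block"}, "condition": {"urlFilter": "ads.example"}},
]

if __name__ == "__main__":
    print(json.dumps(audit_update(OLD_MANIFEST, NEW_MANIFEST, SAMPLE_RULES), indent=2))
```

Run it against an unpacked extension by loading its `manifest.json` for both versions and the JSON rule files named under `declarative_net_request.rule_resources`; a non-empty `stripped_headers` list on a general-purpose extension is the finding to escalate.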
