Following what appears to be a case of ownership transfer, two Google Chrome extensions have turned malicious, giving attackers a means to harvest sensitive data, inject arbitrary code, and distribute malware to downstream users. The two extensions in question are QuickLens and ShotBird; QuickLens is no longer available for download from the Chrome Web Store, but ShotBird is still available as of this writing.
Both extensions were initially linked to a developer named "akshayanuonline@gmail.com" (BuildMelon). When ShotBird was first released in November 2024, its developer, Akshay Anu S (@AkshayAnuOnline), stated on X that the extension is appropriate for "creating professional, studio-like visuals," and that all processing takes place locally.
The browser add-on was flagged as "Featured" in January 2025 before being transferred to another developer ("loraprice198865@gmail.com") at some point last month, according to research published by monxresearch-sec. Similarly, two days after it was published, on October 11, 2025, "akshayanuonline@gmail.com" listed QuickLens for sale on ExtensionHub, according to John Tuckner of Annex Security. Even though there aren't any extensions for sale right now, the developer has an ExtensionHub account.
Additionally, the person has tried to sell domains such as "AIInfraStack[.]com" for $2,500, claiming that the "strong keyword domain" is "relevant for [sic] rapidly growing AI ecosystem." "This is the extension supply chain problem in a nutshell," stated Annex Security.
"Every current user receives a weaponized update from the new owner of a 'Featured,' reviewed, functional extension." The revelation coincides with Microsoft's warning about malicious Chromium-based browser extensions that pose as trustworthy AI assistant tools in order to collect browsing histories and LLM chat histories. According to the Microsoft Defender Security Research Team, "at scale, this activity turns a seemingly trusted productivity extension into a persistent data collection mechanism embedded in everyday enterprise browser usage, highlighting the growing risk browser extensions pose in corporate environments."
Threat hunters have also discovered lmToken Chromophore (ID: bbhaganppipihlhjgaaeeeefbaoihcgi), a malicious Chrome extension that poses as imToken and advertises itself in the Chrome Web Store as a hex color visualizer in order to steal cryptocurrency seed phrases via phishing redirects.
AI Output Algo Tool (ID: eeoonfhmbjlmienmmbgapfloddpmoalh) and two other extensions that display the same browser-hijacking behavior consistent with OmniBar, via home page override and search interception, are thought to be the ultimate goal of what appears to be a large-scale affiliate marketing scheme, according to Unit 42. The official extension for Serpey.com carries the ID hokdpdlchkgcenfpiibjjfkfmleoknkp. A more thorough examination of three additional extensions released by the same developer ("jon@status77.com" and Status 77) revealed that two of them monitor user browsing activity in order to insert affiliate markers, while the third extracts user Reddit comment threads and sends them to an API endpoint under the developer's control:
- Care.Sale (ID: jaioobipjdejpeckgojiojjahmkiaihp)
- Official Extension of Giant Coupons (ID: akdajpomgjgldidenledjjiemgkjcchc)
- Reddit Comment Consensus Summarizer (ID: mkkfklcadlnkhgapjeejemflhamcdjld)

Users who have installed any of the aforementioned extensions are advised to remove them from their browsers right away, to refrain from side-loading or installing unreliable productivity extensions, and to check their browsers for any unknown extensions and remove them.
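As an added example that is not part of the original article, the following Python script turns the advice above into a check: it reads a Chrome profile's Extensions directory (the on-disk layout Extensions/<id>/<version>/manifest.json), lists every installed extension with its permissions, and flags the IDs named in this article. The sample profile it builds is constructed for the demonstration, and the set of broad permissions it highlights is my own heuristic, not the article's.

```python
import json
import tempfile
from pathlib import Path
# Extension IDs named in the article, with the names the article gives them.
FLAGGED_IDS = {
    "bbhaganppipihlhjgaaeeeefbaoihcgi": "lmToken Chromophore (imToken lookalike)",
    "eeoonfhmbjlmienmmbgapfloddpmoalh": "AI Output Algo Tool",
    "hokdpdlchkgcenfpiibjjfkfmleoknkp": "Serpey.com official extension",
    "jaioobipjdejpeckgojiojjahmkiaihp": "Care.Sale",
    "akdajpomgjgldidenledjjiemgkjcchc": "Giant Coupons official extension",
    "mkkfklcadlnkhgapjeejemflhamcdjld": "Reddit Comment Consensus Summarizer",
}
# Permissions that let an extension read or rewrite traffic on every site (my own heuristic, not the article's).
BROAD = {"<all_urls>", "webRequest", "declarativeNetRequest", "tabs", "history", "cookies"}

def inventory(profile_dir):
    """One record per installed extension, read from <profile>/Extensions/<id>/<ver>/manifest.json
    (e.g. ~/.config/google-chrome/Default on Linux, ...\\Chrome\\User Data\\Default on Windows)."""
    records = []
    for ext_dir in sorted(Path(profile_dir, "Extensions").glob("*")):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            m = json.loads(manifest_path.read_text(encoding="utf-8"))
            perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
            records.append({
                "id": ext_dir.name,
                "name": m.get("name", "?"),
                "version": m.get("version", manifest_path.parent.name),
                "flagged": FLAGGED_IDS.get(ext_dir.name),   # None if not an article ID
                "broad_permissions": sorted(perms & BROAD),
            })
    return records

def build_sample_profile():
    """Constructed sample profile (not real data): one article ID plus one benign extension."""
    root = Path(tempfile.mkdtemp())
    fixtures = {
        "jaioobipjdejpeckgojiojjahmkiaihp": {"name": "Care.Sale", "version": "1.2.0",
            "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
        "aaaabbbbccccddddeeeeffffgggghhhh": {"name": "Constructed Benign Theme", "version": "0.1", "permissions": ["storage"]},
    }
    for ext_id, manifest in fixtures.items():
        d = root / "Extensions" / ext_id / (manifest["version"] + "_0")  # Chrome-style version dir
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
if __name__ == "__main__":
    for r in inventory(build_sample_profile()):
        tag = f"FLAGGED: {r['flagged']}" if r["flagged"] else "not in article list"
        print(f"{r['id']} {r['name']} v{r['version']} [{tag}] broad={r['broad_permissions']}")
```

Point inventory() at a real profile directory to list that browser's extensions; anything flagged, or unrecognised and holding broad permissions, is a candidate for removal.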