Chrome Extensions Compromised Through Developer Account Takeover
Two Google Chrome extensions became malicious on March 9, 2026, after their ownership was transferred from the original developer. The extensions, initially created by BuildMelon under the email akshayanuonline@gmail.com, were compromised to deliver malware and harvest user data. One of the affected extensions is QuickLens - Search Screen, while the second extension's full name wasn't disclosed in security reports.
The attack represents a supply chain compromise where legitimate browser extensions are weaponized after bad actors gain control of developer accounts. This method allows attackers to push malicious updates to users who already trust and have installed the extensions.
Chrome Users With Installed Extensions at Risk
Users who previously installed QuickLens and the second compromised extension are directly affected by this attack. The malicious code can inject arbitrary scripts into web pages, potentially compromising any website the user visits while the extension remains active.
The attack scope includes data harvesting capabilities that could expose browsing history, form inputs, login credentials, and other sensitive information processed through the browser. Chrome's extension permission model means these extensions likely had broad access to user web activity.
Malware Injection and Data Theft Capabilities Confirmed
The compromised extensions gained the ability to inject arbitrary code into web pages and distribute additional malware payloads to infected systems. Security researchers identified data harvesting functions that could steal sensitive user information during normal browsing sessions.
Chrome users should immediately remove QuickLens and check their installed extensions for any suspicious activity. Google's Chrome Web Store security team typically removes malicious extensions once identified, but users who installed them before detection remain vulnerable until manual removal.
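One way to carry out the check described above, as an added example that is not part of the original report: it lists every extension installed in a Chrome profile, flags names matching QuickLens, and shows which ones request access to all sites. Matching by display name, the `WATCHLIST` and `BROAD` values and the sample extension IDs are assumptions of this example, since the report gives no extension IDs.

```python
import json, sys, tempfile
from pathlib import Path

WATCHLIST = ("quicklens",)  # only name the page gives; the second extension is unnamed
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # patterns matching every site

def load(path):
    try:
        return json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}  # unreadable or malformed file

def display_name(ext_dir, m):  # resolve a localized "__MSG_key__" name
    name = m.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        table = load(ext_dir / "_locales" / m.get("default_locale", "en") / "messages.json")
        for key, entry in table.items():
            if key.lower() == name[6:-2].lower():  # message keys are case-insensitive
                return entry.get("message", name)
    return name

def audit(root):  # layout: <root>/<extension id>/<version>/manifest.json
    rows = []
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        m = load(path)
        name = display_name(path.parent, m)
        hosts = set(m.get("host_permissions", []))  # Manifest V3
        hosts |= {p for p in m.get("permissions", []) if isinstance(p, str)}  # V2 lists hosts here
        for cs in m.get("content_scripts", []):
            hosts |= set(cs.get("matches", []))
        rows.append({"id": path.parent.parent.name, "name": name, "version": m.get("version"),
                     "watchlisted": any(w in name.lower() for w in WATCHLIST),
                     "broad_hosts": sorted(hosts & BROAD)})
    return rows

def make_sample(root):  # constructed sample profile; the IDs are placeholders
    a = Path(root, "placeholder-id-a", "2.0_0")
    (a / "_locales" / "en").mkdir(parents=True)
    (a / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__", "version": "2.0",
        "default_locale": "en", "host_permissions": ["<all_urls>"]}))
    (a / "_locales" / "en" / "messages.json").write_text(json.dumps({"appName": {"message": "QuickLens - Search Screen"}}))
    b = Path(root, "placeholder-id-b", "1.0_0")
    b.mkdir(parents=True)
    (b / "manifest.json").write_text(json.dumps({"name": "Notes", "version": "1.0",
        "permissions": ["storage"], "content_scripts": [{"matches": ["https://example.com/*"]}]}))
    return root

if __name__ == "__main__":  # no argument: run on the constructed sample
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    print(json.dumps(audit(root), indent=2))
```

Pass the profile's `Extensions` directory as the argument, for example `~/.config/google-chrome/Default/Extensions` on Linux. A row with `watchlisted` set should be removed; a non-empty `broad_hosts` on an extension that does not need it is worth a closer look.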




