A once-featured browser extension has been used for covert script injection and security header removal after a silent update weaponized the tool. The extension, QuickLens, a Google Lens wrapper, was acquired by new ownership and subsequently transformed into a remote code execution platform, potentially exposing thousands of users to significant cybersecurity risks.
The campaign, identified by Annex analysts, highlights the vulnerability of even seemingly reputable browser add-ons. QuickLens, initially a legitimate and functional tool for image searching via Google Lens, offered features like screen capture and product lookup. It had amassed 7,000 active users and even received a “Featured” badge from Google, underscoring its perceived trustworthiness.
QuickLens Extension Abuse Enables Covert Script Injection
The timeline of events reveals a rapid shift in the extension’s functionality. First published on October 9th, 2025, QuickLens was listed for sale on ExtensionHub just two days later, on October 11th. Ownership of the extension officially transferred on February 1st, 2026, to an unverified entity operating under the domain supportdoodlebuggle.top, registered as LLC Quick Lens. This entity lacked any verifiable online presence, raising immediate red flags.
A critical update, version 5.8, was released on February 17th, 2026. This update silently introduced a command-and-control (C2) platform to all 7,000 users. The update requested new permissions, including `declarativeNetRequestWithHostAccess` and `webRequest`, which most users likely accepted without thorough review, a common practice for many browser users.
The primary mechanism of the attack involved the `rules.json` file. This file instructed the extension to strip vital browser security headers from every HTTP response. Headers such as Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection were removed. This action effectively disarmed user protections against common web exploits like clickjacking, cross-site scripting (XSS), and unrestricted cross-domain requests, leaving users highly vulnerable.
The core of the exploited technique relies on a “pixel injection mechanism.” The C2 server delivered JavaScript code as an array of strings, stored in the browser’s local storage under the label `cached-agents-data`. When a user visited any webpage, the extension would execute this stored payload. This execution was cleverly disguised using a 1×1 transparent GIF image. The extension would create a hidden image element, with its source set to a base64 encoded data URI of the transparent GIF. Crucially, the malicious JavaScript payload was attached as an inline `onload` attribute to this image element.
Because the extension had globally stripped CSP headers, any inline event handlers, like the `onload` attribute, were no longer blocked. The browser, in processing the image, would execute the script in the full context of the current webpage. This granted the attackers direct access to sensitive information on the screen. The malicious code could then read session tokens, capture form inputs, scrape page content, and exfiltrate this data to external servers, all while the extension continued to function normally as a Google Lens tool.
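To make the CSP point concrete, here is an added Python example (not code from the article or from Annex) that inspects a set of response headers and decides whether an inline `onload` handler would be allowed to run, and which protections are missing. The header values are constructed samples; the check implements the script-src / default-src fallback and the rule that a nonce or hash source disables 'unsafe-inline'.

```python
# Constructed sample headers: the response as served by the origin, and the
# same response after a header-removal rule like the one described ran.
ORIGIN_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; img-src 'self' data:",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}
STRIPPED_HEADERS = {"Content-Type": "text/html; charset=utf-8"}

# What each header guarded, for reporting.
PROTECTIONS = {
    "content-security-policy": "blocks inline and injected script",
    "x-frame-options": "blocks framing (clickjacking)",
    "x-xss-protection": "legacy reflected-XSS filter",
}

def parse_csp(value: str) -> dict:
    """Split a CSP header value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def inline_handlers_allowed(headers: dict) -> bool:
    """Would an inline handler such as onload= on an <img> execute?

    Inline handlers are governed by script-src (falling back to default-src).
    They run when no policy applies at all (the state after the header is
    removed) or when 'unsafe-inline' is present without a nonce or hash.
    """
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return True
    policy = parse_csp(csp)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # neither script-src nor default-src: scripts unrestricted
    tokens = [s.lower() for s in sources]
    nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in tokens)
    return "'unsafe-inline'" in tokens and not nonce_or_hash

def missing_protections(headers: dict) -> list:
    """(header, what it guarded) for each security header absent from the response."""
    present = {k.lower() for k in headers}
    return [(h, why) for h, why in PROTECTIONS.items() if h not in present]
```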
Detecting this threat was particularly challenging as the malicious payload was not present in the extension’s static source files. Static code analysis would only reveal a function for creating image elements. The JavaScript code was delivered dynamically at runtime from the C2 server. Furthermore, internal naming conventions, such as `safelyProcessElement` and `cached-agents-data`, were designed to mimic legitimate browser activity, making them appear innocuous.
Organizations are advised to implement strict browser extension allowlisting policies. Proactive monitoring for unexpected permission changes, especially the addition of `declarativeNetRequest` and `webRequest` permissions, is also recommended. End-users should regularly audit their installed extensions and approach any unsolicited permission update prompts with caution. As a general security best practice, extensions undergoing ownership changes warrant careful review before continued usage.
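The following Python is an added example (not the article's or Annex's code) that applies the advice above to the mechanism described earlier: it diffs the permissions between two manifest versions and scans a `rules.json` in the declarativeNetRequest rule schema for `modifyHeaders` rules that remove security response headers. The manifests and rules are constructed samples modelled on the behaviour the article describes, not the actual QuickLens files.

```python
import json

# Permissions the article ties to the weaponised 5.8 update.
RISKY_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequest"}
# Response headers whose removal disarms browser-side protections.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options", "x-xss-protection"}

# Constructed sample data: a benign pre-update manifest, the post-update
# manifest, and a rules.json in the declarativeNetRequest rule schema.
SAMPLE_OLD_MANIFEST = {"version": "5.7", "permissions": ["activeTab", "storage"]}
SAMPLE_NEW_MANIFEST = {"version": "5.8", "host_permissions": ["<all_urls>"],
                       "permissions": ["activeTab", "storage",
                                       "declarativeNetRequestWithHostAccess", "webRequest"]}
SAMPLE_RULES = json.loads("""[
  {"id": 1, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "Content-Security-Policy", "operation": "remove"},
     {"header": "X-Frame-Options", "operation": "remove"},
     {"header": "X-XSS-Protection", "operation": "remove"}]},
   "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
  {"id": 2, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "X-Powered-By", "operation": "remove"}]},
   "condition": {"urlFilter": "*", "resourceTypes": ["main_frame"]}}
]""")

def permission_diff(old: dict, new: dict) -> set:
    """Permissions (API and host) present after an update but absent before."""
    before = set(old.get("permissions", [])) | set(old.get("host_permissions", []))
    after = set(new.get("permissions", [])) | set(new.get("host_permissions", []))
    return after - before

def audit_extension(manifest: dict, rules: list) -> dict:
    """Flag risky permissions and rules that remove security headers."""
    findings = {"risky_permissions": [], "stripped_headers": []}
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            findings["risky_permissions"].append(perm)
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue  # block/redirect rules cannot strip headers
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in SECURITY_HEADERS:
                findings["stripped_headers"].append((rule["id"], name))
    return findings
```

Run `audit_extension` against an unpacked extension directory's `manifest.json` and each file listed under its `declarative_net_request.rule_resources` as part of an allowlist review; `permission_diff` is the check to run whenever a pinned version changes.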
Indicators of Compromise (IoCs) for this campaign include the extension ID `kdenlnncndfnhkognokgfpabgkgehodd`, the extension name “QuickLens – Search Screen with Google Lens,” and the malicious version 5.8. The C2 domain identified is `api.extensionanalyticspro.top`, with a developer email `[email protected]` and a privacy policy domain `kowqlak.lat`. The SHA-256 hash associated with the malicious package is `fa3d0c8c8e9f3dacaa9f34e42ad63dceeba16689e055b90e9a903fa274d35df0`. The removal date from affected stores was February 17th, 2026.
The ongoing threat landscape necessitates vigilance from both users and organizations. The ease with which legitimate extensions can be weaponized underscores the importance of robust security practices in managing browser add-ons. Further details are expected as Annex continues its analysis of the campaign’s full scope and potential impact.
