analyst@nohacky:~/briefings $
cat /briefings/quicklens-supply-chain-attack
reading mode 10 min read
category supply chain
published March 2026
author NoHacky

You Didn't Install Malware. You Bought It.

The QuickLens Chrome extension was Google-featured, well-reviewed, and actively maintained. Then it was sold. Sixteen days later, 7,000 users had a crypto-stealing C2 agent running silently in their browser — and they never touched an infected file.

There is a version of this story that the security industry is comfortable telling. A developer's account gets phished. A rogue commit slips through review. A compromised build server injects malicious code into an otherwise clean package. These are failures of process — flaws in pipelines that can, in theory, be patched.

The QuickLens attack is not that story. What happened in February 2026 was not a breach. It was a transaction. Threat actors did not break into anything. They opened a browser, visited a marketplace called ExtensionHub, and bought a trusted tool — along with its user base, its Google-granted "Featured" badge, and the auto-update mechanism that would silently push whatever they wanted into 7,000 browsers worldwide. The exploitation did not begin until they had already won the hard part: earning your trust.

That distinction matters enormously, and it is why this incident deserves a closer analysis than the standard breach postmortem. This is a blueprint, not an accident.

The Product Was the Attack Surface

QuickLens — officially titled QuickLens: Search Screen with Google Lens — was published to the Chrome Web Store on October 9, 2025. It did exactly what it claimed: it let users run Google Lens image searches without leaving their current tab. Features included screen capture, area selection, YouTube frame lookup, and an Amazon product discovery tool. The extension accumulated around 7,000 active users and earned a Featured badge from Google, a designation intended to signal quality and trustworthiness.

Two days after publication — October 11, 2025 — the extension was listed for sale on ExtensionHub, a marketplace where developers sell browser extensions complete with their existing user base and review history. Researchers at Annex Security spotted the listing at that early stage, flagging the rapid turnaround as a potential risk indicator. Their instincts proved correct, though the weaponization would not come for another four months.

context

ExtensionHub is a legitimate, publicly accessible marketplace. Listing a browser extension for sale — including its installed user base — is standard practice in the extension development community. No policy prohibits it. This is the structural vulnerability the attackers exploited, and it requires no hacking skill whatsoever.

On February 1, 2026, ownership of QuickLens transferred to a new entity operating under the email address , registered as "LLC Quick Lens." The new privacy policy was hosted on a barely functional domain with no verifiable presence or business identity. Annex documented this ownership shift, noting every red flag: throwaway domain, no traceable LLC, new privacy policy drafted in what appeared to be a placeholder template. The Chrome Web Store updated the extension's listed owner. No user was notified.

Sixteen days later, on February 17, 2026, version 5.8 was pushed.

Version 5.8: A Full Attack Platform in One Update

The update looked, on the surface, like a routine maintenance release. It requested two new browser permissions — declarativeNetRequestWithHostAccess and webRequest — and included a new background script and a rules.json configuration file. For the average user, this registered as a minor permission prompt, the kind that most people dismiss without reading. For the 7,000 existing users who had already granted the extension access, the update applied automatically.

What the update actually delivered was a multi-stage remote code execution platform built entirely on top of legitimate browser APIs.

Stage One: Dismantling Browser Defenses

The rules.json file used the newly acquired declarativeNetRequestWithHostAccess permission to strip three critical security response headers from every single web page the user visited: Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection. These headers are the browser's primary mechanism for preventing unauthorized script execution and cross-frame manipulation. With them gone, every site the user visited — their bank, their email, their crypto wallet dashboard — became vulnerable to arbitrary JavaScript injection.

"For every page, frame, and request, the security headers are now gone. User traffic is now vulnerable to many new attacks like clickjacking." — Annex Security researchers, February 23, 2026

Stage Two: Establishing Persistent C2 Communication

A rewritten background.js — a file that had no equivalent in the clean 5.7 build — established contact with a command-and-control server at api.extensionanalyticspro[.]top. The domain name was deliberately chosen to blend into legitimate telemetry traffic. Every five minutes, the extension transmitted a unique device identifier, browser version, operating system metadata, and geolocation data harvested via Cloudflare trace endpoints. The C2 returned an array of JavaScript payload strings, which were cached in the browser's local storage under the key cached-agents-data.

A /finish endpoint gave the operator the ability to trigger immediate payload refreshes on demand, meaning the attack could be updated, pivoted, or retargeted at any time without pushing a new extension version.

Stage Three: The 1x1 GIF Pixel Trick

Payload execution used a technique that Annex researchers described as a "1x1 GIF pixel onload trick." For each JavaScript payload string retrieved from the C2, the extension's content.js created a hidden, single-pixel transparent GIF image element in the current page's DOM, assigned the attacker's JavaScript to the image's onload attribute, and then programmatically fired the load event. When the image "loaded," the inline handler executed in the full page context — capable of reading session cookies, capturing form inputs, scraping page content, and exfiltrating data via the browser's own network access.

Because the extension had already stripped CSP headers from the visited page, this inline JavaScript execution worked regardless of what the site's own security policy might have prevented. The defense had been removed before the offense was deployed.

detection note

Because payloads were delivered at runtime from the C2 and never resided in the extension's packaged source code, static review of the extension's files — the primary method used by both the Chrome Web Store review process and third-party security scanners — would have found nothing. The malicious payload existed only in memory, fetched fresh with each execution cycle. Names like safelyProcessElement and extensionanalyticspro were designed to pass visual inspection.

ClickFix: Making the User Do the Work

The first payload retrieved from the C2 contacted a secondary domain, google-update[.]icu, which returned a visually convincing fake Google Update prompt. Clicking it launched a ClickFix attack — and this is where the campaign's sophistication reaches its most instructive point.

ClickFix is not a new exploit. It is a social engineering technique that first appeared in documented threat campaigns in March 2024, initially identified by Proofpoint in campaigns by the initial access broker TA571. Since then it has expanded aggressively: ESET's H1 2025 Threat Report measured a 517% surge in ClickFix detections in the first half of 2025 alone, with the technique accounting for nearly 8% of all blocked threats. Microsoft's 2025 Digital Defense Report confirmed it as the number one initial access method among threats observed by Defender Experts, accounting for 47% of observed attacks — surpassing traditional phishing, which stood at 35%. Proofpoint documented nation-state adoption across a three-month window from late 2024 into early 2025, with groups including North Korea's Kimsuky, Iran's MuddyWater, and Russia's APT28 all incorporating the technique into their standing infection chains.

"By turning the victim into the execution mechanism — having them paste and run the command themselves — the attackers sidestep the very controls the security industry has spent years building. No exploit. No suspicious download." — Moonlock Lab, March 2026

The mechanics are deliberately simple. The fake Google Update prompt instructed Windows users to download a file named googleupdate.exe. The file carried a valid digital signature — issued to an entity called Hubei Da'e Zhidao Food Technology Co., Ltd., a Chinese food technology company with no apparent relationship to software distribution — lending it an air of legitimacy to users who checked. When executed, the file ran a concealed PowerShell command that spawned a second PowerShell process. That second process contacted drivers[.]solutions/META-INF/xuoa.sys using a custom user agent string identifying itself as "Katzilla," retrieved additional instructions, and piped the response directly into Invoke-Expression, enabling fully remote-controlled code execution on the victim's machine.

The user was never tricked into downloading malware. They were tricked into running it themselves. That distinction is what makes ClickFix so resistant to conventional defenses: the execution originates from a trusted user action in a trusted system tool, not from a malicious file that antivirus can intercept at download.

The Full Scope of Data Theft

While the ClickFix component handled Windows users with a full remote access implant, separate JavaScript agents delivered by the C2 conducted targeted data exfiltration regardless of whether the user clicked the fake update prompt.

The cryptocurrency wallet targeting was extensive. The extension actively detected the presence of eleven specific wallet extensions: MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare, Backpack, Brave Wallet, Exodus, Binance Chain Wallet, WalletConnect, and Argon. When any of these were found, the agent attempted to exfiltrate wallet activity data and seed phrases. A seed phrase — typically 12 to 24 words — is a complete cryptographic backup of a wallet. Any attacker who obtains it gains permanent, irrevocable access to all funds in that wallet, regardless of any password change or device wipe the victim might subsequently perform.

Beyond cryptocurrency, a second script captured login credentials and payment card information entered into any web form visited while the extension was active. Additional payloads scraped the contents of Gmail inboxes, extracted Facebook Business Manager advertising account data, and collected YouTube channel information. Researchers at Rescana noted that community reports on Reddit and other forums described browser lockouts, credential theft, and unauthorized asset transfers consistent with this scope of access.

For macOS users, reports indicated targeting with the AMOS (Atomic Stealer) infostealer, a well-documented macOS-focused credential harvester. BleepingComputer noted it could not independently verify this component of the campaign. On the Windows side, the second-stage payload retrieved via PowerShell was identified by researchers as Katzilla — named for the custom Katzilla user agent string the malware used when beaconing to its C2 at drivers[.]solutions.

critical

If you had QuickLens installed at any point after February 17, 2026, and you use any browser-based cryptocurrency wallet, treat your seed phrase as fully compromised. Transferring funds to a wallet with a freshly generated seed phrase is not optional — it is the only effective remediation. A compromised seed phrase remains valid forever. Changing passwords or reinstalling Chrome does not protect funds associated with a leaked seed phrase.

The Structural Problem No One Wants to Fix

It would be convenient to frame this as a Google failure — a gap in the Chrome Web Store's review process. And there is a gap: Google's extension review, whether manual or automated, focuses on the code submitted at upload. Runtime-fetched payloads are invisible to any static analysis. The malicious version 5.8 contained no ready-to-execute malware in its package. It contained a loader that fetched malware on demand, and the loader looked like analytics code. When Google ultimately removed QuickLens from the store, the removal notice cited a generic "policy violation" — not malware, not a supply chain compromise, not a runtime payload threat. The review infrastructure has no category for what actually happened.

But the deeper structural problem is the extension marketplace ecosystem itself. ExtensionHub, the platform through which QuickLens was sold, operates entirely within legal boundaries. Selling a browser extension, including its user base, is a normal commercial activity. The platform has no mechanism to verify the intent of a buyer, no requirement to notify existing users that ownership has transferred, and no obligation to alert Google that a potentially sensitive asset has changed hands.

This creates a reliable acquisition pipeline for attackers. Rather than spending months building user trust through organic growth, they can simply purchase it. A 7,000-user extension with a Featured badge and positive reviews represents a fully operational attack surface, available for purchase, with no technical skill required to acquire it. The attacker's only barrier is knowing the marketplace exists and having a budget for the purchase price.

John Tuckner, founder of Annex Security and the researcher who first publicly reported the QuickLens compromise on February 23, 2026, noted that the extension had been flagged at the initial ExtensionHub listing in October 2025 — more than four months before the malicious update was deployed. The timeline between listing and weaponization suggests either deliberate patience, a delay in finding a buyer, or both. What it confirms is that the threat window opened the moment the original developer listed it for sale.

"The QuickLens incident shows how a highly rated, Featured extension can become a browser-resident C2 client with one update, turning 7,000 legitimate installs into an attack surface without any new downloads." — GBHackers, March 2026

This is also not an isolated case. In January 2026, Huntress documented a variant called CrashFix — delivered through a malicious extension called NexShield impersonating the legitimate uBlock Origin Lite ad blocker — that deliberately crashed the victim's browser through an infinite loop of Chrome runtime connections, then displayed fake repair prompts to install the ModeloRAT Python remote access trojan. Microsoft Defender Experts independently confirmed CrashFix as a "notable escalation in ClickFix tradecraft." The broader ClickFix technique has spawned a documented family of variants: FileFix, which directs users to paste commands into File Explorer's address bar rather than the Run dialog; CrashFix, described above; and ConsentFix — discovered by Push Security in December 2025 — an OAuth-based variant that tricks users into pasting a URL containing their own Azure CLI authorization code into a phishing page, granting the attacker full control of the victim's Microsoft account without requiring a password, an MFA code, or any endpoint interaction whatsoever. The attack surface is not narrowing.

What to Do Right Now

Google removed QuickLens from the Chrome Web Store following disclosure and automatically disabled it in affected browsers. If you have not already confirmed the extension is gone, open chrome://extensions and verify it is absent. If Chrome has flagged it as disabled malware, the flag confirms your browser was exposed to the malicious version.

Beyond removal, the following actions are warranted for anyone who had the extension installed after February 17, 2026:

  • Run a full malware scan with updated definitions, paying specific attention to PowerShell artifacts and dropped executables in your temp and AppData directories.
  • Reset all passwords stored in your browser — every site where autofill may have submitted credentials while the extension was active should be treated as compromised.
  • Check saved payment methods in your browser and with financial institutions for any unauthorized activity.
  • If you use any of the eleven targeted crypto wallets, transfer all funds to a wallet with a freshly generated seed phrase immediately. Do not reuse the existing seed phrase under any circumstances.
  • Review your Gmail for unexpected sent messages, filter rules, or forwarding addresses that could indicate inbox scraping followed by ongoing access.
  • Check Facebook Business Manager for any unfamiliar ad campaigns, audience exports, or payment method changes.

For organizations, the remediation scope is wider. Browser extensions are rarely treated as part of the enterprise software supply chain — they do not go through procurement, they are not inventoried, and ownership changes are not monitored. This incident makes a strong case for treating them with the same scrutiny applied to any third-party software dependency.

Key Takeaways

  1. Trust signals do not transfer with ownership: A Featured badge, positive reviews, and months of legitimate operation are attributes of a specific developer's work. When ownership transfers, those signals become inherited credibility that the new owner did nothing to earn. There is currently no mechanism to alert users when this happens.
  2. Static code review cannot catch runtime-fetched payloads: The malicious version 5.8 contained no ready-to-execute malware in its submitted package. Any review system that evaluates only the uploaded code will miss this class of attack entirely. Runtime behavior monitoring is the only reliable counter.
  3. ClickFix succeeds because it makes the victim the delivery mechanism: By requiring the user to manually execute a command, attackers bypass download scanners, Safe Browsing alerts, and endpoint protection tools that intercept incoming files. The defense gap is not technical — it is behavioral, and it requires deliberate user education to close.
  4. The extension marketplace model is an open acquisition pipeline: Any extension with a substantial user base can be purchased by a threat actor today, through a legal transaction, with no notification to affected users. This is a structural vulnerability in the browser extension ecosystem that vendor-level policy changes are needed to address.
  5. Seed phrase compromise is permanent: Unlike passwords, seed phrases cannot be changed. Once exposed, the only remedy is fund migration to a new wallet. Users who rely on browser-based wallets need to understand this risk in concrete terms before an incident occurs.

Attribution for the QuickLens campaign remains unconfirmed, with no identified links to established APT groups. Rescana's analysis and BleepingComputer's reporting both characterize the targeting profile as indiscriminate and financially motivated — consistent with organized cybercriminal operations rather than state-sponsored espionage. What can be said with confidence is that the attack required no zero-days, no advanced persistent infrastructure, and no insider access. It required a marketplace listing, a purchase, and one update. That is the threat model the industry needs to start designing against.

Sources

  1. Tuckner, J. (February 23, 2026). Annex Security — Original disclosure report on QuickLens compromise. secureannex.com/blog
  2. BleepingComputer (February 28, 2026). "QuickLens Chrome extension steals crypto, shows ClickFix attack." bleepingcomputer.com
  3. Rescana (March 2, 2026). "QuickLens Chrome Extension Supply Chain Attack: Cryptocurrency Theft and ClickFix Malware Campaign Analysis." rescana.com
  4. SC World (March 2, 2026). "Malicious Chrome extension QuickLens removed after stealing crypto and spreading malware." scworld.com
  5. TechRepublic (March 3, 2026). "Chrome Extension Hijacked to Deliver Malware, Steal Crypto Wallets." techrepublic.com
  6. GBHackers (March 2, 2026). "Pixel Perfect Browser Extension Exploited for Stealth Script Injection and Security Header Stripping." gbhackers.com
  7. eSecurity Planet (March 2, 2026). "Chrome Extension Hijacked to Push ClickFix Malware." esecurityplanet.com
  8. CoinTelegraph (March 3, 2026). "ClickFix hackers pose as VCs, hijack QuickLens in latest crypto attacks." cointelegraph.com
  9. Moonlock Lab (March 3, 2026). ClickFix fake venture capital campaign analysis. Referenced via CoinTelegraph.
  10. Microsoft (October 2025). 2025 Digital Defense Report — source of the 47% ClickFix initial access figure and ClickFix as #1 attack method among Defender Expert notifications. microsoft.com/MDDR-2025
  11. Microsoft Security Blog (August 21, 2025). "Think Before You Click(Fix): Analyzing the ClickFix Social Engineering Technique." Detailed technical analysis of ClickFix campaign mechanics. microsoft.com/security
  12. Proofpoint (February 2025). "Security Brief: ClickFix Social Engineering Technique Floods the Threat Landscape." proofpoint.com
  13. Infosecurity Magazine (June 26, 2025). "ClickFix Attacks Surge 517% in 2025." Reporting on ESET H1 2025 Threat Report data. infosecurity-magazine.com
  14. Proofpoint (April 17, 2025). "Around the World in 90 Days: State-Sponsored Actors Try ClickFix." Documentation of nation-state adoption by Kimsuky (TA427), MuddyWater (TA450), APT28 (TA422), and UNK_RemoteRogue. proofpoint.com
  15. Huntress (January 16, 2026). "Dissecting CrashFix: KongTuke's New Toy." Primary technical research disclosing CrashFix variant, NexShield extension, and ModeloRAT. huntress.com
  16. SecurityWeek (January 19, 2026). "Malicious Chrome Extension Crashes Browser in ClickFix Variant 'CrashFix'." securityweek.com
  17. U.S. Department of Health and Human Services / HC3 (October 29, 2024). "ClickFix Attacks Sector Alert." hhs.gov
  18. Push Security (December 11, 2025). "ConsentFix: Browser-native ClickFix hijacks OAuth grants." Discovery of OAuth-based ClickFix variant abusing Azure CLI to achieve full Microsoft account takeover without password or MFA. pushsecurity.com
  19. Microsoft Security Blog (February 5, 2026). "ClickFix Variant 'CrashFix' Deploying Python Remote Access Trojan." Independent technical confirmation of CrashFix as "notable escalation in ClickFix tradecraft." microsoft.com/security
— end of briefing