Back to articles

Extension ownership transfers: how to protect yourself when your add-on changes hands

QuickLens was hijacked via ownership transfer to push ClickFix attacks and crypto-stealing malware. Here's how to check your extensions are still safe.

Maxim Kosterin
8 min read

Your browser extensions don't always stay with the developer who built them. They get sold, transferred, and inherited — and when that happens, you usually have no idea.

That's what happened to users of QuickLens ("Search Screen with Google Lens") on February 17, 2026. According to BleepingComputer, the extension's ownership changed hands on February 1, 2026. The new owners spent 16 days before pushing version 5.8 — a malicious update that deployed ClickFix social engineering attacks and an infostealer targeting MetaMask, Exodus, and Trust Wallet. Google has since removed QuickLens from the Chrome Web Store, and Chrome auto-disabled it for affected users.

Here's the uncomfortable truth: you'd have had no way to know this was coming. Chrome doesn't notify you when extension ownership changes. There's no visible history, no alert, no badge on the extension icon. One day it's built by a legitimate developer; the next, it belongs to someone with completely different intentions — and the update that follows is delivered silently through the same auto-update channel you've always trusted.

What the attack actually looked like

When a user with QuickLens installed opened their browser after the malicious update, the extension contacted google-update[.]icu — a domain designed to look like a legitimate Google service. From there, it downloaded a secondary payload that rendered a fake Google Update prompt inside the browser.

That prompt was the ClickFix attack.

ClickFix is a social engineering technique that's been appearing across multiple 2026 attack campaigns, from ransomware delivery to corporate credential theft. The mechanic is straightforward: present the user with a fake "verification required" or "update needed" dialog, then instruct them to click a button or paste a command into PowerShell to proceed. In the QuickLens case, the fake update button executed a PowerShell command that connected to attacker infrastructure and downloaded an infostealer payload.

The infostealer specifically targeted:

  • MetaMask, Exodus, and Trust Wallet browser extensions (their seed phrases and stored wallet data)
  • Saved browser credentials stored in Chrome's password manager
  • Other sensitive data the infostealer was configured to extract

What makes ClickFix effective is that it sidesteps the browser's security model entirely by delegating execution to the user. The extension doesn't exploit a vulnerability. It doesn't need elevated system permissions. It just shows you a prompt that looks official and relies on you pressing the button. In real attack scenarios, most people do — especially when the dialog looks like something they've seen from Google before.

Microsoft Defender now detects some ClickFix variants as Behavior:Win32/SuspClickFix.C, but detection happens after execution. By then, whatever the payload was designed to steal has already been transmitted.

Why ownership transfers are uniquely dangerous

Most people think about extension threats in terms of new malicious extensions — fake AI tools, obvious scams with zero reviews, newly created publisher accounts. Ownership transfer attacks work the exact opposite way. They start with legitimacy and turn it into a weapon.

When you install an extension, you're extending trust to its developer at that moment. But that trust doesn't expire, and it doesn't follow the developer — it follows the extension ID. When Chrome Web Store ownership transfers, your trust transfers with it. The new owner inherits everything: the existing install base, verified reviews, years of positive ratings, and — critically — automatic update delivery to every user who installed it previously.

The attacker who acquired QuickLens didn't need to convince anyone to install anything. They bought an audience.

The Chrome Web Store gives users zero visibility into this process. There's no ownership history. You can see who currently publishes an extension, but not whether that changed last week. An extension you installed two years ago from a trusted indie developer might now belong to a completely different organization with completely different intentions — and you'd have no way to know without actively going to look.

This fits into a broader pattern of 2026 extension supply chain compromises. The crypto-wallet targeting seen in QuickLens echoes the Trust Wallet Shai-Hulud attack earlier in February, and the Phantom Shuttle proxy-hijacking campaign that reportedly operated since 2017. What these attacks share: targeting extensions that already have established user bases, then weaponizing existing trust. Ownership transfer is the cleanest version of this — no technical exploitation required, just a marketplace transaction.

Did you have QuickLens installed?

The extension's Chrome Web Store ID was ljbondlpjlebeigkfhbpejnlhpholfpn. You can check your installed extensions at chrome://extensions/ in Chrome's address bar. If it's still listed, remove it.

If you had QuickLens installed and saw any popup asking you to verify your browser, complete a CAPTCHA, or run a command — treat your credentials as potentially compromised. Here's what to do:

Rotate passwords stored in Chrome. Start with high-value accounts: email, financial services, crypto exchanges. Don't wait.

Check your crypto wallets. If you use MetaMask, Exodus, or Trust Wallet via a browser extension, review your transaction history for the February 17–20 window. If there's any chance your seed phrase was exposed, create a new wallet and transfer assets to it immediately. Never reuse a potentially compromised seed phrase.

Run a full malware scan. BleepingComputer recommends scanning your device for any persisted components the infostealer may have dropped. Windows Defender, Malwarebytes, or your preferred security tool — run a full scan now.

Revoke active sessions for sensitive services. Many platforms let you log out all active sessions from account security settings. Do it for anything important.

If you had QuickLens installed but never interacted with the fake prompt, you're likely fine. Still worth checking wallet activity from that window just to be certain.

Five steps to protect yourself going forward

The QuickLens incident is contained. But ownership transfer attacks aren't going away, and neither is ClickFix. Here's what actually helps long-term:

1. Never run commands that browser extensions ask you to run. This is the single most important rule for ClickFix defense. No legitimate extension will ever ask you to open PowerShell, Terminal, or any command interface to verify your identity, complete an update, or prove you're human. If you see that kind of prompt, close it and remove the extension — no exceptions.

2. Audit extensions you installed more than six months ago. Old extensions are your highest-risk category. Developers move on, burn out, sell their projects. An extension you installed in 2022 and haven't thought about since could have changed hands multiple times. Go through your list and ask: do I actually use this? Do I know who currently makes it? You can check extension security profiles on Extenshi to see what permissions each extension holds and flag anything that looks off.

3. Pay attention to broad-permission extensions. Extensions with <all_urls> host permissions combined with the scripting permission can inject JavaScript into any page you visit — your bank, your email, your crypto exchange. Not every extension with these permissions is a threat, but every extension doing what QuickLens did needs exactly these permissions. Check which of your extensions have this level of access at catalog.extenshi.io.

4. Notice unexpected update activity. Major version jumps or sudden changes in an extension's update frequency can signal something changed in the development team. Chrome's auto-update is generally a good thing, but for extensions with access to sensitive data, it's worth periodically reviewing the version history and checking whether the developer contact info still matches what you remember.

5. Move significant crypto off browser extensions. Browser extension wallets are convenient. They're also fully exposed to every other extension running in your browser. For meaningful holdings, hardware wallets (Ledger, Trezor) keep seed phrases in a separate physical device that browser extensions — malicious or otherwise — cannot access.

The structural problem that makes this possible

The QuickLens attack exposes a real gap in how extension stores handle ownership changes. When a developer sells or transfers an extension, there's no mechanism to inform existing users. The extension keeps its name, icon, reviews, and install count. The only thing that might change is the developer email — and even that isn't prominently surfaced anywhere in the browser.

This is a metadata visibility problem. npm, by comparison, logs package ownership history. A developer can look up when a package transferred and who currently maintains it. Browser extensions have no equivalent audit trail.

It's one of the signals that Extenshi's extension catalog tracks. When extension metadata changes — developer information, permissions, significant version updates — it's logged in the extension's history. Not a complete solution, but the kind of structural visibility that the Chrome Web Store itself doesn't currently offer.

If you haven't reviewed your extensions recently, now is a good time.

Scan your extensions on Extenshi →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles