The QuickLens Chrome extension was recently pulled from the Web Store after a malicious update compromised roughly 7,000 users. Following an ownership change, version 5.8 introduced scripts designed to execute ClickFix attacks and steal cryptocurrency data by bypassing browser security headers.
QuickLens was originally a legitimate tool designed to integrate Google Lens search capabilities directly into the Chrome browser. Over time, it gained a significant user base and even earned a featured badge from Google, signaling a high level of perceived trust. However, security researchers discovered that the extension was sold on a developer marketplace in early February 2026 to a new entity operating under a suspicious domain.
On February 17, the new owners pushed version 5.8, which fundamentally altered the extension's behavior by requesting invasive permissions. These permissions allowed the software to modify network requests and strip away essential security headers like Content-Security-Policy and X-Frame-Options. By removing these protections, the extension made it significantly easier to inject and run unauthorized scripts on any website the victim visited.
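The following JavaScript is an added example, not code from the article or from the extension: it audits an extension update by diffing the permissions of two manifests and flagging rules that remove Content-Security-Policy or X-Frame-Options. It assumes the header stripping is expressed as declarativeNetRequest modifyHeaders rules, which the article does not specify; the manifests, rules and function names are constructed for illustration.

```javascript
// Response headers whose removal weakens injection and framing defences.
const PROTECTIVE_HEADERS = new Set(["content-security-policy", "x-frame-options"]);
// Permissions and host patterns that let an extension rewrite traffic on visited sites.
const NETWORK_PERMISSIONS = new Set([
  "declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequest", "<all_urls>",
]);
function allPermissions(manifest) {
  return new Set([...(manifest.permissions || []), ...(manifest.host_permissions || [])]);
}

// Permissions requested by the new manifest that the old one did not have.
function addedPermissions(oldManifest, newManifest) {
  const before = allPermissions(oldManifest);
  return [...allPermissions(newManifest)].filter((p) => !before.has(p)).sort();
}

// IDs of rules that remove a protective response header (header names are case-insensitive).
function headerStrippingRules(rules) {
  return rules
    .filter((r) => r.action && r.action.type === "modifyHeaders")
    .filter((r) => (r.action.responseHeaders || []).some((h) =>
      h.operation === "remove" && PROTECTIVE_HEADERS.has(String(h.header).toLowerCase())))
    .map((r) => r.id);
}
function auditUpdate(oldManifest, newManifest, newRules) {
  const added = addedPermissions(oldManifest, newManifest);
  const networkAdded = added.filter((p) => NETWORK_PERMISSIONS.has(p));
  const stripping = headerStrippingRules(newRules);
  const verdict = stripping.length ? "strips-security-headers"
    : networkAdded.length ? "new-network-access" : "no-finding";
  return { added, networkAdded, stripping, verdict };
}

// Constructed sample data, not taken from the real extension.
const OLD_MANIFEST = { permissions: ["contextMenus", "activeTab"] };
const NEW_MANIFEST = {
  permissions: ["contextMenus", "activeTab", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
};
const removeHeader = (id, header) => ({
  id, action: { type: "modifyHeaders", responseHeaders: [{ header, operation: "remove" }] },
});
const NEW_RULES = [
  removeHeader(1, "Content-Security-Policy"),
  removeHeader(2, "x-frame-options"),
  removeHeader(3, "x-powered-by"), // unrelated header, should not be flagged
  { id: 4, action: { type: "block" } }, // not a header rule
];
console.log(auditUpdate(OLD_MANIFEST, NEW_MANIFEST, NEW_RULES));
```

In a real review the rule objects would come from the JSON files listed under the manifest's declarative_net_request.rule_resources key. Rules added at runtime through updateDynamicRules do not appear in those files, so a clean static result does not rule out header stripping.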
Once the security barriers were lowered, the extension established a connection with a command-and-control server to begin fingerprinting the user's system. It collected data regarding the victim's geographic location, operating system, and browser version, assigning each infected machine a unique identifier. The extension was programmed to check back with the server every five minutes to receive new instructions and malicious payloads.
Users began reporting the infection after encountering persistent, fake Google Update alerts that blocked their ability to browse the web. These pop-ups attempted to trick victims into copying and running malicious code via the Windows Run box, a classic hallmark of ClickFix social engineering. Many victims noted that the alerts appeared on every site they visited, rendering their browsers nearly unusable and creating a high risk for credential theft.
Technical analysis revealed that the extension used a clever execution trick involving 1x1 GIF pixels to trigger the malicious JavaScript on every page load. By the time the extension was officially removed from the Chrome Web Store, it had already attempted to harvest sensitive data and cryptocurrency information from thousands of unsuspecting people. This incident serves as a stark reminder of the risks associated with browser extensions changing ownership behind the scenes.
Source: QuickLens Chrome Extension Steals Crypto, Mimics ClickFix Campaign



