A browser extension that once earned a Featured badge from Google quietly turned into a remote code execution tool after its ownership changed hands, exposing thousands of users to covert script injection and full browser security header stripping.
The campaign, centered on a legitimate-looking Google Lens wrapper called QuickLens, highlights how even a well-reviewed, functional extension can be weaponized overnight through a single silent update.
QuickLens was a practical tool that let users search images using Google Lens directly from the browser. It offered screen capture, area selection, YouTube frame search, and an Amazon product lookup.
The extension grew to 7,000 active users and received a Featured badge from Google.
It was first published to the Chrome Web Store on October 9th, 2025, and just two days later, on October 11th, it was listed for sale on ExtensionHub — a marketplace where developers sell their extensions, including their existing user base.
Annex analysts identified this threat at multiple stages, starting with the sale listing in October 2025.
On February 1st, 2026, the extension’s ownership transferred to an unverified entity operating under the domain supportdoodlebuggle.top, registered as LLC Quick Lens — a throwaway identity with no verifiable presence online.
The privacy policy was relocated to kowqlak.lat. On February 17th, version 5.8 was released, and with it, a fully operational command-and-control (C2) platform was quietly pushed to all 7,000 users.
QuickLens 5.8 became a remote code execution platform (Source – Annex)
The update introduced three core changes: a new C2 server at api.extensionanalyticspro.top embedded in the background service worker, two new permissions — declarativeNetRequestWithHostAccess and webRequest — and a brand-new rules.json file.
For most users, this came through as a standard permission update prompt — the kind most people accept without review.
The rules.json file caused the most immediate harm. It instructed the extension to remove all meaningful browser security headers from every HTTP response, including Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection.
This effectively stripped protection from every page visited, leaving users exposed to clickjacking, cross-site scripting, and unrestricted cross-domain requests.
The Pixel Injection Mechanism
The execution technique at the core of this attack is built around a deceptively simple trick. The C2 server delivers JavaScript code to the extension in the form of an array of strings, which is saved in the browser’s local storage under the label cached-agents-data.
On every page visited, the extension reads this stored payload and executes it through a 1×1 transparent GIF image — the technique researchers refer to as the pixel trick.
The extension creates a hidden image element inside the web page, with its source set to a 1×1 transparent GIF encoded as a base64 data URI. This image loads instantly without making any outbound network request.
The JavaScript payload from the C2 server is then attached as an inline onload attribute on that image element.
The moment the browser processes the image, the script executes in the full context of the current page, giving the attacker direct access to everything on screen.
Inline event handlers like this are exactly what a well-configured Content-Security-Policy blocks; because version 5.8 stripped CSP headers globally, the payload runs freely across every page visited.
Malicious Update (Source – Annex)
The injected code can read session tokens, capture form inputs, scrape page content, and send stolen data to external servers — all while the extension continues functioning normally as a Google Lens tool, leaving users with no reason to suspect anything is wrong.
What makes this attack especially difficult to detect is that the malicious payload never appears inside the extension’s source files. Static code analysis reveals nothing more than a function that creates image elements.
The JavaScript arrives from the C2 server only at runtime. Even the internal naming — safelyProcessElement, cached-agents-data, extensionanalyticspro — is designed to blend in as routine browser activity.
Organizations should enforce strict browser extension allowlisting and actively monitor for unexpected permission changes, particularly new declarativeNetRequest and webRequest permissions.
Users should regularly audit installed extensions and treat unsolicited permission update prompts as a warning sign. Extensions that change ownership should be reviewed carefully before continued use.
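Two of the checks recommended above, as an added example that is not code from the article or from QuickLens: a scan of a declarativeNetRequest ruleset for rules that remove the security headers named earlier, and a diff of manifest permissions for the ones the article says the 5.8 update added. The ruleset and both manifests are constructed stand-ins, and the `tracker.example` and `intranet.example` hosts are placeholders.

```javascript
// Added example, not code from the article or from QuickLens: audit a Chrome
// declarativeNetRequest ruleset and a manifest permission diff for the two
// signals the article describes. All sample data here is constructed.
const SECURITY_HEADERS = new Set([
  "content-security-policy", "x-frame-options", "x-xss-protection",
  "strict-transport-security", "x-content-type-options",
]);
// Permissions the article names as the ones added by the malicious update.
const RISKY_PERMISSIONS = new Set([
  "declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequest",
]);
// Constructed sample shaped like a rules.json static ruleset (not the real file).
const SAMPLE_RULES = [
  { id: 1, priority: 1,
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Security-Policy", operation: "remove" },
      { header: "X-Frame-Options", operation: "remove" },
      { header: "X-XSS-Protection", operation: "remove" } ] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] } },
  { id: 2, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||tracker.example^", resourceTypes: ["script"] } },
];

// Flag modifyHeaders rules that remove security headers. A rule whose condition
// has urlFilter "*" or no URL filter at all applies to every URL the extension can reach.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (rule.action?.type !== "modifyHeaders") continue;
    const removed = (rule.action.responseHeaders || [])
      .filter(h => h.operation === "remove" && SECURITY_HEADERS.has(h.header.toLowerCase()))
      .map(h => h.header.toLowerCase());
    if (removed.length === 0) continue;
    const c = rule.condition || {};
    const global = !c.regexFilter && (!c.urlFilter || c.urlFilter === "*");
    findings.push({ id: rule.id, removed, global });
  }
  return findings;
}

// Return the risky permissions present in the new manifest but absent from the old one.
function newRiskyPermissions(oldManifest, newManifest) {
  const before = new Set(oldManifest.permissions || []);
  return (newManifest.permissions || []).filter(p => RISKY_PERMISSIONS.has(p) && !before.has(p));
}
// Constructed manifests standing in for the pre-sale build and the 5.8-style update.
const MANIFEST_OLD = { permissions: ["activeTab", "storage"] };
const MANIFEST_NEW = { permissions: ["activeTab", "storage", "declarativeNetRequestWithHostAccess", "webRequest"] };
console.log(auditRules(SAMPLE_RULES), newRiskyPermissions(MANIFEST_OLD, MANIFEST_NEW));
```

A rule flagged with `global: true` is the pattern the article describes: header removal applied to every response rather than to one site the extension legitimately needs to modify.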
IoCs
Extension ID: kdenlnncndfnhkognokgfpabgkgehodd
Extension Name: QuickLens – Search Screen with Google Lens
Malicious Version: 5.8
C2 Domain: api.extensionanalyticspro.top
Developer Email: support@doodlebuggle.top
Privacy Policy Domain: kowqlak.lat
SHA-256: fa3d0c8c8e9f3dacaa9f34e42ad63dceeba16689e055b90e9a903fa274d35df0
Removal Date: 2026-02-17
The post Pixel Perfect Extension Abuse Enables Covert Script Injection and Security Header Removal appeared first on Cyber Security News.