A Google Lens extension that was sold gets weaponized overnight—stripping browser security headers and using a 1x1 GIF onload trick.

Khushal
Thread author
Apr 4, 2024
A Chrome extension with 7,000 users and a Google Featured badge was recently sold, weaponized, and pushed a malicious update that executed code through a hidden pixel. Here's how it worked 👇
The new owner added a C2 server, stripped important security headers from all pages, and used a 1x1 invisible pixel's onload handler to execute remote JavaScript in pages. The actual malicious code never appears in the extension's source files, but the code update was clear. The original extension still works perfectly. Google Lens integration, screen capture, all of it. Users would never notice anything beyond a single permission acceptance prompt. That's what makes extension supply chain attacks so dangerous.


This is a good real-world example of why browser extensions are a high-risk supply-chain: an extension can be “clean” for years, gain trust (ratings/badges/users), then a new owner ships an update that keeps the visible features working while quietly adding a remote execution path.

What made this technique effective
  • Ownership change + update trust: users generally trust updates more than new installs, especially when the extension already “proved itself” over time.
  • Remote code loading: if an extension can fetch and run code from a server the author controls (directly or indirectly), the malicious payload doesn’t need to be fully present in the Web Store package at review time.
  • Hidden execution trigger: using an invisible 1x1 pixel with an onload handler is a low-noise way to trigger logic without obvious UI changes.
  • Permissions inertia: many users click through a permission prompt, and once granted, the extension can access a lot (depending on host permissions, content scripts, etc.).

Practical takeaways for users
  • Keep extensions to the absolute minimum. Every extra extension is another “update channel” into your browser.
  • Be strict with permissions:
    • Avoid extensions that request “Read and change all your data on all websites” unless truly necessary.
    • Prefer “On click” / “On specific sites” host access when available.
  • Treat “extension updated + new permissions” as a serious event. If an extension suddenly asks for broader access than before, remove it and look for alternatives.
  • Prefer reputable vendors and/or transparent projects. Open-source alone isn’t a guarantee, but it can make review and community scrutiny easier.
  • For higher-risk environments (workstations handling sensitive accounts), consider using:
    • A separate browser profile for “risky” browsing vs. banking/email
    • Enterprise controls (if available) to restrict which extensions can be installed

If someone had this extension installed
I can’t confirm impact for any specific system without logs/indicators, but the safe response is:
  • Remove the extension immediately.
  • Restart the browser (and consider clearing browser cache/site data).
  • Run an on-demand scan with a reputable AV.
  • Assume session/token risk: sign out of important sites, change passwords (especially email), and enable/verify MFA.
  • Review Chrome’s “Security” / “Devices” pages for your major accounts (Google/Microsoft/etc.) and revoke unknown sessions.

Executive Summary
Confirmed facts indicate that the legitimate Chrome extension "QuickLens" was sold and subsequently weaponized in version 5.8, pushing a malicious update to approximately 7,000 existing users. The assessment is that this supply chain attack leverages extensive permissions and network traffic modification rules to strip browser security headers, enabling the execution of arbitrary JavaScript fetched from a remote C2 server within the context of any loaded webpage.

Technical Analysis & Remediation

MITRE ATT&CK Mapping
  • T1189 - Drive-by Compromise (Browser Extension)
  • T1059.002 - Command and Scripting Interpreter: JavaScript
  • T1562.001 - Impair Defenses: Disable or Modify Tools (Stripping content-security-policy and x-xss-protection via declarativeNetRequest)
  • T1132.001 - Data Encoding: Standard Encoding (Base64 data URI for 1x1 GIF)

CVE Profile
N/A [CISA KEV Status: Inactive]
(Supply chain compromise of third-party software, not a native software vulnerability).

Telemetry
  • Extension ID: kdenlnncndfnhkognokgfpabgkgehodd
  • C2 Domain: api.extensionanalyticspro.top
  • SHA256: 28c7fd959943c6d317d14f5cdafad842695d5dde65f8744442e565a0c9f3ddc3

Constraint
The structure resembles a classic XSS filter evasion technique. The extension injects a hidden <img> element with a base64 src URI and executes the remote C2 payload via an inline event handler (img.setAttribute("onload", element)).

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Institute an explicit allowlist policy for browser extensions and review third-party software supply chain risk management.

DETECT (DE) – Monitoring & Analysis

Command
Query EDR and network telemetry for DNS requests or HTTPS traffic directed to api.extensionanalyticspro.top.

Command
Hunt for Chromium extension ID kdenlnncndfnhkognokgfpabgkgehodd in local user AppData directories.

RESPOND (RS) – Mitigation & Containment

Command
Force-remove the offending extension ID via Group Policy Objects (GPO) or MDM extension blocklists for all managed browsers.

Command
Block network traffic to api.extensionanalyticspro.top at the secure web gateway or firewall level.

RECOVER (RC) – Restoration & Trust

Command

Instruct impacted users to log out and invalidate active web sessions, as the injected JavaScript execution context may have compromised active session tokens.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Restrict standard users from installing unapproved browser extensions, specifically those that require declarativeNetRequest or webRequest permissions.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if you actively rely on QuickLens v5.8 to prevent further C2 polling.

Command
Do not log into banking/email until verified clean. Remove the extension labeled "QuickLens - Search Screen with Google Lens" from your browser immediately.

Priority 2: Identity

Command
Reset passwords/MFA using a known clean device (e.g., phone on 5G). Because the payload ran in the context of your browser pages, active session cookies or entered credentials may have been stolen.

Priority 3: Persistence

Command
Navigate to chrome://extensions/ and manually delete any extension with the ID kdenlnncndfnhkognokgfpabgkgehodd.

Hardening & References

Baseline

CIS Benchmarks for Google Chrome (Section 1.3: Extension Management).

Framework
NIST CSF 2.0 / SP 800-61r3.

Style
Review OWASP XSS Filter Evasion cheat sheets to understand the mechanics behind the hidden onload pixel trick.

Source

Pixel Perfect: Sold Extension Injects Code Through Pixel
 
