Malicious Chrome Extensions Hijacked: Code Injection and Data Theft Risks
In a troubling trend highlighting the fragility of the software supply chain, two previously legitimate Google Chrome extensions have been weaponized following a change in ownership. This incident serves as a stark reminder to security professionals that the tools we trust to enhance productivity can instantly turn into vectors for data exfiltration and arbitrary code execution.
The Trap: A Productivity Tool Gone Rogue
The recent alert concerns extensions originally associated with a developer known as "BuildMelon" (contact email: akshayanuonline@gmail.com). Among the affected utilities is QuickLens, a tool designed to help developers search screens. At face value, these appear to be standard, helpful utilities. However, once the ownership of these extensions was transferred to unknown actors, the narrative shifted from utility to malice.
Rather than creating malware from scratch, threat actors purchased the legitimate reputation of these extensions. By taking over the developer accounts, they gained the ability to push updates directly to the thousands—perhaps millions—of users who had already installed and trusted the software. This "bait-and-switch" tactic bypasses the initial skepticism users might have when installing a new, unknown extension.
Technical Analysis: The Mechanics of the Takeover
This attack vector is a classic example of a supply chain compromise. The attackers did not need to compromise the user's machine directly; they simply compromised the update mechanism of the Chrome Web Store listing.
Attack Vector and TTPs
- Ownership Transfer: The original developer transfers the extension ID and rights to a malicious actor. This is a legitimate business practice (acquisitions) but poses a significant security risk when not vetted.
- Malicious Update Payload: Once control is established, the actors push a new version of the extension. While the changelog may claim "bug fixes" or "performance improvements," the underlying code is modified.
- Code Injection & Data Harvesting: The malicious version typically requests broad permissions (e.g., <all_urls>, storage, tabs). Using these permissions, the extension injects JavaScript into the browser's active tabs. This allows the attacker to:
  - Harvest Credentials: Capture keystrokes or read input fields on login pages.
  - Session Hijacking: Steal session cookies and tokens for authenticated services.
  - Fingerprinting: Collect detailed telemetry about the victim's environment.
Because the extension runs within the browser's user space, it often bypasses traditional network perimeter defenses, appearing as legitimate user traffic to egress filters.
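The jump in requested permissions described above is the most reliable artifact a defender can check for after an ownership change. The following PowerShell is added here as an example and is not part of the original article: it compares the manifest of a previously vetted extension version with the newly pushed one and flags newly requested high-risk permissions, host permissions and content-script match patterns. The two manifests are constructed samples; the function names and the high-risk permission list are this example's own choices.

```powershell
# Added example: flag permission escalation between two extension manifest versions.
# The list of permissions treated as high risk is this example's own judgement call.
$HighRiskPermissions = @('<all_urls>', 'tabs', 'cookies', 'webRequest', 'webRequestBlocking',
                         'scripting', 'storage', 'webNavigation', 'history', 'clipboardRead')

function Get-ManifestPermissions {
    param([Parameter(Mandatory)] $Manifest)
    # Manifest V3 moves host patterns into host_permissions; content-script match
    # patterns are included because a script injected into every page is the
    # mechanism the takeover scenario relies on.
    $perms = @($Manifest.permissions) + @($Manifest.host_permissions)
    foreach ($cs in @($Manifest.content_scripts)) { $perms += @($cs.matches) }
    return $perms | Where-Object { $_ } | Sort-Object -Unique
}

function Compare-ExtensionManifest {
    param([Parameter(Mandatory)] [string]$OldJson,
          [Parameter(Mandatory)] [string]$NewJson)
    $old = @(Get-ManifestPermissions ($OldJson | ConvertFrom-Json))
    $new = @(Get-ManifestPermissions ($NewJson | ConvertFrom-Json))
    $added   = @($new | Where-Object { $_ -notin $old })
    $removed = @($old | Where-Object { $_ -notin $new })
    # A URL match pattern (https://*/*, <all_urls>) counts as high risk as well
    $highRisk = @($added | Where-Object { $_ -in $HighRiskPermissions -or $_ -like '*://*/*' })
    [PSCustomObject]@{
        Added       = $added
        Removed     = $removed
        HighRiskNew = $highRisk
        Verdict     = if ($highRisk.Count -gt 0) { 'REVIEW: permission escalation' }
                      else { 'No new high-risk permissions' }
    }
}

# Constructed sample manifests: version 1.0 (vetted) and 1.1 (pushed after the ownership change)
$Before = @'
{ "name": "Example Search Helper", "version": "1.0", "manifest_version": 3,
  "permissions": ["activeTab"] }
'@
$After = @'
{ "name": "Example Search Helper", "version": "1.1", "manifest_version": 3,
  "permissions": ["tabs", "storage", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{ "matches": ["<all_urls>"], "js": ["content.js"] }] }
'@
Compare-ExtensionManifest -OldJson $Before -NewJson $After | Format-List
```

In practice the two inputs are the manifest.json files from the version folders under Extensions\<id>\ (where both versions still exist on disk) or from archived copies taken at approval time; the Verdict field is what a hunting rule or change-review ticket would key on.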
Detection and Threat Hunting
Detecting these threats requires monitoring the endpoint for the installation of specific extensions and watching for behavioral anomalies. Security Operations Centers (SOCs) should implement hunting queries to identify the presence of known malicious extensions or sudden changes in extension behavior.
1. Hunt for Extension Installation (KQL)
Use this KQL query in Microsoft Sentinel or Defender 365 to hunt for the installation of extensions associated with the "BuildMelon" developer or specific IDs if known.
DeviceRegistryEvents
| where RegistryKey contains @"Software\Google\Chrome\Extensions"
| where RegistryValueName == "name" or RegistryValueName == "update_url"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName
| where RegistryValueData contains "QuickLens" or RegistryValueData contains "BuildMelon"
| order by Timestamp desc
2. Audit Chrome Extensions via PowerShell
For organizations managing Windows endpoints, this PowerShell script audits installed extensions for all users to identify unauthorized software.
# Chrome keeps per-user extensions under <user profile>\AppData\Local\Google\Chrome\User Data\<profile>\Extensions\<id>\<version>
$UserDataPaths = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName "AppData\Local\Google\Chrome\User Data" } |
    Where-Object { Test-Path $_ }
if ($UserDataPaths) {
    foreach ($ChromeBasePath in $UserDataPaths) {
        # Wildcards cover every profile (Default, Profile 1, ...) and every installed version folder
        Get-ChildItem -Path (Join-Path $ChromeBasePath "*\Extensions\*\*") -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ExtPath = $_.FullName
            $ManifestPath = Join-Path -Path $ExtPath -ChildPath "manifest.json"
            if (Test-Path $ManifestPath) {
                $Manifest = Get-Content $ManifestPath -Raw | ConvertFrom-Json
                [PSCustomObject]@{
                    User          = ($ChromeBasePath -split '\\')[2]
                    ExtensionId   = $_.Parent.Name     # 32-character CRX ID, the value threat intel reports
                    # A name such as __MSG_appName__ is a localized placeholder; resolve it via _locales if needed
                    ExtensionName = if ($Manifest.name) { $Manifest.name } else { "Unknown" }
                    Version       = $Manifest.version
                    Path          = $ExtPath
                    # Manifest V3 lists host patterns separately in host_permissions
                    Permissions   = (@($Manifest.permissions) + @($Manifest.host_permissions) | Where-Object { $_ }) -join ', '
                }
            }
        }
    }
} else {
    Write-Host "Chrome installation not found."
}
3. Detect Suspicious Extension IDs on Linux/macOS
For Linux or macOS endpoints, you can scan the profile directories for specific extension IDs. Note: You would need to replace MALICIOUS_EXTENSION_ID with the actual CrxID once identified by threat intelligence.
#!/bin/bash
# Replace with the CRX ID supplied by threat intelligence (placeholder value)
MALICIOUS_EXTENSION_ID="MALICIOUS_EXTENSION_ID"
# Scan Chrome profiles on Linux and macOS (paths left unquoted so the globs expand)
for profile in ~/.config/google-chrome/*/Extensions \
               ~/.config/google-chrome-beta/*/Extensions \
               ~/Library/Application\ Support/Google/Chrome/*/Extensions; do
  if [ -d "$profile" ]; then
    echo "Scanning $profile..."
    # One directory per installed extension, named by its ID (no GNU-only find -printf, so this also runs on macOS)
    for ext in "$profile"/*/; do
      [ -d "$ext" ] || continue
      id=$(basename "$ext")
      echo "$id"
      [ "$id" = "$MALICIOUS_EXTENSION_ID" ] && echo "  !! MATCH: known malicious extension ID in $profile"
    done
  fi
done
Mitigation Strategies
To protect your organization from malicious browser extensions, a proactive approach is required.
- Enterprise Allowlisting: Google Chrome Enterprise policies allow administrators to block the installation of all extensions except those explicitly approved. Transition from a blocklist model to an allowlist model immediately.
- Extension Audit: Conduct an immediate audit of all extensions currently installed in your environment. Remove any that are no longer in use or are not approved by IT.
- Vendor Verification: Before installing an extension, verify the developer's reputation. Be wary of extensions that have recently changed hands, as indicated by updated developer names or emails in the "Offered by" section.
- Behavior Monitoring: Implement Endpoint Detection and Response (EDR) solutions that monitor for browser processes (chrome.exe) spawning unexpected child processes or making unusual network connections.
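As an added example (not from the original article or from Google), here is how the allowlist model from the first bullet is enforced on a single Windows endpoint through the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies that Chrome reads from HKLM\SOFTWARE\Policies\Google\Chrome. The approved extension IDs are placeholders, the function names are this example's own, and the script must run from an elevated shell; on domain-joined fleets the same values are normally delivered by Group Policy or Intune rather than written directly.

```powershell
# Added example: enforce a Chrome extension allowlist via the HKLM policy keys.
# Requires an elevated shell. Approved IDs below are constructed placeholders, not real extensions.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeExtensionAllowlist {
    param([Parameter(Mandatory)] [string[]]$ApprovedExtensionIds)
    $blockKey = Join-Path $ChromePolicy 'ExtensionInstallBlocklist'
    $allowKey = Join-Path $ChromePolicy 'ExtensionInstallAllowlist'
    foreach ($key in $blockKey, $allowKey) {
        # Rebuild both lists from scratch so stale entries cannot survive
        if (Test-Path $key) { Remove-Item $key -Recurse -Force }
        New-Item -Path $key -Force | Out-Null
    }
    # "*" in the blocklist blocks every extension that is not explicitly allowlisted
    New-ItemProperty -Path $blockKey -Name '1' -Value '*' -PropertyType String | Out-Null
    $i = 1
    foreach ($id in $ApprovedExtensionIds) {
        # Chrome extension IDs are exactly 32 lowercase letters from a to p; reject anything else
        if ($id -notmatch '^[a-p]{32}$') { throw "Invalid extension ID: $id" }
        New-ItemProperty -Path $allowKey -Name "$i" -Value $id -PropertyType String | Out-Null
        $i++
    }
}

function Get-ChromeExtensionAllowlist {
    # Read back the numbered values so the result can be compared against the approved inventory
    $allowKey = Join-Path $ChromePolicy 'ExtensionInstallAllowlist'
    if (-not (Test-Path $allowKey)) { return @() }
    (Get-ItemProperty -Path $allowKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

# Placeholder IDs (constructed, 32 letters a-p) standing in for your approved extensions
Set-ChromeExtensionAllowlist -ApprovedExtensionIds @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
)
Get-ChromeExtensionAllowlist
```

After the policy refresh, chrome://policy on the endpoint should list both policies as applied, and any extension not on the list is disabled rather than merely blocked from new installs, which is what closes the ownership-transfer gap: a listing that changes hands keeps its ID, but the approval decision is now tied to your inventory rather than to the store listing.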
Conclusion
The compromise of the "QuickLens" and associated BuildMelon extensions underscores that trust in software is dynamic, not static. A tool that is safe today may be a weapon tomorrow. Continuous monitoring and strict governance of the browser ecosystem are essential components of a mature security posture.