[TIMESTAMP: 2026-03-09 12:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Chrome Extensions QuickLens and BuildMelon Hijacked via Ownership Transfer

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers are leveraging transferred ownership of popular Chrome extensions to inject malicious code and exfiltrate sensitive user data directly from browsers.
  • [02] The primary affected systems are the QuickLens extension and other browser utilities previously maintained by the developer BuildMelon (akshayanuonline@gmail.com).
  • [03] Defenders must immediately audit browser environments to identify and remove QuickLens and any related extensions associated with the BuildMelon developer.

Overview of the Extension Hijacking Campaign

A recent surge in malicious activity has been observed targeting the ecosystem of browser-based utilities through the acquisition of legitimate software. According to The Hacker News, at least two Google Chrome extensions have transitioned from benign tools to active threats following what appears to be a change in ownership. The affected extensions, previously associated with the developer BuildMelon (linked to the email akshayanuonline@gmail.com), include the popular search utility QuickLens. This incident highlights a recurring Supply Chain Attack vector where threat actors purchase established extensions to inherit an existing user base and bypass initial security vetting.

Identifying Malicious Behavior in QuickLens and BuildMelon

The weaponization of these extensions involves the deployment of malicious scripts that facilitate arbitrary code injection and the harvesting of sensitive data. Once an attacker gains control over a developer account, they can push updates that include obfuscated JavaScript. These updates allow the extension to monitor user interactions, capture form data, and communicate with a C2 infrastructure. Because the extensions already possess broad permissions to “read and change all your data on the websites you visit,” the transition to a malicious state is often transparent to the end user.

This specific TTP is effective because it subverts the trust established by the original developer. Users who have relied on QuickLens for search tasks are unlikely to scrutinize a background update, particularly when the extension’s core functionality appears unchanged while the malicious payload executes silently. Professionals seeking a QuickLens browser extension malware removal strategy should note that simply disabling the extension may not be sufficient if persistent browser modifications or cached scripts remain active.

Analysis of Chrome Extension Ownership Transfer Security Risks

The root cause of this threat lies in the ease with which extension ownership can be transferred without alerting the user base. In the current marketplace, developers are frequently approached by third-party entities offering to buy their extensions. While many of these transfers are legitimate business acquisitions, they are increasingly used by APT groups and cybercriminals to gain a foothold in target environments. When an extension changes hands, the new owner can introduce updates that leverage XSS techniques or execute RCE within the context of the browser.

From a defensive perspective, this represents a significant gap in browser security. Security teams often lack visibility into which extensions are installed across their fleet, and even fewer have the resources to audit every update pushed to those extensions. When a previously safe tool suddenly begins exhibiting suspicious IoC patterns, such as making unauthorized requests to unfamiliar domains or attempting Privilege Escalation within the browser sandbox, it is often too late to prevent data exfiltration.

How to Detect Malicious Chrome Extension Updates

To maintain a resilient security posture, organizations must implement proactive monitoring. Understanding how to detect malicious Chrome extension updates is critical for any modern SOC. Defenders should monitor for sudden changes in extension permissions or unusual network traffic originating from the browser process.

Mitigation and Remediation Strategies

Defenders should prioritize the following actions to mitigate the risk posed by hijacked extensions:

  • Extension Auditing: Conduct an immediate inventory of all installed Chrome extensions. Identify any software linked to the BuildMelon developer or the QuickLens utility and remove it immediately.
  • Permission Monitoring: Use EDR tools to alert on browser extensions that request excessive permissions or attempt to execute unauthorized scripts on sensitive internal domains.
  • Policy Enforcement: Implement a whitelist-only policy for browser extensions via Group Policy Objects (GPO) or MDM solutions to prevent the installation of unvetted third-party tools.
  • User Awareness: Educate staff on the risks of browser extensions and the potential for a Phishing or data theft campaign to originate from a tool they have used for years.
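The detection advice above (watch for permission changes between updates) and the Extension Auditing and Permission Monitoring actions can be driven from the manifests Chrome keeps on disk. The following is an added example, not code from the article or from any vendor: it reads every installed extension's manifest.json from a profile directory, flags anything matching the names in this advisory, and reports updates that added high-risk permissions relative to an earlier snapshot. The extension IDs and manifests in the sample snapshots are constructed for the demo; `load_manifests` is the real-world loader and is not exercised by the sample.

```python
import json
from pathlib import Path

# Chrome permissions that give an update broad access to site data; a newly
# added one is worth an alert even if the extension was previously trusted.
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
             "history", "tabs", "scripting", "declarativeNetRequest"}
# Developer and extension names called out in the advisory above.
WATCHLIST = {"quicklens", "buildmelon", "akshayanuonline@gmail.com"}

def load_manifests(profile_dir):
    """Read <profile>/Extensions/<id>/<version>/manifest.json into {id: manifest}."""
    inventory = {}
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        inventory[path.parts[-3]] = json.loads(path.read_text(encoding="utf-8"))
    return inventory

def granted(manifest):
    """All permissions an extension holds (MV2 'permissions' plus MV3 'host_permissions')."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

def audit(baseline, current):
    """Compare two inventory snapshots; return a list of (ext_id, reason) findings."""
    findings = []
    for ext_id, manifest in current.items():
        if any(term in json.dumps(manifest).lower() for term in WATCHLIST):
            findings.append((ext_id, "matches advisory watchlist"))
        old = baseline.get(ext_id)
        if old is None:
            findings.append((ext_id, "newly installed"))
            continue
        added = (granted(manifest) - granted(old)) & HIGH_RISK
        if added:
            findings.append((ext_id, "update added high-risk permissions: " + ", ".join(sorted(added))))
    return findings

# Constructed sample snapshots: a benign version of QuickLens, then an update
# that silently expanded its reach to all sites, cookies and request traffic.
BEFORE = {
    "abcdefghijklmnopabcdefghijklmnop": {"name": "QuickLens", "version": "1.2.0",
                                         "permissions": ["activeTab", "storage"]},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {"name": "Tab Sorter", "version": "3.0.1",
                                         "permissions": ["tabs"]},
}
AFTER = {
    "abcdefghijklmnopabcdefghijklmnop": {"name": "QuickLens", "version": "1.3.0",
                                         "permissions": ["activeTab", "storage", "webRequest", "cookies"],
                                         "host_permissions": ["<all_urls>"]},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {"name": "Tab Sorter", "version": "3.0.1",
                                         "permissions": ["tabs"]},
}

if __name__ == "__main__":
    for ext_id, reason in audit(BEFORE, AFTER):
        print(ext_id, reason)
```

In a fleet deployment, store the output of `load_manifests` per host as the baseline and re-run `audit` after each browser update cycle; an unchanged extension such as Tab Sorter produces no finding.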

Addressing Chrome extension ownership transfer security risks requires a shift from reactive patching to proactive inventory management and permission-based restrictions. By treating every extension as a potential entry point for supply chain compromise, organizations can better protect their sensitive data from this stealthy attack vector.
