Cyber: QuickLens Chrome Extension Steals Crypto, Shows ClickFix Attack
A Chrome extension named "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.
QuickLens was initially published as a Chrome extension that lets users run Google Lens searches directly in their browser. The extension grew to roughly 7,000 users and, at one point, received a featured badge from Google.
However, on February 17, 2026, version 5.8 was released containing malicious scripts that added ClickFix attacks and info-stealing functionality targeting users of the extension.
Security researchers at Annex first reported that the extension had recently changed ownership after being listed for sale on ExtensionHub, a marketplace where developers sell browser extensions.
Annex's analysis shows that version 5.8 requested new browser permissions, including declarativeNetRequestWithHostAccess and webRequest.
It also included a rules.json file that stripped browser security headers, such as Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection, from all pages and frames. These headers would have made it more difficult to run malicious scripts on websites.
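The two changes Annex describes (newly requested permissions and header-stripping rules) can be checked for when reviewing an extension update. The following audit sketch is an added example, not code from Annex or BleepingComputer; it assumes the standard Manifest V3 `declarativeNetRequest` rule format, and the manifests, version strings and rules in it are constructed samples, not the real QuickLens files.

```python
import json

# Response headers the article says version 5.8's rules.json stripped.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options", "x-xss-protection"}
# Permissions the article says the malicious update newly requested.
WATCHED_PERMISSIONS = {"declarativeNetRequestWithHostAccess", "webRequest"}


def audit_rules(rules):
    """Return (rule id, header) for each rule that removes or overwrites a security header."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for mod in action.get("responseHeaders", []):
            header = mod.get("header", "").lower()  # header names are case-insensitive
            if header in SECURITY_HEADERS and mod.get("operation") in ("remove", "set"):
                findings.append((rule.get("id"), header))
    return findings


def new_watched_permissions(old_manifest, new_manifest):
    """Return watched permissions present in the new manifest but not in the old one."""
    old = set(old_manifest.get("permissions", []))
    new = set(new_manifest.get("permissions", []))
    return sorted((new - old) & WATCHED_PERMISSIONS)


# Constructed sample data (placeholder versions, not the real extension files).
OLD_MANIFEST = {"manifest_version": 3, "version": "0.0.1",
                "permissions": ["activeTab", "storage"]}
NEW_MANIFEST = {"manifest_version": 3, "version": "0.0.2",
                "permissions": ["activeTab", "storage", "webRequest",
                                "declarativeNetRequestWithHostAccess"]}
SAMPLE_RULES = json.loads("""[
  {"id": 1, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "Content-Security-Policy", "operation": "remove"},
     {"header": "X-Frame-Options", "operation": "remove"}]},
   "condition": {"resourceTypes": ["main_frame", "sub_frame"]}},
  {"id": 2, "priority": 1, "action": {"type": "block"},
   "condition": {"urlFilter": "||ads.example", "resourceTypes": ["script"]}}
]""")

if __name__ == "__main__":
    print("new permissions:", new_watched_permissions(OLD_MANIFEST, NEW_MANIFEST))
    print("header-stripping rules:", audit_rules(SAMPLE_RULES))
```

A finding from either function on an update to an extension whose stated purpose does not need network-level header changes is a reason to hold the update for manual review.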
The update also introduced communication with a command-and-control (C2) server at api.extensionanalyticspro[.]top. According to Annex, the extension generated a persistent UUID, fingerprinted the victim's country using Cloudflare's trace endpoint, identified the browser and OS, and then polled the C2 server every five minutes for instructions.
BleepingComputer learned about the extension this week after seeing numerous users [1, 2] reporting fake Google Update alerts on every web page they visited.
"That is appearing in every site I go, I thought it could be because Chrome wasn't updated, but even after updating it continues to appear," a user seeking help said on Reddit.
"Of course I will not run the code that it copies on my clipboard on the run box but it keeps appearing in every site, making it impossible to interact with anything."
Source: BleepingComputer