Phishing, Identity, Data Security, Supply chain

Chrome extension ‘QuickLens’ removed after stealing crypto and spreading malware


A popular Chrome extension, QuickLens - Search Screen with Google Lens, has been removed from the Chrome Web Store after being compromised to distribute malware and attempt to steal cryptocurrency from thousands of users. The extension, which initially offered Google Lens search functionality and even received a featured badge from Google, was updated with malicious scripts that introduced ClickFix attacks and info-stealing capabilities, as reported by Bleeping Computer.

The malicious version 5.8 of QuickLens was pushed to approximately 7,000 users on February 17, 2026, after the extension changed ownership. The update requested new browser permissions and stripped security headers like Content-Security-Policy, enabling the execution of malicious JavaScript. This script communicated with a command-and-control server, fingerprinting victims and polling for instructions.

Users encountered fake Google Update alerts, leading to ClickFix attacks that downloaded a malicious executable. The malware then attempted to steal cryptocurrency wallet details, including seed phrases from popular wallets like MetaMask and Phantom, in addition to capturing login credentials and other sensitive form data. There are also claims that macOS users were targeted with info-stealing malware.
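The two update changes described above (new permission requests and removal of headers such as Content-Security-Policy) can be checked for when reviewing an extension update. The following is an added example, not code from the article, Bleeping Computer, or the extension. It assumes the header stripping is done with Manifest V3 `declarativeNetRequest` `modifyHeaders` rules, which the article does not state; the function names, manifests, and rules are hypothetical and constructed.

```javascript
// Added example; manifests and rules are constructed samples, not QuickLens files.
const SECURITY_HEADERS = new Set([
  "content-security-policy", "content-security-policy-report-only",
  "x-frame-options", "x-content-type-options", "strict-transport-security",
]);

// Permissions and host patterns present in `next` but absent from `prev`.
function addedPermissions(prev, next) {
  const collect = (m) => new Set([
    ...(m.permissions || []), ...(m.host_permissions || []),
    ...(m.optional_permissions || []),
  ]);
  const before = collect(prev);
  return [...collect(next)].filter((p) => !before.has(p)).sort();
}

// Rules that remove or overwrite a security response header.
// "append" is ignored: an extra CSP can only tighten the effective policy.
function headerStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== "modifyHeaders") continue;
    for (const h of rule.action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase();
      if (SECURITY_HEADERS.has(name) && h.operation !== "append") {
        findings.push({ ruleId: rule.id, header: name, operation: h.operation });
      }
    }
  }
  return findings;
}

function auditUpdate(prev, next, nextRules) {
  return { addedPermissions: addedPermissions(prev, next),
           strippedHeaders: headerStrippingRules(nextRules) };
}

// Constructed "before" and "after" manifests (version numbers are placeholders).
const oldManifest = { manifest_version: 3, version: "1.0", permissions: ["activeTab", "contextMenus"] };
const newManifest = { manifest_version: 3, version: "1.1",
  permissions: ["activeTab", "contextMenus", "declarativeNetRequest", "scripting"],
  host_permissions: ["<all_urls>"] };
const newRules = [
  { id: 1, condition: { resourceTypes: ["main_frame"] }, action: { type: "modifyHeaders",
    responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" },
                      { header: "X-Frame-Options", operation: "remove" }] } },
  { id: 2, condition: { urlFilter: "ads.example" }, action: { type: "block" } },
];
console.log(JSON.stringify(auditUpdate(oldManifest, newManifest, newRules), null, 2));
```

An update that adds broad host access together with a rule removing Content-Security-Policy is worth holding back for manual review before it reaches managed browsers.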

Source: Bleeping Computer
