How do Chrome extensions turn malicious after ownership transfer?

A new owner ships an update that looks legitimate but adds malicious code — stripping CSP headers, polling remote servers for JS to execute, or logging all keystrokes and tab URLs.

What is the Chrome extension ownership transfer attack?

Threat actors buy popular legitimate extensions on marketplaces like ExtensionHub, then push malicious updates to the existing user base within days of transfer.

How can I tell if a Chrome extension changed owners?

There is no native Chrome alert. Third-party tools like Extension Total or Spin.ai can monitor developer ID changes, but most users have no visibility.

How many users were affected by malicious browser extension supply chain attacks?

5.8 million users were directly impacted by documented malicious browser extensions in the 2024-2025 period according to security researchers.

What should enterprises do about the Chrome extension supply chain risk?

Maintain an allowlist of approved extensions, monitor developer ID changes, and use endpoint security tools that detect extension behavior anomalies.

← Back to dashboard

clawsmith.com/signal/chrome-extension-ownership-transfer-attack

⚠ IssueUnderservedLive

Chrome Extension Ownership Transfer: Trusted Extensions Sold and Weaponized for Code Injection

Cybercriminal groups purchase popular legitimate Chrome extensions then ship malicious updates: QuickLens (7K users) and ShotBird were both sold in Feb 2026 and turned malicious within weeks, stripping security headers (X-Frame-Options, CSP), injecting remote JavaScript on every page load, and fingerprinting users. 5.8M users hit by documented malicious browser extension supply chain attacks in 2024-2025. The Chrome Web Store reviews don't catch post-transfer updates.

Product Idea from this Signal

A browser extension that monitors installed extensions for ownership transfers, permission scope changes, and suspicious outbound data requests in real time

5.8k ▲

Chrome extensions are a weaponized attack surface with no end-user runtime defense. Three documented incidents expose the gap: Honey hijacked affiliate cookies for millions of users (MegaLag expose: 9.4M YouTube views, 4M Chrome users lost); Urban VPN and 7 related extensions silently intercepted 8M users ChatGPT, Claude, and Gemini conversations and sold them to a data broker via a silent update; QuickLens and ShotBird were purchased by threat actors in Feb 2026 and turned malicious within weeks, stripping CSP headers and injecting remote JS on every page load. The Chrome Web Store review system does not alert existing users when an extension changes ownership or gains new permissions post-install. No consumer-facing tool watches for these events at runtime. This extension sits inside Chrome, monitors every other installed extension for developer/publisher changes, permission manifest diffs, and anomalous outbound network requests (especially to AI conversation endpoints), and surfaces alerts before damage is done.

browser-extensionsecurityprivacychromesupply-chainai-conversationsextension-monitoring

Competitive1000 leadsView Opportunity →