A once-reputable Chrome extension has been caught moonlighting as a sophisticated malware delivery vehicle. ShotBird, a tool formerly “Featured” on the Chrome Web Store for its screenshot capabilities, was recently transformed into a remote-controlled channel for stealing sensitive data and compromising user endpoints.
The transformation likely followed an ownership transfer in late 2025. Researchers first noticed something was amiss when amateurish debug logs—likely the result of AI-assisted “vibecoding”—began appearing in the browser consoles of unsuspecting users.
As the report notes, “High-noise logs exposed behavior quickly in DevTools… debugLog() wrappers and mixed-language comments suggested low-opsec, likely AI-assisted payload assembly”.
Despite the “low-opsec” development style, the underlying mechanics were dangerously effective. The malicious version of ShotBird was designed to beacon to attacker infrastructure, receive JavaScript tasks, and silently strip away browser security headers like Content-Security-Policy (CSP) to allow its malicious scripts to run unimpeded.
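As an added defender-side check (not code from the report or the extension): Chrome's declarativeNetRequest API is one way an extension can remove response headers, and assuming, since the article does not say which mechanism ShotBird used, that the rules are packaged as static rule_resources files, this script audits an unpacked extension for rules that remove or overwrite CSP and related headers. The sample ruleset is constructed for illustration.

```python
"""Audit declarativeNetRequest rulesets for changes that weaken response
security headers such as Content-Security-Policy. Assumption (ours, not the
report's): static rule_resources files; rules pushed at runtime via
updateDynamicRules never appear there, so no findings is not proof of safety."""
import json
from pathlib import Path

# Response headers whose removal or rewrite weakens the page's own defences.
SECURITY_HEADERS = {
    "content-security-policy",
    "content-security-policy-report-only",
    "x-frame-options",
    "strict-transport-security",
}

def find_header_stripping_rules(rules):
    """Return (rule id, header, operation) for each modifyHeaders rule that
    removes or overwrites a security-relevant response header."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for mod in action.get("responseHeaders", []):
            name = mod.get("header", "").lower()
            if name in SECURITY_HEADERS and mod.get("operation") in ("remove", "set"):
                findings.append((rule.get("id"), name, mod["operation"]))
    return findings

def audit_extension_dir(ext_dir):
    """Audit every static ruleset declared in an unpacked extension's manifest."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = []
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rules = json.loads((ext_dir / res["path"]).read_text(encoding="utf-8"))
        findings += [(res["id"],) + f for f in find_header_stripping_rules(rules)]
    return findings

# Constructed sample: one benign blocking rule, one that strips CSP on documents.
SAMPLE_RULES = [
    {"id": 1, "priority": 1, "action": {"type": "block"},
     "condition": {"urlFilter": "||ads.example", "resourceTypes": ["script"]}},
    {"id": 2, "priority": 1, "action": {"type": "modifyHeaders", "responseHeaders": [
        {"header": "Content-Security-Policy", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
]

if __name__ == "__main__":
    print(find_header_stripping_rules(SAMPLE_RULES))  # [(2, 'content-security-policy', 'remove')]
```

Run it against a suspect extension directory with `audit_extension_dir(path)`; a hit on `main_frame` with a wildcard `urlFilter` is the pattern to escalate, since legitimate ad blockers rarely need to remove CSP site-wide.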
ShotBird didn’t just stop at browser abuse. It acted as a bridge to full system compromise through a “fake update” social engineering scheme.
Victims were pressured with urgent alerts—claiming their browser was “blocked” until updated—to either run a malicious executable or copy-paste a PowerShell command. In the observed Windows file-delivery path: “Victims were pushed to run googleupdate.exe, a fake update wrapper that carried a real Google-signed ChromeSetup.exe alongside a malicious psfx.msi stager”.
This clever use of a real Google installer helped the malware evade suspicion while the malicious stager executed in parallel.
The extension included a “grabber” task that targeted a broad range of sensitive information. According to the findings:
- Credential Theft: The malware targeted password and PIN fields.
- Financial Data: Captured inputs included card numbers, CVVs, and IBAN/BIC/SWIFT codes.
- Identity Classes: The scope extended to SSNs, tax IDs, and verification tokens.
- Host-Side Control: Reconstructed logs confirmed the malware could suppress security logging (ETW), access the Windows Credential Manager, and exfiltrate browser data.
ShotBird appears to be part of a larger trend of “ownership-transfer-as-infection-vector”. The C2 architecture and techniques used here closely match a similar campaign involving the QuickLens extension discovered earlier this year.
If you have ShotBird installed, it is critical to remove it immediately. While the extension has been pulled from the Chrome Web Store, the incident serves as a grim warning: even a 4.9-star “Featured” extension can be turned against you overnight.