A Chrome extension named “QuickLens – Search Screen with Google Lens” has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.

QuickLens was initially published as a Chrome extension that lets users run Google Lens searches directly in their browser. The extension grew to roughly 7,000 users and, at one point, received a featured badge from Google.

However, on February 17, 2026, a new version 5.8 was released that contained malicious scripts that introduced ClickFix attacks and info-stealing functionality for those using the extension.

The malicious QuickLens extension

Security researchers at Annex first reported that the extension had recently changed ownership after being listed for sale on ExtensionHub, a marketplace where developers sell browser extensions.

Annex says that on February 1, 2026, the owner changed to support@doodlebuggle.top under “LLC Quick Lens,” with a new privacy policy hosted on a barely functional domain. Just over two weeks later, the malicious update was pushed to users.

Annex’s analysis shows that version 5.8 requested new browser permissions, including declarativeNetRequestWithHostAccess and webRequest.

It also included a rules.json file that stripped browser security headers, such as  Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection, from all pages and frames. These headers would have made it more difficult to run malicious scripts on websites.

The update also introduced communication with a command-and-control (C2) server at api.extensionanalyticspro[.]top. According to Annex, the extension generated a persistent UUID, fingerprinted the victim’s country using Cloudflare’s trace endpoint, identified the browser and OS, and then polled the C2 server every five minutes for instructions.

BleepingComputer learned about the extension this week after seeing numerous users [1, 2] reporting fake Google Update alerts on every web page they visited.

“That is appearing in every site i go, i through it could be because Chrome wasn’t updated, but even after uptading it continues to appear,” a user seeking help said on Reddit.

“Of course i will not run the code that it copy on my clipboard on the run box but it keeps appearing in every site, making it impossible to interact with anything.”

BleepingComputer’s analysis of the extension showed it connected to a C2 server at https://api.extensionanalyticspro[.]top/extensions/callback?uuid=[uuid]&extension=kdenlnncndfnhkognokgfpabgkgehoddto, where it received an array of malicious JavaScript scripts.

These payloads were then executed on every page load using a technique that Annex described as a “1×1 GIF pixel onload trick.”

Because the extension stripped CSP headers on all visited sites, this inline JavaScript execution worked even on sites that would normally block it.

The first payload contacts google-update[.]icu, where it receives an additional payload that displays a fake Google Update prompt. Clicking the update button would display a ClickFix attack, prompting users to perform a verification by running code on their computers.

For Windows users, this led to the download of a malicious executable named “googleupdate.exe” [VirusTotal] that was signed with a certificate from “Hubei Da’e Zhidao Food Technology Co., Ltd.”

Upon execution, the malware launched a hidden PowerShell command that spawned a second PowerShell instance to connect to drivers[.]solutions/META-INF/xuoa.sys using a custom “Katzilla” user agent.

The response was piped into Invoke-Expression for execution. However, by the time BleepingComputer analyzed the payloads, the second-stage URL was no longer serving any malicious content.

Another malicious JavaScript “agent” delivered by the https://api.extensionanalyticspro[.]top C2 was used to steal cryptocurrency wallets and credentials.

The extension would detect if MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare, Backpack, Brave Wallet, Exodus, Binance Chain Wallet, WalletConnect, and the Argon crypto wallets were installed. If so, it would attempt to steal activity and seed phrases, which would be used to hijack wallets and steal their assets.

Another script captured login credentials, payment information, and other sensitive form data.

Additional payloads were used to scrape Gmail inbox contents, extract Facebook Business Manager advertising account data, and collect YouTube channel information.

A review of the now-removed Chrome extension page claims that macOS users were targeted with the AMOS (Atomic Stealer) infostealer. BleepingComputer has not been able to independently verify if these claims are true.

Google has since removed QuickLens from the Chrome Web Store, and Chrome now automatically disables it for affected users.

Users who installed QuickLens – Search Screen with Google Lens should ensure the extension is fully removed, scan their device for malware, and reset passwords for any credentials stored in the browser.

If you use any of the mentioned cryptocurrency wallets, you should transfer your funds to a new wallet.

This extension is not the first to be used in ClickFix attacks. Last month, Huntress discovered a browser extension that intentionally crashed browsers and then displayed fake fixes that installed the ModeloRAT malware.

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Advertisement

Get the guide

Residents across Tehran and other Iranian cities were jolted awake by sounds of loud explosions in the early hours of Saturday morning, as Israel and the US launched joint attacks on Iran.

The attacks, which the US and Israel are calling “preemptive strikes,” come after a period of failed negotiations between the countries, and on the heels of mass protests in Iran earlier this year that saw the death of at least 3,117 civilians, according to government statistics.

Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called ‘BadeSaba Calendar’ that has been downloaded more than 5 million times from the Google Play Store.

The messages arrived in quick succession over a period of 30 minutes, starting with the phrase ‘Help Has Arrived’ at 9:52 am Tehran time, shortly after the first set of explosions. No party has claimed responsibility for the hacks.

Screenshots shared with WIRED Middle East show messages urging Iranian military personnel to surrender their weapons with the promise of amnesty. They also urged army personnel to join “the forces of liberation” and to “defend your brothers.”

The push notifications are all titled “Help is on the way”, and call on Iranian military members to surrender.

Screenshot: WIRED Middle East

“The time for revenge has come,” one notification received at 10:02 am read (translated from Farsi). “The regime’s repressive forces will pay for their cruel and merciless actions against the innocent people of Iran. Anyone who joins in defending and protecting the Iranian nation will be granted amnesty and forgiveness.”

“For the freedom of our Iranian brothers and sisters, this is a call to all oppressive forces—lay down your weapons or join the forces of liberation. Only in this way can you save your lives. For a free Iran,” another message sent at 10:14 am read.

Cybersecurity analysts confirmed that BadeSabah users had received notifications around the time of the strikes, but have not been able to identify the source of the hack. “At this point, we genuinely do not know who is behind them, whether it was Israel or other anti-government Iranian groups,” says Narges Keshavarznia, digital rights researcher at the Miaan Group, adding that no hacker group has claimed credit.

“Attribution in cases like this is always complex, and it’s still too early to draw conclusions.”

​​Morey Haber, the chief security advisor at BeyondTrust, however, pointed out that a cyber operation of this nature would almost certainly have been planned in advance.

“The compromise of assets [likely] happened some time ago, and these messages of ‘help’ were timed” strategically, he claims. “This is not a smash-and-grab style of attack. It is nation-state versus nation-state and is being executed with intent and precision.”

Iran on Saturday launched retaliatory kinetic attacks targeting key military bases across the Middle East. Explosions were reported in Bahrain, Kuwait, the UAE, and Qatar on Saturday, including multiple missiles that were intercepted.

Digital Blackout, Cyber Warfare

As the war unfolds, the Iranian public has already faced internet blackouts and weeks of severely reduced connectivity. “The country has been experiencing a widespread internet disruption, and access to the internet has significantly decreased in several parts of the country, including Tehran,” Keshavarznia says.

According to internet monitoring tool NetBlocks, overall network traffic has dropped to 4 percent. Data from ArvanCloud’s Radar monitoring system, an Iranian-operated cloud service, indicates that many of the country’s main data centers and domestic PoP sites have either lost connectivity to the international internet or are experiencing severe disruption, Keshavarznia pointed out.

Communication networks are also down with outages in phone lines and SMS services, and severe degradation of both mobile data and fixed broadband connections. “Incoming international calls to Iran are also reportedly affected. Even using VPNs has become extremely difficult,” she says.

from the surveillance-streisand dept

If you run a company whose entire value proposition is the ability to see patterns, predict outcomes, and connect dots that others miss, you’d think someone in the building might have flagged that suing a small independent magazine over unflattering-but-accurate reporting would only guarantee that millions more people read it.

And yet, here we are.

Palantir Technologies, the infamous surveillance and data analytics giant chaired by Peter Thiel, has filed a lawsuit against Republik, a small Swiss online magazine, over a pair of investigative articles published in December. The articles, produced in collaboration with the investigative collective WAV, detailed a years-long, multi-ministry charm offensive by Palantir to sell its software to Swiss federal authorities. The campaign was, by all accounts, a comprehensive failure. Swiss agencies rejected Palantir at least nine times, with concerns ranging from data sovereignty to reputational risk to the simple fact that nobody needed the product.

The reporting was based on documents obtained through 59 freedom of information requests filed with Swiss federal agencies. The key finding was an internal Swiss Armed Forces report that concluded Palantir’s software posed unacceptable risks because sensitive military data could potentially be accessed by U.S. government intelligence agencies. As the Republik article details:

The authors of the report state that using Palantir’s software would increase dependence on a U.S. provider. It also poses the risk of losing data sovereignty and thereby national sovereignty.

Above all, however, the army’s staff experts say it remains unclear who has access to data shared with Palantir. The following sentence from the Swiss Army report is particularly relevant: “Palantir is a U.S.-based company, which means there is a possibility that sensitive data could be accessed by the US government and intelligence services.”

As if it’s any sort of surprise that European governments are wary of betting on US tech companies with close ties to the US government. It’s not like reports of US spies co-opting US tech companies for surveillance efforts haven’t been front page news over the past twenty years. And now, this administration—with its willingness to antagonize everyone in Europe, and its close ties to Palantir and Thiel? It’s no freaking wonder that the Swiss government was like “yo, maybe pass.”

So how does a sophisticated data intelligence company respond to well-sourced investigative journalism based on official government documents?

By suing the journalists, of course.

But here’s the thing that makes this even more absurd: Palantir isn’t even claiming the articles are false. The company isn’t suing for defamation. It isn’t seeking damages. Instead, it’s invoking a Swiss “right of reply” statute, alleging that Republik didn’t give the company a sufficient opportunity to respond. Palantir wants the court to force the magazine to publish lengthy counter-statements to each article.

According to the FT:

Palantir’s lawsuit, filed in January, is not seeking damages or making libel claims against Republik, but instead alleges that the company was not given sufficient right to reply under Swiss media law. The company objects to Republik’s presentation of the public documents and believes its right to reply has been wrongfully denied.

….

Republik’s managing director Katharina Hemmer said Palantir had wanted the magazine to publish a very lengthy counterstatement to each article. Republik believed the proposed statements did not fairly address or rebut the reporting, she said, adding that the magazine stands by its reporting.

Advertisement

To which I say: good. Because Palantir’s demand here is absurd. Oh boo-fucking-hoo, the big defense contractor didn’t like the coverage? Pull on your big boy pants and get over it. Switzerland’s right of reply law exists so people can correct factual errors, not so corporations can force publications to run PR copy because they didn’t like the tone of accurate, document-based reporting.

And it’s worth noting: Palantir has already used other avenues to respond. The company published a blog post complaining that the Republik article “paints a false and misleading picture” and “hinders important discussions about the modernization of European software.” They’ve got the platform. If Palantir wants to push back on the story, they have many methods of doing so. Hell, they can do so on X any time they want—on what Musk and company like to call the global town square for free speech.

But that’s apparently not enough. Instead, a multibillion-dollar American defense and intelligence contractor is hauling a small independent Swiss magazine into court, not because anything the magazine published was wrong, but because Palantir wants to force the publication to run its talking points under legal compulsion.

Compelled speech isn’t free speech, guys. And this is nothing more than a blatant intimidation campaign to frighten away reporters from reporting the truth about Palantir.

The European Federation of Journalists has called this exactly what it is: a SLAPP suit—a strategic lawsuit against public participation, designed to use the weight and cost of litigation to intimidate and punish journalists for doing their jobs.

“The investigation conducted by WAV and Republik into Palantir is largely based on official documents that journalists were able to access thanks to Swiss freedom of information law,” notes EFJ President Maja Sever. “The legal action brought by this powerful multinational firm against a small Swiss media start-up is, in our view, an attempt at intimidation aimed at discouraging any critical analysis of Palantir’s activities.”

And in case you didn’t catch the irony: the Swiss military rejected Palantir in part because of fears about a heavy-handed American entity with uncomfortably close ties to U.S. intelligence. Palantir’s response to the reporting of that rejection? Behave like a heavy-handed American entity trying to bully a small foreign publication into submission. If anyone at Palantir had run this decision through their own pattern-recognition software, you’d hope a few red flags would have popped up.

Meanwhile, the lawsuit has done exactly what anyone with a passing familiarity with the Streisand Effect could have predicted. The original Republik articles were about the Swiss government politely but firmly declining Palantir’s advances—an embarrassing but relatively contained story.

Now, thanks to the lawsuit, the story has gone international. The Financial Times is covering it. The European Federation of Journalists is covering it. A UK member of parliament has already cited the Republik investigation during a debate on British defense contracts with Palantir, using the story to suggest that the British government “pivot away” from Palantir.

The Republik investigation itself is genuinely worth reading, and not just because Palantir desperately doesn’t want you to.

It paints a picture of a company that spent seven years working every angle to get Swiss federal agencies to buy its products—approaching the Federal Chancellery during COVID, pitching the Federal Office of Public Health on contact tracing, presenting anti-money laundering software to financial regulators, making repeated runs at the military—and getting turned away at every door. Sometimes embarrassingly, such as the Federal Statistical Office director apparently just ignoring Palantir’s outreach entirely.

For a company that brags about its ability to “optimize the kill chain” and whose CEO once told investors that “Palantir is here to disrupt… and, when it’s necessary, to scare our enemies and occasionally kill them,” getting politely rejected by the Swiss statistical office has to sting a little.

But suing the journalists who reported on it? When the entire basis of your lawsuit is “we want you to publish our talking points” rather than “anything you published was wrong,” it makes pretty clear you don’t actually have a substantive response to the reporting. If Palantir thinks the picture is false, the remedy is to demonstrate that the documents are wrong—not to drag a small magazine through expensive litigation until it capitulates or goes broke.

Seriously, how fucking fragile are the egos in the Palantir executive suite that they can’t handle a bit of mildly embarrassing reporting? Grow up.

A Zurich court is expected to rule on the case in March. Whatever the outcome, Palantir has already lost the only contest that matters: the one for public perception. For a company that sells the ability to see around corners, they apparently never thought to search “The Streisand Effect.”

Filed Under: chilling effects, free speech, journalism, right to reply, swiss government, switzerland

Companies: palantir, republik

“This is just not the right pathway forward,” Isaacman said.

A senior NASA official, speaking on background to Ars, noted that the space agency has experienced hydrogen and helium leaks during both the Artemis I and Artemis II prelaunch preparations, and these problems have led to monthslong delays in launch.

“If I recall, the timing between Apollo 7 and 8 was nine weeks,” the official said. “Launching SLS every three and a half years or so is not a recipe for success. Certainly, making each one of them a work of art with some major configuration change is also not helpful in the process, and we’re clearly seeing the results of it, right?”

The goal therefore is to standardize the SLS rocket into a single configuration in order to make the rocket as reliable as possible, and launching as frequently as every 10 months. NASA will fly the SLS vehicle until there are commercial alternatives to launch crews to the moon, perhaps through Artemis V as Congress has mandated, or perhaps even a little longer.

Is Everyone on Board?

The NASA official said all of the agency’s key contractors are on board with the change, and senior leaders in Congress have been briefed on the proposed changes.

The biggest opposition to these proposals would seemingly come from Boeing, which is the prime contractor for the Exploration Upper Stage, a contract worth billions of dollars to develop a more powerful rocket that was due to launch for the first time later this decade. However, in a NASA news release, Boeing appeared to offer at least some support for the revised plans.

“Boeing is a proud partner to the Artemis mission and our team is honored to contribute to NASA’s vision for American space leadership,” said Steve Parker, Boeing Defense, Space & Security president and CEO, in the news release. “The SLS core stage remains the world’s most powerful rocket stage, and the only one that can carry American astronauts directly to the moon and beyond in a single launch. As NASA lays out an accelerated launch schedule, our workforce and supply chain are prepared to meet the increased production needs.”

Solid Reasons for Changing Artemis III

NASA’s new approach to Artemis reflects a return to the philosophy of the Apollo program. During the late 1960s, the space agency flew a series of preparatory crewed missions before the Apollo 11 lunar landing. These included Apollo 7 (a low-Earth-orbit test of the Apollo spacecraft), Apollo 8 (a lunar orbiting mission), Apollo 9 (a low-Earth-orbit rendezvous with the lunar lander), and Apollo 10 (a test of the lunar lander descending to the moon, without touching down).

With its previous Artemis template, NASA skipped the steps taken by Apollo 7, 9, and 10. In the view of many industry officials, this leap from Artemis II—a crewed lunar flyby of the moon testing only the SLS rocket and Orion spacecraft—to Artemis III and a full-on lunar landing was enormous and risky.

The Artemis II crew rehearse a walkout from the Neil A. Armstrong Operations and Checkout Building at NASA’s Kennedy Space Center.Photograph: Joe Raedle/Getty Images