We tracked this one from the moment it was listed for sale Oct 11th, through the ownership change, to the malicious update Feb 17th. Full technical breakdown of the pixel trick, the C2 infrastructure, and the CSP stripping. annex.security/blog/pixel-p...
A Google Lens extension that was sold gets weaponized overnight—stripping browser security headers and using a 1x1 GIF onload trick to execute C2-delivered JavaScript on every page
annex.security
3mo
Pixel Perfect: Sold Extension Injects Code Through Pixel
tuckner