A Google Lens extension that was sold gets weaponized overnight—stripping browser security headers and using a 1x1 GIF onload trick to execute C2-delivered JavaScript on every page