Firefox security warning - multiple browser addons found to be riddled with malware, so be on your guard


  • Koi Security uncovered 17 malicious Firefox extensions that hid backdoors and tracking code, downloaded over 50,000 times
  • The extensions pulled payloads from remote servers, hijacked affiliate links, injected trackers, stripped security headers, and enabled ad‑fraud mechanisms
  • Mozilla removed all affected add‑ons and updated detection systems; users should uninstall them and secure accounts

More than a dozen Firefox extensions were found to be malicious, planting backdoors and keeping track of user browsing habits, experts have warned.

This is according to security researchers from Koi Security, who named the campaign “GhostPoster”, and said that some of these extensions have a rather unique way of retrieving malicious code.

In total, these extensions were downloaded more than 50,000 times.

Here is the full list of the ones found so far:

free-vpn-forever
screenshot-saved-easy
weather-best-forecast
crxmouse-gesture
cache-fast-site-loader
freemp3downloader
google-translate-right-clicks
google-traductor-esp
world-wide-vpn
dark-reader-for-ff
translator-gbbd
i-like-weather
google-translate-pro-extension
谷歌-翻译
libretv-watch-free-videos
ad-stop
right-click-google-translate

Some of these extensions store the malicious JavaScript code in their PNG logo. The code serves as instructions on how to download the main payload from a remote server. To make detection and attribution more difficult, the attackers made the extensions download the main payload only 10% of the time.
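For anyone reviewing an unpacked extension, here is an added example (not from Koi Security's report or this article) that audits an icon file for data a PNG decoder would ignore. The article does not say where in the PNG the code sits, so the check for bytes after the IEND chunk, the `SCRIPT_HINTS` token list and the sample images are assumptions constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Heuristic tokens suggesting script text; an assumption, tune for your corpus.
SCRIPT_HINTS = (b"function", b"eval(", b"fetch(", b"=>", b"atob(", b"console.")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def audit_png(blob: bytes) -> dict:
    """Walk the chunk list and report anything that is not image data."""
    if not blob.startswith(PNG_SIGNATURE):
        return {"valid": False, "trailing": b"", "bad_crc": [], "script_like": False}
    pos, bad_crc, saw_iend = len(PNG_SIGNATURE), [], False
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):  # truncated file or a lying length field
            break
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            bad_crc.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            saw_iend = True
            break
    trailing = blob[pos:]  # bytes a renderer ignores but extension code can read
    return {
        "valid": saw_iend,
        "trailing": trailing,
        "bad_crc": bad_crc,
        "script_like": any(h in trailing for h in SCRIPT_HINTS),
    }


# Constructed samples: a minimal 1x1 grayscale PNG, clean and with appended text.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN = (PNG_SIGNATURE + _chunk(b"IHDR", IHDR)
         + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
TAMPERED = CLEAN + b"\nconsole.log('constructed sample');"
```

A non-empty `trailing` value on an icon is worth a manual look even when `script_like` is false, since the token list is only a heuristic.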

The main payload can do all sorts of things. First and foremost, it hijacks affiliate links on major ecommerce sites - stealing money directly from content creators.

Then, it injects Google Analytics tracking into every page the user visits, and strips security headers from all HTTP responses.

Finally, it can bypass CAPTCHA using three separate mechanisms, and can inject invisible iframes, mostly used for ad fraud, click fraud, and tracking. These iframes self-destruct after roughly 15 seconds.

While stealing money from affiliates and keeping tabs on user behavior is definitely a serious matter, researchers warned that the campaign could get even more destructive at any point, should the attackers decide to start harvesting passwords, or redirecting users to fake bank login pages and similar phishing sites.

After news broke, Mozilla investigated the report and decided to remove all of the discovered extensions from its browser store.

“Our add-ons team has investigated this report and as a result, has taken action to remove all of these extensions from AMO,” the company told BleepingComputer. “We have updated our automated systems to detect and block extensions using similar attacks now and in the future. We continue to improve our systems as new attacks appear.”

If you are using any of these extensions, you should remove them immediately and secure your critical accounts.

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
