Full Story:
A new campaign dubbed 'GhostPoster' is hiding JavaScript code in the image logo of malicious Firefox extensions counting more than 50,000 downloads, to monitor browser activity and plant a backdoor.
(Source: www.bleepingcomputer.com)
This is a pretty nasty campaign, and it’s a good reminder that even “normal-looking” extensions (with lots of installs) can turn bad or be compromised.
What’s going on (in simple terms)
GhostPoster abuses Firefox extensions by hiding malicious JavaScript code inside the PNG logo images shipped with the add-ons. This is basically steganography: the image opens and renders normally, but the extension's own code reads the data hidden inside the file and executes it as JavaScript. Because the malicious part lives in an image file rather than in a .js file, a casual look at the extension's scripts shows nothing unusual.
Once active, the malware can:
- Monitor your browser activity
- Hijack affiliate links (steal commissions from legitimate referrers)
- Inject tracking code into pages
- Perform click and ad fraud
- Maintain persistent, high-privilege access to the browser
The hidden script is only a loader: it pulls the real payload from a remote server. To evade detection, the server hands the payload out only about once in every ten requests, so an analyst or sandbox that fetches it a few times will most likely see nothing malicious at all, which makes analysis and automated detection harder.
Koi Security identified 17 compromised Firefox extensions using this technique. Some read the PNG logo, extract the loader from it and execute it; others skip the image trick and fetch the main payload directly from an attacker-controlled server.
What you should do if you use Firefox extensions
Since we don’t have the list of all affected extensions here, the safest approach is:
- Read the article carefully and check the names/IDs of the 17 affected extensions: "GhostPoster attacks hide malicious JavaScript in Firefox addon logos" (BleepingComputer, linked above).
- Remove any affected extensions immediately:
Go to:
- Menu → Add-ons and themes → Extensions
- Remove/uninstall any extension listed as compromised.
- Audit all your installed extensions, not just the 17:
- Remove anything you don’t recognize or no longer really need.
- Be especially cautious with extensions that:
- Request broad permissions (in Firefox the prompt reads "Access your data for all websites"; that is enough to read and rewrite every page you visit)
- Are related to coupons, shopping, affiliate links, SEO, "productivity boosters", or ad-related stuff, since those are exactly the categories where affiliate hijacking and ad fraud pay off.
- Clear cookies and site data:
Menu → Settings → Privacy & Security → Cookies and Site Data → Clear Data…
- Consider a Firefox profile refresh for a thorough cleanup:
Help → More Troubleshooting Information → Refresh Firefox
(This removes all extensions and themes and resets many settings to defaults, but keeps bookmarks, passwords, history, open tabs and cookies. Because cookies survive the refresh, do the "Clear Data…" step above as well. Read Mozilla's description before doing it.)
- Scan your system with a reputable security product:
Use a well-known AV/AM solution and, if you want an extra check, upload suspicious files or extensions to VirusTotal.
(Do not upload anything that may contain sensitive data.)
- Re-check sync:
If you sync Firefox:
- Remove bad extensions on one device
- Then confirm they are gone on others
- If in doubt, disconnect sync temporarily while cleaning.
How to reduce risk from malicious extensions in general
- Install extensions only from the official Mozilla Add-ons (AMO) store, and prefer ones carrying the "Recommended" badge, which Mozilla reviews manually.
- Even on AMO, avoid obscure developers or extensions with:
- Few or no reviews
- Recent updates that suddenly ask for more permissions, or a version history that looks odd (AMO shows the version history and the permissions each version requests)
- Limit the number of extensions you use; each one increases the attack surface.
- Periodically review all installed add-ons and remove those you don’t absolutely need.
If you think you were affected
- Remove the suspected extension(s).
- Follow the cleanup steps above.
- Monitor any accounts you accessed in that browser for unusual logins or activity.
- If you saw clearly malicious behavior (redirects, strange ads, unknown clicks), you might want to open a thread in the Malware Removal section on MalwareTips with logs, so members can help review your system more deeply.
In short: check the extension list in the article, remove anything affected or suspicious, clean up your browser, and keep extension use to a minimum going forward.