A malicious campaign named GhostPoster is concealing JavaScript code within the PNG logo files of over a dozen Firefox extensions. These extensions, which have accumulated more than 50,000 downloads, use steganography to hide a loader that fetches a main payload from a remote server. The loader activates after a 48-hour delay and only attempts to retrieve the payload 10% of the time, making detection through traffic analysis more difficult.
Once deployed, the payload grants attackers high-privilege access to the browser, enabling affiliate link hijacking, Google Analytics tracking injection, and ad fraud through invisible iframes. It also strips security headers from web pages and can bypass CAPTCHA protections using three different methods. While the current malware does not directly steal passwords, its stealthy framework poses a significant privacy threat and could be used to deliver more dangerous payloads in the future.
Security researchers identified 17 compromised extensions, including popular tools for VPNs, screenshots, translation, and ad-blocking. Although Mozilla has since removed the reported extensions from its add-ons portal and updated its detection systems, users who installed any of these extensions are advised to remove them immediately and consider resetting passwords for sensitive accounts. The incident underscores the risks posed by sophisticated malware hiding within seemingly legitimate browser add-ons.
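A practitioner triaging an extension package wants a quick way to find PNG files that carry more than an image. The script below is an added example, not code from the article or from the researchers who analysed GhostPoster, and it assumes the two most common ways script text is smuggled into a PNG: stuffed into ancillary chunks (tEXt, zTXt or unknown chunk types) or appended after the IEND chunk. The article does not say which embedding the campaign used, so this is a general check rather than a signature for that malware. The sample PNGs and the sample XPI are constructed in the script itself; `JS_MARKERS`, `scan_png` and `scan_xpi` are names chosen here.

```python
import io
import re
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
# Tokens that rarely occur in legitimate image metadata but are common in loader code.
JS_MARKERS = re.compile(rb"(function\s*\(|=>|eval\(|fetch\(|XMLHttpRequest|browser\.runtime|chrome\.runtime)")


def parse_chunks(data):
    """Split a PNG into (type, payload, crc_ok) tuples and return bytes found after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks, trailing = len(PNG_SIGNATURE), [], b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            break  # truncated chunk; stop parsing
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        chunks.append((ctype, payload, crc_ok))
        pos = end + 4
        if ctype == b"IEND":
            trailing = data[pos:]  # a well-formed PNG ends here
            break
    return chunks, trailing


def scan_png(data):
    """Return a list of human-readable findings for one PNG; empty list means nothing suspicious."""
    findings = []
    chunks, trailing = parse_chunks(data)
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin1")
        if not crc_ok:
            findings.append(f"bad CRC on {name} chunk")
        if ctype in CRITICAL_CHUNKS:
            continue
        body = payload
        if ctype == b"zTXt":  # keyword, NUL, compression method byte, zlib stream
            try:
                body = zlib.decompress(payload[payload.index(b"\x00") + 2:])
            except (ValueError, zlib.error):
                pass
        if JS_MARKERS.search(body):
            findings.append(f"script-like text in {name} chunk ({len(body)} bytes)")
    if trailing:
        findings.append(f"{len(trailing)} trailing bytes after IEND")
        if JS_MARKERS.search(trailing):
            findings.append("script-like text after IEND")
    return findings


def scan_xpi(xpi_bytes):
    """Scan every PNG inside an extension package (an XPI is a zip) and map member name to findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        for member in z.namelist():
            if member.lower().endswith(".png"):
                try:
                    findings = scan_png(z.read(member))
                except ValueError as exc:
                    findings = [str(exc)]  # .png name but not a PNG is itself worth a look
                if findings:
                    report[member] = findings
    return report


# --- constructed samples (not real extension artefacts) ---
def make_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)


def minimal_png(extra_chunks=(), trailing=b""):
    """Build a valid 1x1 white RGB PNG, optionally with extra ancillary chunks or trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one pixel
    body = make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += make_chunk(ctype, payload)
    return PNG_SIGNATURE + body + make_chunk(b"IEND", b"") + trailing


SAMPLE_LOADER = b"(function(){fetch('https://example.invalid/p')})()"  # constructed, inert text
CLEAN_PNG = minimal_png()
TEXT_HIDDEN_PNG = minimal_png(extra_chunks=[(b"tEXt", b"Comment\x00" + SAMPLE_LOADER)])
ZTXT_HIDDEN_PNG = minimal_png(extra_chunks=[(b"zTXt", b"Comment\x00\x00" + zlib.compress(SAMPLE_LOADER))])
TRAILING_HIDDEN_PNG = minimal_png(trailing=b"\n<!--const f=()=>1-->")


def build_sample_xpi():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", '{"manifest_version": 2, "name": "sample"}')
        z.writestr("icons/clean.png", CLEAN_PNG)
        z.writestr("icons/logo.png", TEXT_HIDDEN_PNG)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_xpi(build_sample_xpi()).items():
        print(member, "->", "; ".join(findings))
```

Run it against an unpacked or zipped extension and review every flagged image by hand; a tEXt chunk with a copyright string is normal, a tEXt chunk containing `fetch(` is not. The check only covers metadata chunks and appended bytes, so it will not find data hidden in pixel values (LSB steganography); for that, decoding the image and comparing it against the version published in the extension's source repository is the practical route.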
