A newly uncovered malware campaign known as GhostPoster has been found infecting the PNG logo files of 17 Mozilla Firefox browser extensions. The attackers embedded malicious JavaScript inside these images, enabling the malware to hijack affiliate links, inject tracking code, and ultimately take control of users’ browsers.

Researchers at Koi Security, who discovered the attack, report that the infected extensions were downloaded more than 50,000 times. According to researchers Lotan Sery and Noga Gouldman, the extensions deliver “a multi‑stage malware payload that monitors everything you browse, strips away your browser’s security protections, and opens a backdoor for remote code execution.” The first infected extension they identified was “Free VPN Forever.”

Although Mozilla has removed the compromised add‑ons from the Firefox marketplace, they remain active for anyone who may have already installed them.

How the GhostPoster Attack Works
The infection begins when a browser fetches the extension’s logo file. Hidden inside the PNG is code that extracts and executes a JavaScript loader. That loader then contacts an external server to retrieve the main payload — but only after a 48‑hour delay, a tactic designed to avoid immediate detection.

To further evade monitoring, the loader downloads only 10% of the payload per request, making the traffic appear less suspicious.
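A defender's check for this kind of image, added here as an example (it is not code from Koi Security or from this article): it walks a PNG's chunk structure and flags bytes that follow the IEND end marker, chunks with bad checksums, or a missing IEND. The article does not say where in the file GhostPoster keeps its code, so "data appended after IEND" is an assumption, and the sample images are constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def scan_png(data: bytes) -> dict:
    """Walk the chunk list; report bytes and chunks an image viewer ignores."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "bad_crc": [], "trailing_bytes": 0}
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):  # 4 length + 4 type + 4 CRC at minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            break  # declared length runs past the end of the file
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        name = ctype.decode("latin-1")
        if zlib.crc32(ctype + body) != crc:
            report["bad_crc"].append(name)
        report["chunks"].append(name)
        pos = end
        if ctype == b"IEND":  # anything after this is invisible to renderers
            report["trailing_bytes"] = len(data) - pos
            break
    report["missing_iend"] = "IEND" not in report["chunks"]
    return report

def is_suspicious(report: dict) -> bool:
    return bool(report["trailing_bytes"] or report["bad_crc"] or report["missing_iend"])

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one well-formed chunk (used only for the constructed sample)."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a valid 1x1 grayscale PNG, then the same file with
# inert placeholder text appended after IEND.
CLEAN_PNG = (PNG_SIGNATURE
             + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + make_chunk(b"IEND", b""))
APPENDED = b"// constructed placeholder text"
TAMPERED_PNG = CLEAN_PNG + APPENDED

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        r = scan_png(blob)
        print(label, r["chunks"], "trailing:", r["trailing_bytes"], "flag:", is_suspicious(r))
```

A flag from this check is a reason to inspect the file, not proof of infection, since some image tools also leave stray bytes after IEND.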

Once active, GhostPoster can silently monetize and manipulate a user’s browsing activity. It can:

  • Intercept and replace affiliate links
  • Inject tracking scripts to build user profiles
  • Load malicious sites in hidden frames
  • Bypass CAPTCHA challenges
  • Evade bot‑detection systems

This incident also highlights a recurring issue: many “free” VPNs and utilities promise privacy but instead deliver surveillance, data harvesting, or malware.

List of Infected Extensions
Koi Security identified the following compromised add‑ons:

  • Free VPN
  • Screenshot
  • Weather (weather-best-forecast)
  • Mouse Gesture (crxMouse)
  • Cache – Fast Site Loader
  • Free MP3 Downloader
  • Google Translate (google-translate-right-clicks)
  • Traductor de Google
  • Global VPN – Free Forever
  • Dark Reader Dark Mode
  • Translator – Google Bing Baidu DeepL
  • Weather (i-like-weather)
  • Google Translate (google-translate-pro-extension)
  • libertv-watch-free-videos
  • Ad Stop – Best Ad Blocker
  • Google Translate (right-click-google-translate)

Many of these extensions were marketed as ad blockers, screenshot tools, VPNs, or unofficial Google Translate utilities. The oldest, Dark Mode, dates back to October 2024.

How to Protect Yourself
If you have any of the affected extensions installed, remove them immediately. Afterward, it’s wise to reset your account passwords as a precaution.

To reduce your risk in the future:

  • Install only extensions from trusted developers
  • Limit the number of add‑ons you use
  • Review permissions carefully
  • Keep your browser and security tools updated

GhostPoster is still new, and additional infected extensions may surface. Staying selective and cautious with browser add‑ons is one of the best defenses against campaigns like this.

The Hacker News:
https://thehackernews.com/2025/12/ghostposter-malware-found-in-17-firefox.html

Tom’s Guide:
https://www.tomsguide.com/computing/online-security/multiple-firefox-add-ons-infected-with-ghostposter-malware-how-to-stay-safe
