
GhostPoster Malware Discovered in Firefox Add-ons with Over 50,000 Combined Downloads

Researchers have uncovered malicious code embedded in multiple Firefox extensions, exposing users to data theft and unwanted activity.


Security researchers have identified GhostPoster malware hidden inside 17 Firefox add-ons that together accumulated more than 50,000 downloads. The affected extensions appeared legitimate and offered common functionality, which helped them gain user trust and wide adoption. As a result, many users unknowingly installed malware directly into their browsers.

The malicious add-ons abused Firefox’s extension framework to inject unwanted scripts into users’ browsing sessions. Once installed, GhostPoster actively collected browsing data and monitored user activity. In some cases, it also redirected traffic and injected advertisements, creating both privacy and security risks.

Researchers found that the extensions requested excessive permissions during installation. These permissions allowed them to access website content, track navigation behavior, and communicate with external servers. Because many users approve permissions without review, the malware operated without raising suspicion.

GhostPoster relied on stealth rather than overtly malicious behavior. It blended its network traffic with normal browser activity and delayed certain actions to avoid detection. Consequently, traditional endpoint security tools often failed to flag the extensions as malicious.

The discovery highlights ongoing risks within browser extension ecosystems. Although official add-on stores perform security checks, attackers continue to find ways to bypass review processes. Therefore, even trusted marketplaces cannot guarantee extension safety at all times.

Security experts advise users to review installed Firefox add-ons immediately and remove any extensions they do not recognize or no longer use. Users should also pay close attention to permission requests and avoid installing extensions from unknown developers. Keeping browsers updated helps reduce exposure to known abuse techniques.

For organizations, the incident reinforces the need for browser extension controls. Enterprises should restrict extension installation and monitor browser behavior for anomalies. Without proper oversight, browser-based malware remains an effective attack vector.
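As an added example (not code from the researchers or from Mozilla), the following shows one way to carry out the review recommended above: list installed extensions that hold all-site access together with navigation or network APIs. The `extensions.json` field names, the built-in location prefixes, and the two permission sets are assumptions made for this example, and the sample data is constructed.

```python
import json

# Editor's selection of permissions matching the behaviours described above
# (read page content, track navigation, talk to external servers).
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"tabs", "webNavigation", "history", "webRequest",
                  "webRequestBlocking", "cookies", "scripting"}

# Constructed sample in the assumed shape of a profile's extensions.json;
# the add-on IDs and names are made up.
SAMPLE = json.dumps({"addons": [
    {"id": "translator@example.invalid", "type": "extension",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Quick Translator"},
     "userPermissions": {"permissions": ["tabs", "webRequest", "storage"],
                         "origins": ["<all_urls>"]}},
    {"id": "notes@example.invalid", "type": "extension",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Side Notes"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "theme@example.invalid", "type": "theme",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Dark Theme"}, "userPermissions": None},
]})


def audit_extensions(raw_json, allowlist=frozenset()):
    """Return installed extensions that can read every site, riskiest first."""
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes and dictionaries carry no script permissions
        if str(addon.get("location", "")).startswith(("app-builtin", "app-system")):
            continue  # assumed location prefixes for add-ons shipped with Firefox
        perms = addon.get("userPermissions") or {}  # may be null in the file
        origins = BROAD_ORIGINS & set(perms.get("origins", []))
        apis = SENSITIVE_APIS & set(perms.get("permissions", []))
        if not origins or addon.get("id") in allowlist:
            continue  # no all-site access, or explicitly approved
        findings.append({"id": addon.get("id"),
                         "name": (addon.get("defaultLocale") or {}).get("name"),
                         "active": bool(addon.get("active")),
                         "broad_origins": sorted(origins),
                         "sensitive_apis": sorted(apis)})
    return sorted(findings, key=lambda f: len(f["sensitive_apis"]), reverse=True)


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE):
        print(f"{f['name']} ({f['id']}): origins={f['broad_origins']} apis={f['sensitive_apis']}")
```

To audit a real installation, pass in the contents of `extensions.json` from the Firefox profile directory along with an allowlist of approved add-on IDs.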

Overall, the GhostPoster incident demonstrates how attackers exploit user trust in browser add-ons. Strong extension hygiene and ongoing monitoring remain essential to reduce browser-level threats.