17 Malicious Browser Extensions Uncovered: A Real Threat to Your Data and Account Security

Cybersecurity researchers recently uncovered 17 malicious extensions that had infiltrated popular browsers. These are not minor annoyances: they are real threats that target your personal data and access to sensitive accounts. Let’s delve deeper.

Threats Spreading in Official Repositories

This discovery, made by LayerX, is not an isolated incident. It is a continuation of a malicious campaign previously identified as GhostPoster, which has been active since mid-December 2025. These extensions, with a total of 50,000 downloads, had been hiding in official browser repositories for years. Most first appeared on Microsoft Edge before eventually spreading to Chrome and Firefox.

Clever Modus Operandi of the Attackers

How did they hide their malicious code? The attackers used very cunning techniques. One method was to store malicious JavaScript code inside the extension’s logo file itself. This code served as the initial instructions for downloading the main payload from a remote server. To avoid detection, they limited these downloads to only 10% of execution time, making them extremely difficult to track.

What Can the Malicious Payload Do?

Once the main payload is successfully downloaded, the impact can be devastating:

  • Stealing Affiliate Commissions: They infiltrated affiliate links on major e-commerce sites, pocketing financial benefits that should rightfully go to content creators.
  • Tracker Insertion: Every webpage you visit will have Google Analytics trackers inserted, spying on your activity without permission.
  • Deletion of Security Headers: Important security headers from all HTTP responses will be deleted, making your connections more vulnerable.
  • Bypassing CAPTCHAs: With three different mechanisms, they could bypass CAPTCHA systems, opening the door for suspicious automated activities.
  • Hidden iframes for Fraud: Inserting invisible iframes used for ad fraud, fake clicks, and deep tracking. Interestingly, these iframes are designed to self-destruct after about 15 seconds, making forensic analysis a nightmare.

Extensions to Watch Out For

Although they have now been removed from extension stores, it’s important to know the names involved so you can be more vigilant in the future:

  • Google Translate in Right Click
  • Translate Selected Text with Google
  • Ads Block Ultimate
  • Floating Player – PiP Mode
  • Convert Everything
  • Youtube Download
  • One Key Translate
  • AdBlocker
  • Save Image to Pinterest on Right Click
  • Instagram Downloader
  • RSS Feed
  • Cool Cursor
  • Full Page Screenshot
  • Amazon Price History
  • Color Enhancer
  • Translate Selected Text with Right Click
  • Page Screenshot Clipper

Concrete Steps for Self-Protection

LayerX has reported these findings, and browsers have moved quickly to remove these extensions. However, as a smart user, you are still obligated to take preventive measures:

  • Audit Your Extensions: Immediately check the list of extensions installed on your browser (Chrome, Firefox, Edge, etc.). Remove any extensions you don’t recognize or no longer need, especially those on the list above.
  • Read Extension Permissions Carefully: Before installing a new extension, pay attention to the permissions it requests. If a translation extension asks for access to all data on the websites you visit, that’s a major red flag.
  • Download from Trusted Sources: Always download extensions directly from your browser’s official extension store. Avoid downloading from unverified third-party sites.
  • Update Your Browser and Security Software: Ensure your browser and operating system are always updated to the latest versions. These often include important security patches.
  • Be Wary of Scams: If you notice any strange behavior on websites, such as unusual pop-ups or unwanted redirects, investigate immediately.
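
The first two steps above (auditing installed extensions and checking their permissions) can be scripted. The Python below is an added example, not code from LayerX or from the original article. It assumes the unpacked Chromium layout used by Chrome and Edge, `<Extensions>/<id>/<version>/manifest.json`, and the function names are illustrative.

```python
import json
from pathlib import Path

# Names from the article's list; a match is a prompt to review, not proof.
FLAGGED = {n.lower() for n in (
    "Google Translate in Right Click", "Translate Selected Text with Google",
    "Ads Block Ultimate", "Floating Player – PiP Mode", "Convert Everything",
    "Youtube Download", "One Key Translate", "AdBlocker",
    "Save Image to Pinterest on Right Click", "Instagram Downloader",
    "RSS Feed", "Cool Cursor", "Full Page Screenshot", "Amazon Price History",
    "Color Enhancer", "Translate Selected Text with Right Click",
    "Page Screenshot Clipper")}
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every site

def display_name(manifest, ext_dir):
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    try:
        locale = manifest.get("default_locale", "en")
        path = ext_dir / "_locales" / locale / "messages.json"
        msgs = json.loads(path.read_text(encoding="utf-8-sig"))
        key = name[6:-2].lower()  # message keys are case-insensitive
        return next(v["message"] for k, v in msgs.items() if k.lower() == key)
    except Exception:  # missing or malformed locale file: keep the raw name
        return name

def audit(extensions_root):
    """Return (name, directory, reasons) for each extension worth reviewing."""
    findings = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            m = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip rather than abort the audit
        name = display_name(m, mf.parent)
        patterns = m.get("permissions", []) + m.get("host_permissions", [])
        for cs in m.get("content_scripts", []):
            patterns += cs.get("matches", [])
        reasons = []
        if name.strip().lower() in FLAGGED:
            reasons.append("name on the article's list")
        if BROAD & {p for p in patterns if isinstance(p, str)}:
            reasons.append("can access all sites")
        if reasons:
            findings.append((name, str(mf.parent), reasons))
    return findings
```

Call `audit()` with the `Extensions` directory inside the browser profile; the profile path is shown on `chrome://version` or `edge://version`. Several names on the list are generic, so a name match on its own means "look closer", and many legitimate extensions also request access to all sites.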

Digital security is a shared responsibility. With awareness and proper precautions, we can minimize risks and keep our online experience safe and productive.
