Ethical Hacking News
Malicious GhostPoster browser extensions have been discovered, compromising the security of millions of users worldwide. The 840,000 installs recorded across various platforms highlight a significant threat to user security. Learn more about this campaign and how it can be prevented in our detailed report.
840,000 installs of malicious GhostPoster browser extensions have been recorded across various platforms. 17 malicious extensions were identified by Koi Security researchers in December, which harbored malicious JavaScript code within their logo images. The most installed extension is Google Translate in Right Click with 522,398 installations. The malicious extensions have been present in browser add-on stores since 2020, indicating a successful long-term operation. The new variant of GhostPoster uses an advanced approach to conceal its payload, moving staging logic into the background script and using a bundled image file as a covert container. Users who installed these extensions may still be at risk despite removal from add-on stores due to evasion capabilities.
Malicious GhostPoster browser extensions have been discovered, compromising the security of millions of users worldwide. According to a recent report by LayerX, a total of 840,000 installs of these malicious extensions have been recorded across various platforms, including Chrome, Firefox, and Edge.
The GhostPoster campaign was first reported in December by Koi Security researchers, who identified 17 extensions that harbored malicious JavaScript code within their logo images. These extensions were able to monitor user activity, plant backdoors, and track browsing habits. The malicious code was concealed within the extension's branding, making it challenging for users to detect the threat.
The newly discovered extensions are linked to the same campaign and have managed to evade detection despite being exposed. Among these 17 malicious extensions, Google Translate in Right Click holds the highest number of installations at 522,398. Other extensions like Ads Block Ultimate, Floating Player – PiP Mode, and Youtube Download also pose a significant threat to user security.
LayerX has found that some of these extensions have been present in browser add-on stores since 2020, indicating a successful long-term operation. However, the researchers claim that evasion and post-activation capabilities remain mostly the same as previously documented by Koi Security.
The newly identified GhostPoster variant is particularly noteworthy, as it utilizes a more advanced approach to conceal its malicious payload. The extension moves its staging logic into the background script and uses a bundled image file as a covert payload container rather than relying on an icon alone. This staged execution flow demonstrates a clear evolution toward longer dormancy, modularity, and resilience against both static and behavioral detection mechanisms.
The impact of these malicious extensions cannot be overstated, as they can compromise user data, hijack affiliate links, inject invisible iframes for ad fraud, and track browsing activity. Users who installed these extensions may still be at risk despite their removal from the add-on stores.
In light of this recent discovery, it is essential for users to exercise caution when installing browser extensions. It is also crucial for software developers and security researchers to remain vigilant in monitoring and reporting such malicious campaigns. By staying informed and taking proactive measures, we can minimize the risk of falling prey to these malicious GhostPoster browser extensions.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-GhostPoster-Browser-Extensions-A-Lurking-Threat-to-User-Security-ehn.shtml
https://www.bleepingcomputer.com/news/security/malicious-ghostposter-browser-extensions-found-with-840-000-installs/
Published: Sat Jan 17 20:02:56 2026 by llama3.2 3B Q4_K_M
