New Malicious Browser Extensions Discovered: Over 840,000 Downloads Across Chrome, Firefox, and Edge

A recent discovery reveals 17 malicious browser extensions that have been downloaded over 840,000 times, affecting major browsers.

Updated Jan 19, 2026
Andrew Wallace


  • LayerX identified 17 malicious browser extensions with over 840,000 downloads
  • Extensions hijacked affiliate links, injected tracking, and facilitated ad fraud
  • All extensions have been removed, but users must uninstall them manually

Security researchers from LayerX have uncovered 17 malicious extensions for Chrome, Firefox, and Edge that monitored users' internet activity and created backdoors for ongoing access. These extensions have collectively been downloaded more than 840,000 times.

This incident is part of an ongoing campaign, which LayerX links to GhostPoster, initially detected by Koi Security in December 2025.

Previously, a different set of 17 extensions was found, with a total of 50,000 downloads, performing similar malicious activities.

Here is the complete list of the identified extensions:

Google Translate in Right Click
Translate Selected Text with Google
Ads Block Ultimate
Floating Player – PiP Mode
Convert Everything
Youtube Download
One Key Translate
AdBlocker
Save Image to Pinterest on Right Click
Instagram Downloader
RSS Feed
Cool Cursor
Full Page Screenshot
Amazon Price History
Color Enhancer
Translate Selected Text with Right Click
Page Screenshot Clipper

Some of these extensions have been available since 2020, exposing users to malware through official browser repositories for years. Most of these extensions first appeared in the Edge store before being made available on Chrome and Firefox.

Notably, some extensions contain malicious JavaScript code embedded in their PNG logos, which instructs the extensions to download the main payload from a remote server. To complicate detection, the attackers designed the extensions to download the payload only 10% of the time.
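One way a defender could triage extension icons for the PNG trick described above, as an added example that is not code from LayerX, Koi Security, or the extensions themselves. The article does not say where in the PNG the script is stored, so the two checks here (bytes after the `IEND` chunk, script-like strings in text chunks) are assumptions, as are the `JS_HINTS` heuristics and the constructed sample icon.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed heuristic: byte strings that suggest script text rather than image data.
JS_HINTS = (b"function", b"eval(", b"fetch(", b"atob(", b"=>")

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def scan_png(blob: bytes) -> list[str]:
    """Walk the chunk list and report anything an icon should not contain."""
    if not blob.startswith(PNG_SIG):
        return ["not a PNG file"]
    findings, pos, seen_iend = [], len(PNG_SIG), False
    while not seen_iend and pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            findings.append(f"truncated {ctype!r} chunk")
            break
        data = blob[pos + 8:pos + 8 + length]
        # Text chunks hold metadata; code-like strings there deserve a look.
        if ctype in (b"tEXt", b"iTXt") and any(h in data for h in JS_HINTS):
            findings.append(f"script-like text in {ctype.decode()} chunk")
        seen_iend = ctype == b"IEND"
        pos = end
    if not seen_iend:
        findings.append("no IEND chunk found")
    elif pos < len(blob):
        # A decoder stops at IEND, so anything after it never renders.
        trailing = blob[pos:]
        kind = "script-like " if any(h in trailing for h in JS_HINTS) else ""
        findings.append(f"{len(trailing)} {kind}bytes after IEND")
    return findings

def sample_icons() -> tuple[bytes, bytes]:
    """Constructed 1x1 grayscale PNG, plus a copy with inert text appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    clean = (PNG_SIG + chunk(b"IHDR", ihdr)
             + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
    return clean, clean + b"\nfunction placeholder() {}  // constructed, inert"

if __name__ == "__main__":
    for name, blob in zip(("clean", "tampered"), sample_icons()):
        print(name, scan_png(blob))
```

A clean result does not clear an icon, since data can also be hidden inside pixel values; a finding is a reason to inspect the extension's code that reads the image.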

The main payload can perform various harmful actions, including hijacking affiliate links on major e-commerce sites, thereby stealing revenue from content creators.

Additionally, it injects Google Analytics tracking into every page visited and removes security headers from all HTTP responses.

Moreover, it can bypass CAPTCHA using three different methods and inject invisible iframes, primarily for ad fraud, click fraud, and tracking purposes. These iframes self-destruct after approximately 15 seconds.

While all extensions have been removed from their respective repositories, users are strongly advised to uninstall them from their browsers.

Via BleepingComputer
