- LayerX found 17 malicious browser extensions with 840,000+ downloads
- Extensions hijacked affiliate links, injected tracking and enabled ad fraud
- All extensions removed, but users must uninstall them manually
Security researchers LayerX have discovered 17 extensions for Chrome, Firefox and Edge browsers that monitored people’s internet activity and installed backdoors for persistent access. In total, the extensions were downloaded more than 840,000 times.
This is not a new campaign. In fact, LayerX claims that this is the continuation of GhostPoster, a campaign that was first detected by Koi Security in mid-December 2025.
At the time, investigators found another set of 17 extensions, cumulatively downloaded 50,000 times, that did the same thing – monitored behavior and installed backdoors.
GhostPosters
Here is the full list of all detected extensions:
Google Translate with right click
Translate selected text with GoogleAds Block Ultimate
Floating Player – PiP mode
Convert everything
Youtube download
One Key Translate
AdBlocker
Save image on Pinterest by right-clicking
Instagram downloader
RSS feed
Cool marker
Screenshot of the entire page
Amazon Price History
Color enhancer
Translate selected text with right click
Page Screenshot Clipper
Among this new batch are some extensions that were first uploaded in 2020, meaning people have been exposed to malware on official browser repositories for years. Edge’s store seems to be where most of these extensions first appeared, and later they extended to Chrome and Firefox as well.
Some of the extensions store malicious JavaScript code in the PNG logo. The code serves as instructions on how to download the main payload from a remote server. To make detection and attribution more difficult, the attackers made the extensions download the primary payload 10% of the time.
The main payload can do all sorts of things. First of all, it hijacks affiliate links on major e-commerce sites – and steals money directly from content creators.
It then injects Google Analytics tracking into every page the user visits and strips security headers from all HTTP responses.
Finally, it can bypass CAPTCHA using three separate mechanisms and can inject invisible iframes that are mostly used for ad fraud, click fraud and tracking. These iframes self-destruct after about 15 seconds.
Meanwhile, all extensions were removed from their respective archives, but users are still advised to remove them from their browsers.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
