GhostPoster malware resurges via popular browser extensions with 840k installs

Researchers found 17 GhostPoster-linked extensions in Chrome, Firefox, and Edge totaling about 840,000 installs. The extensions hide malicious JavaScript in their logos to monitor browser activity, hijack affiliate links, and inject invisible iframes for ad and click fraud, pulling a heavily obfuscated payload from an external resource. LayerX reports a more advanced variant that moves the payload into the extension’s background script and stores it inside a bundled image, improving dormancy and evasion. Some extensions have been removed from Mozilla and Microsoft stores; Google has removed them from Chrome Web Store, but users who installed them may still be at risk. The campaign originated on Edge and later spread to other browsers, and the researchers say it remains active.
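A defender-side check for the technique summarised above, as an added example that is not from the article or from LayerX: it walks each PNG bundled in an unpacked extension and reports bytes stored after the IEND chunk. The summary does not say how the script is embedded in the image, so appended data is an assumption here, and the function names, keyword list and sample bytes are constructed for illustration.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed keyword heuristics, not indicators taken from the report.
JS_HINTS = (b"function", b"eval(", b"atob(", b"fetch(", b"document.")

def chunk(ctype: bytes, body: bytes = b"") -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC32 over type + body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def trailing_data(data: bytes) -> bytes:
    """Walk the chunk list, verify each CRC, and return whatever follows IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[pos + 4:end - 4]) != stored_crc:
            raise ValueError("bad chunk CRC")
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk")

def triage(data: bytes) -> dict:
    """Summarise the data found after IEND in one image."""
    extra = trailing_data(data)
    return {"trailing_bytes": len(extra),
            "js_hints": [h.decode() for h in JS_HINTS if h in extra]}

def scan_extension_dir(root: str) -> dict:
    """Return only the PNGs under root that carry trailing data or fail to parse."""
    findings = {}
    for path in Path(root).rglob("*.png"):
        try:
            result = triage(path.read_bytes())
        except ValueError as err:
            result = {"error": str(err)}
        if result.get("trailing_bytes") or "error" in result:
            findings[str(path)] = result
    return findings

# Constructed samples: a 1x1 grayscale PNG, and the same file with script text appended.
CLEAN = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
         + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND"))
TAMPERED = CLEAN + b"(function(){fetch('https://example.invalid/p')})();"
```

A clean result does not clear an extension, since a payload can also sit in pixel data or ancillary chunks, which this check does not inspect.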
- Malicious GhostPoster browser extensions found with 840,000 installs (BleepingComputer)
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts (The Hacker News)
- End-point Security - Managing browser extension exploits (teiss)
- GhostPoster Browser Malware Hid for 5 Years With 840,000 Installs (Hackread)
- Threat Actors Abuse Browser Extensions to Deliver Fake Warning Messages (gbhackers.com)