- LayerX found 17 malicious browser extensions with over 840,000 downloads
- Extensions hijacked affiliate links, injected tracking, and enabled ad fraud
- All extensions removed, but users must uninstall them manually
Security researchers at LayerX discovered 17 extensions for the Chrome, Firefox and Edge browsers that monitored users' internet activity and installed backdoors for persistent access. In total, the extensions have been downloaded more than 840,000 times.
This is not a new campaign. In fact, LayerX claims that it is the sequel to GhostPoster, a campaign first discovered by Koi Security in mid-December 2025.
At the time, investigators discovered a different set of 17 extensions, downloaded a total of 50,000 times, that did the same thing: monitor behavior and install backdoors.
GhostPoster
Here is the complete list of all discovered extensions:
- Google Translate right click
- Translate selected text with Google
- Ads Block Ultimate
- Floating Player – PiP Mode
- Convert everything
- YouTube Download
- A translation key
- Ad blocker
- Save image to Pinterest with right click
- Instagram downloader
- RSS feed
- Cool slider
- Full page screenshot
- Amazon Price History
- Color enhancer
- Translate selected text with right click
- Page Screenshot Cutter
Among this new batch, some extensions were downloaded for the first time in 2020, meaning users have been exposed to malware on official browser repositories for years. The Edge store seems to be where most of these extensions first appeared, later spreading to Chrome and Firefox as well.
Some extensions store malicious JavaScript code in the PNG logo. The code serves as instructions on how to download the main payload from a remote server. To make detection and attribution more difficult, the attackers made the extensions download the main payload only 10% of the time.
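A defender-side check for the technique described above, as an added example that is not from LayerX or the original article: it parses an extension's PNG icon and reports script-like bytes carried in ancillary chunks or after the IEND chunk. The article does not say where in the PNG the code sits, so both locations, the `JS_HINTS` token list and the constructed `sample_png` input are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Heuristic markers of script text (assumption; tune for your environment).
JS_HINTS = (b"function", b"eval(", b"fetch(", b"atob(", b"=>", b"document.")

def png_chunks(data):
    """Yield (type, body, end_offset) per chunk; raise ValueError if malformed."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("bad CRC")
        yield ctype, body, end
        if ctype == b"IEND":
            return
        pos = end
    raise ValueError("missing IEND")

def audit_icon(data):
    """Return (location, size, matched_hints) for bytes outside the image data."""
    findings, end = [], 0
    for ctype, body, end in png_chunks(data):
        if ctype in (b"IHDR", b"PLTE", b"IDAT", b"IEND"):
            continue  # header and compressed pixel data, not inspected here
        hits = [h.decode() for h in JS_HINTS if h in body]
        if hits:
            findings.append(("chunk:" + ctype.decode("latin-1"), len(body), hits))
    trailer = data[end:]
    if trailer:  # a decoder stops at IEND, so anything after it is never rendered
        hits = [h.decode() for h in JS_HINTS if h in trailer]
        findings.append(("after-IEND", len(trailer), hits))
    return findings

def chunk(ctype, body=b""):
    crc = struct.pack(">I", zlib.crc32(ctype + body))
    return struct.pack(">I", len(body)) + ctype + body + crc

def sample_png(trailer=b""):
    """Constructed 1x1 grayscale PNG with optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND") + trailer
```

To triage an installed extension, pass the bytes of each icon file in its unpacked directory to `audit_icon`; any `after-IEND` finding is worth a manual look even when no hint matched.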
The main payload can do all sorts of things. Above all, it hijacks affiliate links on major e-commerce sites, thereby stealing money directly from content creators.
Then it injects Google Analytics tracking into every page the user visits and removes security headers from all HTTP responses.
Finally, it can bypass CAPTCHA using three separate mechanisms and inject invisible iframes, mainly used for ad fraud, click fraud and tracking. These iframes self-destruct after about 15 seconds.
In the meantime, all extensions have been removed from their respective repositories, but users are still advised to remove them from their browsers.
Via BleepingComputer




