GhostPoster Malware Campaign Compromises 17 Firefox Add-ons
These articles are AI-generated summaries. Please check the original sources for full details.
GhostPoster Malware Found in Firefox Add-ons
A new malware campaign, GhostPoster, infiltrated 17 Mozilla Firefox add-ons, impacting over 50,000 users. The malicious code was hidden within logo files and designed to steal affiliate revenue, track users, and commit ad fraud.
Why This Matters
Ideal software security models assume code integrity, but in reality, supply chain attacks like GhostPoster bypass traditional defenses. The economic incentive for ad fraud and affiliate hijacking drives these attacks; a successful campaign can generate significant revenue for attackers while costing legitimate businesses millions in lost commissions and damaging user trust.
Key Insights
- 50,000+ Downloads: Total combined downloads of the compromised add-ons as of December 17, 2025.
- Steganography: The malware uses steganography, hiding malicious JavaScript code within image files (logo files) – a technique to evade detection.
- Delayed Execution: Malware activation is delayed for up to six days to avoid immediate detection and analysis.
Practical Applications
- Use Case: Attackers targeting free VPN and utility extensions to monetize traffic through ad fraud and data collection.
- Pitfall: Users installing extensions from untrusted sources or with excessive permissions, creating potential entry points for malware.