Original Article Text


Malicious GhostPoster browser extensions found with 840,000 installs

Another set of 17 malicious extensions linked to the GhostPoster campaign has been discovered in Chrome, Firefox, and Edge stores, where they accumulated a total of 840,000 installations.

The GhostPoster campaign was first reported by Koi Security researchers in December. They found 17 extensions that were hiding malicious JavaScript code in their logo images, which monitored browser activity and planted a backdoor. The code fetches a heavily obfuscated payload from an external resource, which tracks the victim’s browsing activity, hijacks affiliate links on major e-commerce platforms, and injects invisible iframes for ad fraud and click fraud.

A new report from browser security platform LayerX indicates that the campaign is still ongoing despite being exposed, and the following 17 extensions are part of it:

According to the researchers, the campaign originated on Microsoft Edge and then expanded to Firefox and Chrome. LayerX found that some of the above extensions have been present in browser add-on stores since 2020, indicating a successful long-term operation.

Although evasion and post-activation capabilities remain mostly the same as previously documented by Koi, LayerX has identified a more advanced variant in the ‘Instagram Downloader’ extension. The difference consists of moving the malicious staging logic into the extension’s background script and using a bundled image file as a covert payload container rather than only an icon.

At runtime, the background script scans the image’s raw bytes for a specific delimiter (>>>>), extracts and stores the hidden data in local extension storage, then later Base64-decodes and executes it as JavaScript.

“This staged execution flow demonstrates a clear evolution toward longer dormancy, modularity, and resilience against both static and behavioral detection mechanisms,” comments LayerX about the newest GhostPoster variant.
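For triage of an unpacked extension, the delimiter-and-Base64 staging described above can be checked for directly in bundled image bytes. The following is an added example, not code from LayerX, Koi Security or the original article; the function names, the 16-character minimum, the 0.9 text ratio and the PNG trailing-data check are assumptions made for illustration, and the sample images are constructed.

```python
import base64
import binascii
import struct
import zlib

DELIMITER = b">>>>"  # marker the background script searches for, per the report
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
B64_CHARS = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def png_end(data: bytes) -> int:
    """Return the offset just past the IEND chunk (len(data) if not a parseable PNG)."""
    if not data.startswith(PNG_MAGIC):
        return len(data)
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            return min(pos, len(data))
    return len(data)

def scan_image(data: bytes, min_len: int = 16) -> dict:
    """Report DELIMITER hits that are followed by Base64 decoding to mostly text."""
    result = {"trailing_bytes": len(data) - png_end(data), "hits": []}
    idx = data.find(DELIMITER)
    while idx != -1:
        start = end = idx + len(DELIMITER)
        while end < len(data) and data[end] in B64_CHARS:
            end += 1
        blob = data[start:end].rstrip(b"=")
        blob += b"=" * (-len(blob) % 4)  # restore padding before strict decoding
        try:
            decoded = base64.b64decode(blob, validate=True) if len(blob) >= min_len else b""
        except binascii.Error:
            decoded = b""
        text = decoded.decode("utf-8", "replace")
        if text and sum(c.isprintable() or c.isspace() for c in text) / len(text) > 0.9:
            result["hits"].append({"offset": idx, "preview": text[:60]})
        idx = data.find(DELIMITER, idx + 1)
    return result

def chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed sample: a 1x1 PNG, then the same PNG with a harmless marker string appended.
CLEAN_PNG = (PNG_MAGIC + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
TAMPERED_PNG = CLEAN_PNG + DELIMITER + base64.b64encode(b"/* constructed benign marker text */")
print(scan_image(TAMPERED_PNG))
```

A hit is a reason to inspect the extension's background script, not a verdict: the scanner only shows that an image carries text-like Base64 after the marker.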
The researchers said that the newly identified extensions are no longer present in Mozilla's and Microsoft's add-on stores. However, users who installed them in their browsers may still be at risk. BleepingComputer has contacted Google about the extensions being present in the Chrome Web Store, and a spokesperson confirmed that all of them have been removed.

Daily Brief Summary

MALWARE // GhostPoster Browser Extensions Removed After 840,000 Installs

Researchers discovered 17 malicious browser extensions linked to the GhostPoster campaign, collectively installed 840,000 times across Chrome, Firefox, and Edge.

These extensions concealed malicious JavaScript in logo images, enabling browser activity monitoring and backdoor installation.

The campaign originated on Microsoft Edge, later expanding to Firefox and Chrome, with some extensions active since 2020.

Advanced variants, such as the 'Instagram Downloader,' employ sophisticated techniques to evade detection and execute malicious code.

The malicious extensions have been removed from Mozilla's and Microsoft's stores, but users with prior installations remain at risk.

Google confirmed the removal of these extensions from the Chrome Web Store following exposure by security researchers.

The ongoing campaign illustrates the evolving threat landscape of browser-based malware and the need for vigilant security practices.