- LayerX found 17 malicious browser extensions with more than 840,000 downloads
- Extensions hijacked affiliate links, injected tracking, and enabled ad fraud
- All extensions removed, but users need to uninstall them manually
LayerX security researchers have discovered 17 extensions for Chrome, Firefox and Edge browsers that monitored people’s Internet activity and installed backdoors for persistent access. In total, the extensions were downloaded more than 840,000 times.
This is not a new campaign. In fact, LayerX claims that this is the continuation of GhostPoster, a campaign first discovered by Koi Security in mid-December 2025.
Back then, researchers found a different set of 17 extensions, cumulatively downloaded 50,000 times, that did the same thing: monitor behavior and install backdoors.
GhostPoster
Here is the complete list of all discovered extensions:
- Google Translate with right click
- Translate selected text with Google
- Ads Block Ultimate
- Floating Player – PiP Mode
- Convert all
- Youtube Download
- Translate with a single key
- Ad blocker
- Save image to Pinterest with right click
- Instagram Downloader
- RSS Feed
- cool cursor
- Full page screenshot
- Amazon price history
- Color enhancer
- Translate selected text with right click
- Page Screenshot Trimmer
Among this new batch are some extensions that were first uploaded in 2020, meaning people have been exposed to malware in official browser repositories for years. The Edge store appears to be where most of these extensions first appeared, and later expanded to Chrome and Firefox as well.
Some of the extensions store malicious JavaScript code in their PNG logo file. The code serves as instructions on how to download the main payload from a remote server. To make detection and attribution difficult, the attackers made the extensions download the main payload only 10% of the time.
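A defender's check for the PNG technique described above, as an added example that is not from LayerX or the original article: it walks a logo file's PNG chunks and flags bytes after the IEND end marker, a missing IEND, failed chunk checksums, or script-like text. The article does not say how the code is embedded, so the appended-data form, the hint tokens and the sample files are assumptions constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Heuristic tokens that suggest script text (assumed; not indicators from the article).
SCRIPT_HINTS = (b"function", b"eval(", b"fetch(", b"atob(", b"=>")

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png() -> bytes:
    """Constructed sample: a valid 1x1 grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed samples: a clean logo and the same logo with text appended after IEND.
CLEAN_LOGO = make_png()
TAMPERED_LOGO = CLEAN_LOGO + b"function demo(){ /* constructed sample */ }"

def scan_png(data: bytes) -> dict:
    """Walk the chunk list and collect everything that is not plain image data."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    report = {"trailing": b"", "bad_crc": [], "text_chunks": [], "saw_iend": False}
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            break  # truncated or corrupt chunk: the rest is reported as trailing
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            report["bad_crc"].append(ctype.decode("latin-1"))
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            report["text_chunks"].append(body)
        pos = end
        if ctype == b"IEND":
            report["saw_iend"] = True
            break
    report["trailing"] = data[pos:]  # anything a PNG decoder would ignore
    return report

def is_suspicious(data: bytes) -> bool:
    r = scan_png(data)
    blobs = [r["trailing"], *r["text_chunks"]]
    hinted = any(h in b for b in blobs for h in SCRIPT_HINTS)
    return bool(r["trailing"]) or bool(r["bad_crc"]) or not r["saw_iend"] or hinted
```

Run `is_suspicious()` over the bytes of each image file in an unpacked extension directory; a hit means the file needs manual review, not that it is malicious.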
The main payload can do all kinds of things. Firstly, it hijacks affiliate links on major e-commerce sites, stealing money directly from content creators.
It then injects Google Analytics tracking into each page the user visits and strips security headers from all HTTP responses.
Finally, it can bypass CAPTCHA using three separate mechanisms and can inject invisible iframes, mainly used for ad fraud, click fraud and tracking. These iframes self-destruct after approximately 15 seconds.
All of the extensions have since been removed from their respective repositories, but users who installed them are advised to uninstall them from their browsers manually.
Via BleepingComputer




