Back to articles

Sleeper extensions go cross-browser: how to find hidden malware in your Firefox, Chrome, and Edge add-ons

17 malicious sleeper extensions found across Firefox, Chrome, and Edge with 840K downloads. They hid malware in images for up to 5 years undetected.

Maxim Kosterin
8 min read

You picked Firefox because you care about privacy. Maybe you even avoided Chrome extensions entirely. Good instincts — but it's no longer enough. The malware authors have caught up.

Security researchers at LayerX Security recently discovered 17 malicious extensions with over 840,000 combined downloads across Firefox, Chrome, and Microsoft Edge. These aren't the typical low-effort copycats that get yanked from the store in a week. Some of these extensions sat undetected for up to five years, silently collecting browsing data while looking completely harmless.

What the GhostPoster campaign actually does

The extensions are part of a broader operation that researchers link to a threat group called DarkSpectre. This particular wave — dubbed "GhostPoster" — is the latest in a series of campaigns (the others being ShadyPanda and Zoom Stealer) that share infrastructure and techniques.

Here's what makes GhostPoster different from the malicious extensions I usually write about: it uses steganography. That's the practice of hiding data inside other files — in this case, hiding malicious JavaScript inside image files bundled with the extension.

When you install one of these extensions, it looks normal. The code files pass automated review. The images look like regular PNG logos. But at runtime, the extension reads those image files, decodes hidden payloads from the binary data, and executes them.

According to Malwarebytes, "newer variants moved beyond simple PNG icons to embedding payloads in arbitrary images inside the extension bundle, then decoding and decrypting them at runtime."

That's a significant evolution. Standard code scanners won't flag a PNG file. Antivirus tools typically ignore image assets inside extensions. The malicious code only exists in memory after decryption — it never appears as readable JavaScript in the extension package itself.

Think about what that means for the review process. Google, Mozilla, and Microsoft all scan extension code before approving it for their stores. They look at JavaScript files for suspicious patterns — calls to known malware domains, obfuscated eval statements, encoded strings. But a PNG file? That's an asset. It gets treated like any other image. The review pipeline doesn't parse image binary data looking for encrypted JavaScript payloads.

This is likely how these extensions survived store review and stayed published for years. The actual malicious behavior was invisible to both automated scanning and manual code review.

What data gets collected

Once active, these sleeper extensions collect:

  • Visited websites — your full browsing history
  • Search queries — everything you type into search engines
  • Shopping behavior — product pages, carts, purchases

They also perform affiliate link hijacking (replacing legitimate referral codes with the attacker's), ad fraud, and click fraud through invisible iframes loaded in the background.

None of this shows up in your browsing experience. The extensions continue working as advertised. There's no slowdown, no weird popups, no broken pages. The only sign something is wrong exists in the network traffic — and most people never look at that.

That's the insidious part. A traditional phishing page or a fake download — those are one-time attacks. You either fall for it or you don't. A sleeper extension is a continuous tap on your data. Every site you visit, every search you run, every product you look at — all of it flowing to an attacker's server, day after day, for months or years.

Why Firefox users should pay attention

This is the part that changes things. Until now, the DarkSpectre campaigns primarily targeted Chrome and Edge. Firefox was the safe harbor — or at least that's what people assumed.

According to security researchers, the GhostPoster campaign specifically expanded to Firefox, adapting the steganography technique to work with Firefox's extension architecture. Mozilla and Microsoft have since removed the flagged add-ons from their stores, but there's an important difference in how the browsers handle removal.

Mozilla auto-disables removed add-ons. If Mozilla flags and removes an extension, it gets deactivated on your machine automatically. That's a strong safety net.

Chrome and Edge do not. If Google or Microsoft removes an extension from their store, your already-installed copy keeps running. You have to manually uninstall it. If you don't know there's a problem, you won't.

That asymmetry matters. It means Chrome and Edge users who installed any of these 17 extensions could still be running compromised code right now, even though the store listings are gone.

And the cross-browser expansion itself is telling. DarkSpectre didn't bother with Firefox before — presumably because Chrome's market share made it a more efficient target. The fact that they invested in adapting their toolkit for Firefox suggests either that Chrome's defenses are getting harder to bypass, or that the group is scaling up its operations across all platforms. Neither interpretation is reassuring.

How to protect yourself

1. Review every extension you haven't touched in a while

The whole point of a sleeper extension is that you forget about it. Open your extension management page — chrome://extensions/, edge://extensions/, or about:addons in Firefox — and actually look at what's there. If you can't remember why you installed something, remove it. If you installed it more than a year ago and haven't thought about it since, that's a candidate for removal.

2. Check when extensions last updated

Sleeper extensions often stop receiving updates once deployed. An extension that hasn't been updated in two or more years but still has broad permissions is a red flag. Legitimate developers push updates — even if only to bump a dependency or adjust to browser API changes. Abandoned extensions are either neglected or deliberately frozen to avoid triggering review.

3. Be skeptical of small, unknown developers

The GhostPoster extensions came from developer accounts with no track record. No website, no other published extensions, no community presence. That doesn't automatically mean danger — every developer starts somewhere — but combined with broad permissions and no recent updates, it's a pattern worth acting on.

Look at the developer's profile page in the store. Does the listed website actually work? Does it match the extension's purpose? A "productivity tool" from a developer whose website is a parked domain is worth investigating further.

4. Watch for extensions that request more than they need

An extension that saves bookmarks doesn't need access to "all your data on all websites." A tab organizer doesn't need webRequest permissions. When the permissions don't match the stated purpose, something is off. The GhostPoster extensions needed broad permissions to function as data collectors, not because their advertised features required them.

5. Don't assume your browser choice protects you

Firefox is a genuinely privacy-focused browser with strong defaults. But extensions run with the permissions you grant them, regardless of the browser. A malicious extension on Firefox has the same access to your browsing data as one on Chrome. Browser choice is one layer of defense, not a complete solution.

6. Use a tool that monitors across all your browsers

Manually auditing extensions works for a handful, but if you're running extensions across Chrome, Firefox, and Edge — which many power users do — keeping track gets complicated. Extenshi's catalog lets you look up extensions by name or ID to see their security profile, including permission analysis and risk indicators. That's more reliable than guessing based on store ratings, and it works across all major browsers.

Five years is a long time to go unnoticed

That's the detail that sticks with me. Five years. Some of these extensions were collecting browsing data for half a decade before anyone flagged them.

One-time vetting at install isn't enough. Extensions change. They get acquired by new owners. They receive silent updates that add new capabilities. The extension you vetted two years ago may not be the same extension running on your machine today.

Continuous monitoring is the only approach that accounts for this reality. You need something that watches what your extensions are doing over time — not just what they said they'd do when you first clicked "Add to browser."

The GhostPoster campaign is a reminder that no browser is immune, no extension store review process is perfect, and no user is too careful to be targeted. The best defense is staying aware and checking regularly.

Look up your installed extensions across all your browsers on Extenshi's catalog — it's the fastest way to see if anything you're running has been flagged.

Scan your extensions →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Sources: Malwarebytes — Firefox joins Chrome and Edge as sleeper extensions spy on users; LayerX Security Research

Related Articles