What happened
Malicious GhostPoster browser extensions were found with over 840,000 installs across the Chrome, Firefox, and Edge stores. Koi Security researchers first reported 17 extensions in December 2025, noting that malicious JavaScript was hidden in logo images to monitor browser activity and deploy backdoors. LayerX researchers later identified ongoing campaigns, including an advanced variant in the “Instagram Downloader” extension that moved payload logic into the background script and used image files to evade detection. The extensions tracked browsing activity, hijacked affiliate links, and injected iframes for ad fraud and click fraud. Several extensions had persisted since 2020, showing long-term operations. Although the extensions have been removed from the Mozilla and Microsoft stores, users who installed them remain potentially at risk.
Who is affected
End users and enterprises with employees who installed the affected GhostPoster extensions are directly impacted. These installs create indirect exposure through compromised browser sessions and potential data exfiltration.
Why CISOs should care
Browser extensions run inside trusted user environments, often bypassing endpoint security. Large-scale abuse exposes organizations to data theft, click fraud, and indirect compromise of enterprise systems.
3 practical actions
- Audit and restrict browser extensions: Review installed extensions and enforce allowlists across enterprise-managed browsers.
- Limit extension permissions: Block unnecessary access that can enable script execution or data exfiltration.
- Monitor for abnormal browser behavior: Detect redirected traffic, injected scripts, and other indicators of malicious extension activity.
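
One way to carry out the first two actions on a Chromium-based browser (Chrome or Edge), as an added example that is not from the original report: the script reads each installed extension's manifest.json under a profile's Extensions directory and reports IDs missing from an allowlist along with broad permissions. The RISKY set, the function names and the sample extension IDs are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumption: an illustrative set of broad permissions, not a list from the report.
RISKY = {"<all_urls>", "tabs", "webRequest", "scripting", "cookies", "declarativeNetRequest"}


def is_broad(perm):
    """True for risky API permissions and match patterns that cover every site."""
    return perm in RISKY or perm.endswith("://*/*")


def audit_profile(extensions_dir, allowlist):
    """Walk <Extensions>/<id>/<version>/manifest.json and return one finding per manifest."""
    findings = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest.parts[-3]
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            data = {"name": "<unreadable manifest>"}
        perms = set()
        for key in ("permissions", "optional_permissions", "host_permissions"):
            perms.update(p for p in data.get(key, []) if isinstance(p, str))
        for script in data.get("content_scripts", []):  # content scripts also reach pages
            perms.update(script.get("matches", []))
        findings.append({"id": ext_id, "name": data.get("name", "?"),  # name may be a __MSG_ key
                         "allowed": ext_id in allowlist,
                         "risky": sorted(filter(is_broad, perms))})
    return findings


def build_sample_profile(root):
    """Constructed sample data: two fake extension IDs, not real store IDs."""
    samples = {"a" * 32: {"name": "Approved Notes", "permissions": ["storage"]},
               "b" * 32: {"name": "Sample Downloader", "permissions": ["tabs", "scripting"],
                          "host_permissions": ["<all_urls>"]}}
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for finding in audit_profile(tmp, allowlist={"a" * 32}):
            print(finding)
```

On a real endpoint, point audit_profile at the profile's Extensions directory and pass the organization's approved extension IDs; Firefox stores extension metadata differently and is not covered by this sketch.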
