Jan 19, 2026 · 5 min read
That Chrome Extension Has 500,000 Downloads and It's Stealing Your Data
840,000 users installed browser extensions that looked legitimate but were secretly monitoring their browsing, hijacking their purchases, and planting backdoors. Some had been doing it for over five years.
You probably have browser extensions installed right now. A password manager, maybe an ad blocker, perhaps a translation tool. They make browsing easier. But security researchers just discovered that 17 extensions across Chrome, Firefox, and Edge were doing something else entirely: stealing your data, hijacking your purchases, and weakening your browser's security defenses.
The campaign, dubbed "GhostPoster," accumulated over 840,000 installations before being removed from browser stores. The most popular extension alone, "Google Translate in Right Click," had 522,000 Chrome users who thought they were installing a simple translation tool.
They weren't.
How the Attack Worked
GhostPoster used an unusually sophisticated technique to evade detection: steganography. Instead of hiding malicious code in obvious places, the attackers embedded JavaScript directly inside the extension's icon image file.
When the extension loaded its PNG logo (standard behavior for any browser add-on) it scanned the image's raw bytes for a hidden marker sequence. Everything after that marker wasn't image data. It was malware.
This approach bypassed traditional security reviews. Automated scanners checking for malicious code found nothing suspicious because the payload was hidden inside what appeared to be a normal image file.
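As an added illustration (not code from the LayerX report or from any of the extensions), this Python checks an extension's PNG icon for exactly the condition described above: bytes that an image decoder ignores but that the extension's own code can still read. It parses the chunk structure, verifies each chunk's CRC, and flags anything appended after IEND or any chunk type the PNG specification does not define; the sample image is constructed inside the block.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a closer look.
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "gAMA", "cHRM", "sRGB",
                   "iCCP", "tEXt", "zTXt", "iTXt", "bKGD", "pHYs", "sBIT", "sPLT",
                   "hIST", "tIME"}

def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report what a decoder would silently ignore.
    A decoder stops at IEND, so bytes appended after it never change the
    rendered icon but remain readable by code that opens the file itself."""
    result = {"valid_png": False, "chunks": [], "unknown_chunks": [],
              "crc_errors": 0, "trailing_bytes": 0}
    if not data.startswith(PNG_SIGNATURE):
        return result
    result["valid_png"] = True
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):  # length(4) + type(4) + crc(4) minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            break  # truncated chunk: stop; everything from here is unparsed
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            result["crc_errors"] += 1
        name = ctype.decode("latin-1")
        result["chunks"].append(name)
        if name not in STANDARD_CHUNKS:
            result["unknown_chunks"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break
    result["trailing_bytes"] = len(data) - pos  # bytes no decoder will read
    return result

def is_suspicious(data: bytes) -> bool:
    r = scan_png(data)
    return (not r["valid_png"] or r["trailing_bytes"] > 0
            or bool(r["unknown_chunks"]) or r["crc_errors"] > 0)

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_png() -> bytes:
    """Constructed minimal 1x1 RGB PNG; not an icon from any real extension."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

Run it over every image in an unpacked extension directory; a clean icon reports zero trailing bytes and only standard chunk types.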
The attackers added another layer of evasion: time delays. The malware wouldn't activate until six or more days after installation, long after any security review would have concluded. Even then, it only fetched its payload in 10% of connections, making the malicious traffic nearly invisible in network logs.
What the Extensions Actually Did
Once active, GhostPoster performed several malicious functions simultaneously:
Purchase Hijacking: When you bought something online, the extension silently replaced affiliate links with the attacker's codes. Every purchase you made could be generating commission for criminals.
Browsing Surveillance: The extensions monitored your web activity, tracking which sites you visited and what you did there.
Security Stripping: Perhaps most dangerously, the malware removed HTTP security headers like Content Security Policy and HTTP Strict Transport Security. These protections exist to prevent attacks, and the extensions deliberately disabled them, making you vulnerable to further exploitation.
Ad Fraud: Hidden iframes loaded in the background, generating fraudulent ad revenue while consuming your bandwidth and system resources.
Backdoor Access: The extensions maintained connections to command and control servers, allowing attackers to push new malicious code at any time.
The Infected Extensions
Security firm LayerX identified 17 malicious extensions. The most downloaded include:
- Google Translate in Right Click (Chrome): 522,398 installs
- Translate Selected Text with Google (Firefox): 159,645 installs
- Ads Block Ultimate: 48,078 installs
- Free VPN Forever: 16,000+ installs
- Instagram Downloader: various install counts
Some of these extensions had been live since 2020. That's five years of stealing data, hijacking purchases, and compromising browser security, all while passing browser store security checks.
Are You Affected?
Mozilla, Microsoft, and Google have removed the identified extensions from their stores. But here's the problem: removal from the store doesn't remove extensions already installed on your browser. If you downloaded one of these extensions before the takedown, it's still running.
To check your Chrome extensions:
- Type chrome://extensions in your address bar
- Review each installed extension
- Look for any of the names listed above
- Click "Remove" on anything suspicious
To check Firefox:
- Type about:addons in your address bar
- Click "Extensions" in the sidebar
- Review and remove suspicious items
To check Edge:
- Type edge://extensions in your address bar
- Review your installed extensions
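The checks above are done by hand in the browser. For auditing more than one machine, here is an added Python example (not from the page's source) that reads the on-disk manifests of a Chromium-based profile: Chrome and Edge keep unpacked extensions under <profile>/Extensions/<id>/<version>/manifest.json (Firefox uses a different layout and is not covered). It resolves localized "__MSG_" names the way the browser does, matches them against the names listed above, and flags extensions with host access to all sites. The sample profile and extension ids are constructed.

```python
import json
import tempfile
from pathlib import Path

# Names reported for the GhostPoster extensions (from the list above).
KNOWN_BAD_NAMES = {"google translate in right click", "translate selected text with google",
                   "ads block ultimate", "free vpn forever", "instagram downloader"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _resolve_name(manifest: dict, ext_dir: Path) -> str:
    """Store listings show localized names; on disk they are __MSG_key__ placeholders."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.exists():
            entry = json.loads(msgs.read_text(encoding="utf-8")).get(name[6:-2], {})
            name = entry.get("message", name)
    return name

def audit_extensions(extensions_root: Path) -> list[dict]:
    """Walk <Extensions>/<id>/<version>/manifest.json; flag known names and broad access."""
    findings = []
    for manifest_path in extensions_root.glob("*/*/manifest.json"):
        ext_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        name = _resolve_name(manifest, ext_dir)
        # MV2 lists host patterns under "permissions", MV3 under "host_permissions".
        hosts = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        findings.append({"id": ext_dir.parent.name, "name": name,
                         "known_bad": name.strip().lower() in KNOWN_BAD_NAMES,
                         "all_sites": any(h in ALL_SITES for h in hosts)})
    return findings

def build_sample_profile(root: Path) -> Path:
    """Constructed sample tree (ids are placeholders, not real extension ids)."""
    ext_root = root / "Extensions"
    a = ext_root / "constructedidaaaaaaaaaaaaaaaaaaaa" / "1.0.0_0"
    (a / "_locales" / "en").mkdir(parents=True)
    (a / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__", "default_locale": "en",
                                                 "manifest_version": 3, "host_permissions": ["<all_urls>"]}))
    (a / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Google Translate in Right Click"}}))
    b = ext_root / "constructedidbbbbbbbbbbbbbbbbbbbb" / "2.3.1_0"
    b.mkdir(parents=True)
    (b / "manifest.json").write_text(json.dumps({"name": "Notes", "permissions": ["storage"]}))
    return ext_root

def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:  # runs the audit over the constructed profile
        return sorted(audit_extensions(build_sample_profile(Path(tmp))), key=lambda f: f["name"])
```

Point audit_extensions at a real profile's Extensions folder to get the same findings for an actual browser; a removed extension disappears from that folder only after the browser has actually uninstalled it.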
If you find a malicious extension, remove it immediately. Then take these additional steps:
- Change passwords for any accounts you accessed while the extension was active
- Check financial accounts for unauthorized transactions
- Review connected apps on services like Google, Facebook, and Amazon
- Consider running a malware scan to check for any persistence mechanisms
The Bigger Problem
GhostPoster reveals an uncomfortable truth: browser store verification isn't enough to keep you safe. These extensions passed security reviews on Chrome, Firefox, and Edge stores. Some carried "Featured" badges. Users had no reason to suspect anything was wrong.
The campaign originated on Microsoft Edge's store before expanding to Firefox and Chrome, suggesting attackers deliberately test their techniques on smaller platforms before targeting Chrome's massive user base.
Protecting Yourself Going Forward
Browser extensions have deep access to your browsing activity. A malicious extension can see every page you visit, every form you fill out, every password you type. Treat extension installation with the same caution you'd give to installing software on your computer.
Before installing any extension:
- Check when it was last updated (abandoned extensions are risky)
- Read recent reviews for reports of suspicious behavior
- Verify the developer has other legitimate extensions
- Question whether you actually need this functionality
Regularly audit your extensions:
- Remove anything you don't actively use
- Check permissions, and be suspicious of extensions requesting access to "all websites"
- Use Chrome's Task Manager (Shift+Esc) to identify extensions consuming unusual resources
The most secure extension is one you never installed. For functionality you genuinely need, stick to well known developers with long track records and active maintenance.
840,000 users learned this lesson the hard way. You don't have to be the next one.