Security researchers have uncovered a stealthy malware campaign dubbed GhostPoster embedded inside popular browser extensions for Chrome, Firefox, and Edge. Seventeen add-ons — replicated across multiple browser stores as 34 variants — were pulled from official marketplaces, but they remain active if already installed, meaning users need to remove them immediately.
Investigators at Koi Security and LayerX say the extensions packed a multi‑stage payload that monitored browsing, degraded web security controls, injected tracking code, and even opened a route for remote code execution. The kicker: the malicious code was hidden inside the extension’s PNG logo, a clever piece of steganography that helped the campaign fly under the radar for years.
Which Extensions Are Affected by GhostPoster
Researchers attribute these extension names to the GhostPoster operation (with clones across stores):
- Google Translate in Right Click
- Translate Selected Text with Google
- Ads Block Ultimate
- Floating Player – PiP Mode
- Convert Everything
- YouTube Download
- One Key Translate
- AdBlocker
- Save Image to Pinterest on Right Click
- Instagram Downloader
- RSS Feed
- Cool Cursor
- Full Page Screenshot
- Amazon Price History
- Color Enhancer
- Translate Selected Text with Right Click
- Page Screenshot Clipper
Some were widely adopted. LayerX notes that Google Translate in Right Click alone amassed more than 500,000 installs before takedown. The blend of familiar utility categories — ad blockers, translators, downloaders, and screenshot tools — made the malicious extensions easy to trust at a glance.
How GhostPoster Worked Inside Extensions
Koi Security describes GhostPoster as a modular, staged loader. The first stage, concealed in the PNG asset, would unpack additional scripts after installation. From there, the extension used browser APIs to watch visited URLs, intercept and alter network requests, and modify page content by inserting iframes and tracking scripts.
Researchers report several impacts: weakening site protections such as content security policies, hijacking affiliate traffic to monetize visits, persistent surveillance of browsing history, and creating hooks that could enable remote code execution. By abusing permissions common to “power-user” extensions — like “read and change all your data on all websites” — the malware blended into normal behavior profiles.
What You Should Do Now to Stay Protected
- Manually audit your extensions. In Chrome, Firefox, and Edge, open your extensions menu and remove any extension whose name appears in the list above. If you don’t recognize a tool or it demands sweeping permissions without a clear need, remove it.
- Clear synced copies. After uninstalling, reset your browser’s sync from your account settings so a removed extension does not silently resurface on other devices.
- Scan your system. Run a reputable endpoint security scan to check for residual scripts or changes GhostPoster may have introduced.
- Review account activity. Since the malware tracked browsing and injected code, monitor important accounts for suspicious sign-ins or unusual transactions and enable multi-factor authentication wherever possible.
Why Detection Took So Long for GhostPoster
GhostPoster’s use of steganography is unusual in the extension ecosystem. Hiding code in an image asset, then assembling the payload in multiple steps, reduces the likelihood that static analysis or automated store reviews will flag it. Its operators also leaned on generic, unbranded extension names and utility categories that users routinely search for, minimizing scrutiny.
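The article does not say exactly how the loader was embedded in the logo, so the check below is a generic one rather than a reproduction of the campaign's technique. It is an added example, not code from the article, Koi Security, or LayerX: it walks a PNG's chunk structure and flags the three things a reviewer or a store scanner can verify cheaply without decoding pixels, namely bytes appended after the IEND chunk, chunk types outside the standard set, and oversized text metadata chunks. The sample images (a 1x1 PNG, one with a payload appended, one with a private chunk named prVt) are constructed here for illustration.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Critical chunks plus the ancillary chunks defined by the PNG spec; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}
TEXT_CHUNK_LIMIT = 4096  # heuristic threshold (assumption): an extension logo needs no 4 KB of text metadata


def _crc(chunk_type, data):
    return zlib.crc32(chunk_type + data) & 0xFFFFFFFF


def scan_png(blob):
    """Return a list of findings for a PNG byte string; an empty list means nothing suspicious."""
    findings = []
    if not blob.startswith(PNG_SIGNATURE):
        return ["not a PNG (bad signature)"]
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 8 <= len(blob) and not saw_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_field) < 4:
            findings.append(f"truncated {ctype!r} chunk at offset {pos}")
            return findings
        if struct.unpack(">I", crc_field)[0] != _crc(ctype, data):
            findings.append(f"bad CRC on {ctype!r} chunk at offset {pos}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes) at offset {pos}")
        elif ctype in (b"tEXt", b"zTXt", b"iTXt") and length > TEXT_CHUNK_LIMIT:
            findings.append(f"oversized {ctype!r} chunk ({length} bytes) at offset {pos}")
        if ctype == b"IEND":
            saw_iend = True
        pos += 12 + length
    if not saw_iend:
        findings.append("no IEND chunk")
    trailing = len(blob) - pos
    if trailing > 0:
        # A decoder stops at IEND, so anything here is invisible to image viewers but readable by code.
        findings.append(f"{trailing} bytes of data after IEND")
    return findings


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_png(fh.read())


def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", _crc(ctype, data))


def make_minimal_png():
    """Constructed 1x1 red RGB PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, colour type RGB
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte followed by one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


CLEAN_PNG = make_minimal_png()
# Constructed samples: a placeholder blob appended after IEND, and one stored in a private chunk.
APPENDED_PNG = CLEAN_PNG + b"/* constructed placeholder, not real payload */"
PRIVATE_CHUNK_PNG = CLEAN_PNG[:-12] + _chunk(b"prVt", b"x" * 64) + _chunk(b"IEND", b"")  # [:-12] drops IEND

if __name__ == "__main__":
    # Usage: python png_check.py path/to/extension/icon.png ...
    for p in sys.argv[1:]:
        for finding in scan_file(p) or ["clean"]:
            print(f"{p}: {finding}")
```

These checks only catch data that sits outside the pixel stream; code hidden in pixel values (LSB steganography) would pass them, so treat a clean result as "no cheap indicators", and pair it with review of what the extension's JavaScript does with its own image assets (for example reading them with fetch and evaluating the result).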
LayerX emphasizes that the campaign leveraged common extension capabilities in uncommon ways. For example, access to modify webpages is standard for translators and ad blockers, but GhostPoster used similar privileges to rewrite pages and reroute traffic for surveillance and monetization.
Guidance for Individuals and Teams to Reduce Risk
For everyday users: restrict installs to extensions with transparent publishers, recent update histories, and large volumes of genuine reviews; scrutinize permission prompts; and periodically prune your extension list. A leaner browser is a safer browser.
For organizations: adopt an extension allowlist, enforce policy-based controls via Chrome Enterprise or similar tools, and monitor for anomalous browser behaviors such as unexpected affiliate redirects or injected iframes on trusted domains. Security teams should inventory extensions as part of asset management and consider disabling broad “read and change data on all sites” permissions unless explicitly needed.
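The manual audit step above and the inventory guidance in this section both come down to the same task: enumerate installed extensions, compare names against the reported list, and surface those with broad host access. The script below is an added example written for this article, not a tool from Koi Security or LayerX; it walks a directory of unpacked extensions (Chrome and Edge keep these under the profile's Extensions folder) and Firefox .xpi archives, reads each manifest.json, and reports matches. The sample profile tree it builds in a temporary directory is constructed, and the name list is the one reported above.

```python
import json
import os
import tempfile
import zipfile

# Extension names reported in the article; clones may carry other names, so a miss here is not a clean bill.
GHOSTPOSTER_NAMES = {
    "Google Translate in Right Click", "Translate Selected Text with Google", "Ads Block Ultimate",
    "Floating Player – PiP Mode", "Convert Everything", "YouTube Download", "One Key Translate",
    "AdBlocker", "Save Image to Pinterest on Right Click", "Instagram Downloader", "RSS Feed",
    "Cool Cursor", "Full Page Screenshot", "Amazon Price History", "Color Enhancer",
    "Translate Selected Text with Right Click", "Page Screenshot Clipper",
}
# Host patterns that grant the "read and change all your data on all websites" capability.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _norm(name):
    return " ".join(name.lower().split())


NORMALIZED_NAMES = {_norm(n) for n in GHOSTPOSTER_NAMES}


def _iter_manifests(root):
    """Yield (path, manifest or None, error) for unpacked extensions and .xpi archives under root."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if fname == "manifest.json":
                    with open(path, encoding="utf-8-sig") as fh:
                        yield path, json.load(fh), None
                elif fname.endswith(".xpi"):
                    with zipfile.ZipFile(path) as zf:
                        yield path, json.loads(zf.read("manifest.json").decode("utf-8-sig")), None
            except (OSError, KeyError, ValueError, zipfile.BadZipFile) as exc:
                yield path, None, str(exc)


def audit_extension_root(root):
    """Return a list of findings; each has the manifest path, the extension name and its issues."""
    findings = []
    for path, manifest, error in _iter_manifests(root):
        if manifest is None:
            findings.append({"path": path, "name": None, "issues": [f"unreadable manifest: {error}"]})
            continue
        name = manifest.get("name", "")
        # MV3 lists host access in host_permissions; MV2 mixes host patterns into permissions.
        hosts = set(manifest.get("host_permissions", []))
        hosts |= {p for p in manifest.get("permissions", []) if isinstance(p, str) and ("://" in p or p == "<all_urls>")}
        for cs in manifest.get("content_scripts", []):
            hosts.update(cs.get("matches", []))
        issues = []
        if _norm(name) in NORMALIZED_NAMES:
            issues.append("name matches a reported GhostPoster extension")
        if name.startswith("__MSG_"):
            issues.append("localized name; resolve it from _locales/*/messages.json before deciding")
        broad = sorted(hosts & BROAD_HOST_PATTERNS)
        if broad:
            issues.append("broad host access: " + ", ".join(broad))
        if issues:
            findings.append({"path": path, "name": name, "issues": issues})
    return findings


def build_sample_profile():
    """Constructed sample: three unpacked extensions plus one Firefox-style .xpi in a temp directory."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    unpacked = {
        "aaaa/1.0_0": {"name": "Google Translate in Right Click", "manifest_version": 3, "host_permissions": ["<all_urls>"]},
        "bbbb/2.1_0": {"name": "Harmless Notes", "manifest_version": 3, "host_permissions": ["https://example.com/*"]},
        "cccc/0.9_0": {"name": "Old Style Helper", "manifest_version": 2, "permissions": ["tabs", "*://*/*"]},
    }
    for rel, manifest in unpacked.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    with zipfile.ZipFile(os.path.join(root, "sample@example.xpi"), "w") as zf:
        zf.writestr("manifest.json", json.dumps({"name": "Cool Cursor", "manifest_version": 2, "permissions": ["storage"]}))
    return root


if __name__ == "__main__":
    # Point this at a real profile, e.g. the Chrome "Default/Extensions" folder or a Firefox profile's "extensions" folder.
    for f in audit_extension_root(build_sample_profile()):
        print(f["path"], f["name"], "; ".join(f["issues"]))
```

For fleet use, run it from the endpoint agent against each profile directory and feed the output into the allowlist decision; in Chrome Enterprise the enforcement side is the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies (block "*", then allow reviewed IDs), which also prevents a removed extension from being reinstalled through sync.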
Bottom Line on the GhostPoster Extension Campaign
GhostPoster shows that malicious actors will exploit the convenience of extensions to gain durable, lucrative footholds in the browser. If any of the 17 names above are installed, remove them now, reset sync, and run a security check. Quick cleanup today can prevent weeks of covert tracking and code injection tomorrow.