If you rely on browser extensions to translate text, download videos, or enhance shopping and media sites, it is time for a careful audit. Security researchers at LayerX have flagged 17 malicious add-ons masquerading as translators, downloaders, and utility tools, collectively installed more than 840,000 times across Chrome, Firefox, and Edge. Mozilla and Microsoft have purged the listings from their stores, but anyone who installed them will need to remove them manually.
What Researchers Uncovered About the GhostPoster Campaign
The extensions are tied to a long-running operation dubbed GhostPoster, initially profiled by Koi Security. The campaign blends subtlety with patience: payloads were concealed via steganography inside image files, and malicious features often stayed dormant for weeks before activating, a delay tactic designed to evade both store reviews and user suspicion.
- What Researchers Uncovered About the GhostPoster Campaign
- Browser Add-ons You Should Remove Immediately to Stay Safe
- Why These Browser Extensions Are So Effective at Evasion
- How to Check if Your Browser Is Affected and Clean Up
- Telltale Red Flags to Watch Before Installing Extensions
- A Broader Pattern of Malicious Browser Add-ons to Watch
Once active, the code could strip or inject HTTP headers to weaken site security policies, hijack affiliate traffic for monetization, inject scripts that enable click fraud and persistent tracking, and even auto-solve CAPTCHAs to keep malicious activity flowing. Researchers also observed the ability to load additional scripts on demand, extending control over the victim’s browser without obvious prompts.
Browser Add-ons You Should Remove Immediately to Stay Safe
The biggest lure was convenience: quick translations and one-click downloads. The most installed malicious item, “Google Translate in Right Click,” amassed more than 500,000 downloads. Another, “Translate Selected Text with Google,” drew nearly 160,000. Names like “YouTube Download,” “Instagram Downloader,” and “Save Image to Pinterest on Right Click” were built to blend into everyday workflows.
Other flagged entries include:
- One Key Translate
- Translate Selected Text with Right Click
- Ads Block Ultimate
- AdBlocker
- Amazon Price History
- Color Enhancer
- Cool Cursor
- Convert Everything
- RSS Feed
- Floating Player – PiP Mode
- Full Page Screenshot
- Page Screenshot Clipper
- YouTube Download
If any of these are on your machine, uninstall them, then restart the browser.
Why These Browser Extensions Are So Effective at Evasion
Context-menu translators and media downloaders often request broad permissions to read and change data on visited sites, access the clipboard, or intercept network requests. Those powers can be legitimate for features like translating selected text or capturing a page, but they also provide a perfect foothold for ad fraud, affiliate hijacking, and data harvesting when abused. Industry groups have warned that browser-based fraud drains billions from the digital economy each year, and the delayed-execution tactic makes forensic traces even harder to connect to a specific install event.
How to Check if Your Browser Is Affected and Clean Up
Start by reviewing your extensions list. In Chrome, open the extensions page and remove anything matching the names above or any tool you do not recognize. In Firefox, check Add-ons and themes; in Edge, open the Extensions panel. Be especially skeptical of extensions that request permission to read and change data on all sites, manipulate downloads, or alter browsing data without a clear need.
After removal, clear site data and cookies, then restart the browser. Consider resetting content settings and reviewing which sites have notification or clipboard permissions. Running a reputable endpoint protection scan can help catch leftover components. For enterprises, enforce allowlists for extensions, monitor outbound traffic for suspicious redirects, and set group policies that restrict extension installations.
Telltale Red Flags to Watch Before Installing Extensions
Imposter naming is common: extensions that borrow branding such as “with Google” or “Right Click Translate” can trick users at a glance. Check the developer’s name, publication history, and support email. Scrutinize recent reviews for mentions of pop-ups, injected ads, or unexplained redirects. If an extension’s last update is years old, or it suddenly asks for broader permissions in a new version, think twice.
Be wary of tools that promise one-click downloads from platforms that prohibit scraping. These often operate in a gray zone and are frequent targets for abuse. Favor open-source or well-audited projects with transparent code and privacy policies, and keep your extension count lean. The fewer add-ons you run, the smaller your attack surface.
A Broader Pattern of Malicious Browser Add-ons to Watch
This is not an isolated incident. Koi Security previously spotlighted the Urban VPN Proxy extension for Chrome, which counted roughly 8 million users while allegedly harvesting sensitive data, including exchanges with AI assistants, for sale to data brokers. It also leveraged hidden code inside PNG images, echoing the GhostPoster playbook.
The takeaway is simple but urgent: utility add-ons that translate, download, or “enhance” pages can be as risky as they are useful. Until browser stores consistently detect steganographic payloads and delayed execution, the best defense is a skeptical click, strict permission hygiene, and regular pruning of anything you do not absolutely need.
