Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

GhostPoster Firefox add-on malware payload with affiliate-hijacking toolkit

Malware Activity
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

The GhostPoster malware operation is abusing 17 Firefox add-ons to deliver malicious JavaScript that hijacks affiliate links and injects tracking code, exposing users to fraud and browser surveillance. The add-ons were collectively downloaded 50,000+ times, widening the reach of the payload. The same code also strips browser security protections and can open a backdoor for remote code execution. Delivery relies on external infrastructure including www.liveupdt[.]com and www.dealctr[.]com.

Related Happenings

PhantomRaven npm supply-chain campaign

Campaign
First: 11.03.2026 19:09 Last: 11.03.2026 19:09 Sources 1

About this happening: **PhantomRaven** is an active **npm supply-chain campaign** that began in **August 2025** and has grown to **126 npm libraries** with **more than 86,000 installs**. The packages h...

Open Happening

GhostPoster malicious browser extension campaign across Chrome, Firefox, and Edge

Campaign
First: 17.01.2026 17:23 Last: 17.01.2026 17:23 Sources 1

How related: A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud.

About this happening: The **GhostPoster** campaign resurfaced with **17 malicious extensions** in **Chrome, Firefox, and Edge**, putting users at risk of **browser monitoring**, **affiliate-link hijack...

Open Happening

Major web skimming campaign targeting payment networks

Campaign
First: 13.01.2026 19:30 Last: 13.01.2026 19:30 Sources 1

About this happening: A **long-running Magecart web-skimming campaign** has been active since **2022** and targets checkout flows tied to **American Express, Diners Club, Discover, JCB, Mastercard, and...

Open Happening

ShadyPanda browser extension spyware activity

Malware Activity
First: 01.12.2025 19:29 Last: 01.12.2025 19:29 Sources 1

About this happening: **ShadyPanda** browser extensions now deliver **hourly remote code execution**, turning trusted add-ons into spyware across **Chrome** and **Edge** and putting **4.3 million insta...

Open Happening

ShadyPanda browser-extension campaign

Campaign
First: 01.12.2025 17:01 Last: 01.12.2025 17:01 Sources 1

About this happening: The **ShadyPanda** browser-extension campaign remains active on **Microsoft Edge Add-ons**, where it has reached **over 4.3 million installs** and is still delivering malicious co...

Open Happening

Timeline

  1. 17.12.2025 10:14 2 articles · 5mo ago

    GhostPoster discovered in 17 Firefox add-ons

    Initial Disclosure

    Koi Security identifies GhostPoster in 17 Mozilla Firefox browser add-ons that were collectively downloaded over 50,000 times, and says the add-ons hide malicious JavaScript in logo files to hijack affiliate links, inject Google Analytics tracking code, strip Content-Security-Policy and X-Frame-Options, and support click and ad fraud, CAPTCHA bypass, hidden iframe injection, and a remote-code-execution backdoor through www.liveupdt[.]com and www.dealctr[.]com.

    Show sources
    Open in new tab