Find notable cyber news and cases, enriched with sources, timelines, and signals.

GhostPoster malicious browser extension campaign across Chrome, Firefox, and Edge

Campaign
First reported
Last updated
Happening score
H score 25
2 unique sources, 2 articles

Summary

Hide ▲

The GhostPoster campaign resurfaced with 17 malicious extensions in Chrome, Firefox, and Edge, putting users at risk of browser monitoring, affiliate-link hijacking, and ad/click fraud. The cluster accumulated 840,000 installations, and some extensions may still remain installed on affected browsers.

Related Happenings

Silent Swap browser-extension clipboard clipper

Malware Activity
H score36 First: 30.06.2026 18:40 Last: 30.06.2026 18:40 Sources 1

About this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...

Search for perplexity ai malicious Chrome extension

Malware Activity
H score29 First: 29.06.2026 21:40 Last: 29.06.2026 21:40 Sources 1

About this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension

Technical Analysis
H score23 First: 25.06.2026 17:12 Last: 25.06.2026 17:12 Sources 1

About this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

Timeline

  1. 17.01.2026 17:23 3 articles · 5mo ago

    GhostPoster browser extension disclosure and takedown

    Initial Disclosure

    GhostPoster malicious browser extensions were identified across Chrome, Firefox, and Edge stores, totaling 840,000 installations, and the cluster remained active despite exposure. The extensions hid JavaScript in logo or bundled image files, used a background script to extract hidden data marked by the delimiter >>>>, Base64-decode it, and execute staged payloads that tracked browsing activity, hijacked affiliate links, and injected invisible iframes for ad fraud and click fraud. Google, Microsoft, and Mozilla removed the newly identified listings, but users who had already installed them could still be exposed; LayerX also identified a more advanced Instagram Downloader variant that moved staging logic into the background script.

    Show sources