GhostPoster malicious browser extension campaign across Chrome, Firefox, and Edge
Campaign
Summary
The GhostPoster campaign resurfaced with 17 malicious extensions in Chrome, Firefox, and Edge, putting users at risk of browser monitoring, affiliate-link hijacking, and ad/click fraud. The cluster accumulated 840,000 installations, and some extensions may still remain installed on affected browsers.
Related Happenings
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)
Vulnerability
First: 01.04.2026 13:25
Last: 01.04.2026 13:25
Sources 1
About this happening:
**Google Chrome Stable Desktop** on **Windows, macOS, and Linux** is getting an **emergency fix** for **CVE-2026-5281**, a **use-after-free** flaw in **Dawn/WebGPU**. Google says...
Google security patch release for CVE-2026-5281
Security Patch Release
First: 01.04.2026 13:25
Last: 01.04.2026 13:25
Sources 1
About this happening:
**Google** issued **emergency Chrome updates** to fix **CVE-2026-5281**, a **use-after-free** flaw in **Dawn/WebGPU** that was **exploited in the wild**, creating crash, corruptio...
Timeline
- 17.01.2026 17:23 · 3 articles · 4mo ago
GhostPoster browser extension disclosure and takedown
Initial Disclosure
GhostPoster malicious browser extensions were identified across Chrome, Firefox, and Edge stores, totaling 840,000 installations, and the cluster remained active despite exposure. The extensions hid JavaScript in logo or bundled image files, used a background script to extract hidden data marked by the delimiter >>>>, Base64-decode it, and execute staged payloads that tracked browsing activity, hijacked affiliate links, and injected invisible iframes for ad fraud and click fraud. Google, Microsoft, and Mozilla removed the newly identified listings, but users who had already installed them could still be exposed. LayerX also identified a more advanced Instagram Downloader variant that moved staging logic into the background script.
- Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
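Because extensions that were already installed can remain on affected browsers, the image-staging technique described in the timeline entry above is something defenders can hunt for in unpacked extension directories. The following is an added detection example, not code from the cited reporting or from any vendor; the assumption that the hidden data runs from the `>>>>` delimiter to the end of the file, the suffix list, and the 16-byte and 90% thresholds are illustrative choices.

```python
import base64
import binascii
from pathlib import Path

MARKER = b">>>>"  # delimiter named in the reporting on GhostPoster
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".ico"}


def inspect_image_bytes(data: bytes):
    """Return a finding dict if Base64 text follows the last MARKER, else None."""
    idx = data.rfind(MARKER)  # Base64 never contains '>', so the last hit bounds the blob
    if idx == -1:
        return None
    # Assumption: the hidden data runs from the marker to the end of the file.
    tail = b"".join(data[idx + len(MARKER):].split())
    if len(tail) < 16:
        return None
    try:
        decoded = base64.b64decode(tail, validate=True)
    except (binascii.Error, ValueError):
        return None  # marker bytes occurred by chance inside image data
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in decoded)
    if printable / len(decoded) < 0.9:
        return None  # decodes, but not to script-like text
    return {"offset": idx, "decoded_len": len(decoded),
            "preview": decoded[:60].decode("ascii", "replace")}


def scan_extension_dir(root):
    """Check every image file under an unpacked extension directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_SUFFIXES:
            hit = inspect_image_bytes(path.read_bytes())
            if hit:
                findings.append((str(path), hit))
    return findings


if __name__ == "__main__":
    # Constructed sample: a minimal PNG-like byte string with a harmless string appended.
    sample = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"IEND\xaeB`\x82"
              + MARKER + base64.b64encode(b"console.log('constructed sample');"))
    print(inspect_image_bytes(sample))
```

A hit means an image carries decodable text after the delimiter and deserves manual review; a clean result does not clear an extension, since a variant that moves staging logic into the background script would not leave this trace.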