GhostPoster malware infects 900K users through sneaky browser extensions
Extensions linked to GhostPoster, a campaign that spread through 17 fake browser extensions on Chrome, Edge, and Firefox, have been reported at over 840,000 cumulative installs.
The extensions posed as translation tools, ad blockers, and video downloaders.
Some remained available in official stores for over five years before being discovered and removed by security researchers and browser vendors.
How did GhostPoster pull this off?
GhostPoster hid its malicious code inside PNG icon files using steganography (basically hiding stuff in images).
After you installed one of these shady extensions, the code would chill for two days before waking up to connect with its servers.
Once active, it hijacked your affiliate links, messed with security settings, injected tracking codes, and even solved CAPTCHAs automatically.
Why you still need to check your browser
Even though these bad extensions have been removed from app stores now, they can keep running if you haven't updated or removed them yourself.
So it's a good idea to regularly review your browser's extensions—just in case something sketchy slipped through.
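One way to include icon files in that review, since GhostPoster hid its code inside PNG icons: the Python below is an added example, not code from this article or from the researchers. It walks each PNG's chunk list and flags bytes after the IEND chunk, non-standard chunk types, and CRC mismatches. The article does not say how the payload was embedded, so this is an assumption that covers container-level hiding only (it does not detect data encoded in pixel values); `sample_icon` builds a constructed test image, and `root` is whatever directory holds your unpacked extensions.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types from the PNG specification; any other type is flagged for review.
STANDARD = set(b"IHDR PLTE IDAT IEND tRNS gAMA cHRM sRGB iCCP tEXt zTXt iTXt "
               b"bKGD pHYs sBIT sPLT hIST tIME".split())

def chunk(ctype: bytes, body: bytes = b"") -> bytes:
    """Serialize one PNG chunk (used only to build the constructed sample)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_icon(extra: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG; `extra` is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND") + extra

def audit_png(data: bytes) -> dict:
    """Walk the chunk list and report what a normal icon should not contain."""
    report = {"valid": False, "bad_crc": [], "unknown_chunks": [], "trailing_bytes": 0}
    if not data.startswith(PNG_SIG):
        return report
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            break  # truncated chunk: leave valid=False
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            report["bad_crc"].append(ctype.decode("latin-1"))
        if ctype not in STANDARD:
            report["unknown_chunks"].append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            report["valid"], report["trailing_bytes"] = True, len(data) - pos
            break
    return report

def scan_extensions(root: str) -> list:
    """Return (path, report) for each PNG under `root` that needs a closer look."""
    hits = []
    for path in sorted(Path(root).rglob("*.png")):
        rep = audit_png(path.read_bytes())
        if not rep["valid"] or rep["bad_crc"] or rep["unknown_chunks"] or rep["trailing_bytes"]:
            hits.append((str(path), rep))
    return hits
```

A hit is a reason to look closer, not a verdict: some legitimate images carry extra chunks written by editing tools.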