31/69 Monday, January 19, 2026
A recent report by cybersecurity researchers LayerX and Koi Security has uncovered 17 malicious browser extensions on the Google Chrome Web Store, Firefox Add-ons, and Microsoft Edge Add-ons, with a combined total of more than 840,000 installations. These extensions are part of a malware operation dubbed “GhostPoster,” disguising itself as legitimate productivity tools such as translators, ad blockers, and video download utilities. Timeline analysis indicates that some of these extensions had remained active since as early as 2020.
What makes GhostPoster particularly dangerous is its use of steganography, hiding malicious code within logo images or embedded graphics to evade security detection. Once installed, the malware extracts its payload to monitor users’ browsing behavior, steal data, manipulate online shopping links for affiliate fraud, and inject invisible advertisements to generate fraudulent ad clicks. Researchers also identified a newer and more sophisticated technique in an extension named Instagram Downloader, where Base64-encoded commands are used to decode and execute attack scripts.
Although Google, Mozilla, and Microsoft have now removed these extensions from their respective stores, users who installed them prior to removal remain at risk. Users are strongly advised to check their browsers and immediately uninstall any of the following extensions if present:
- Google Translate in Right Click (over 500,000 installations)
- Translate Selected Text with Google
- Ads Block Ultimate
- Floating Player – PiP Mode
- Convert Everything
- Youtube Download
- One Key Translate
- Instagram Downloader
