Ghost Poster Malware: How Browser Extensions Infected Nearly a Million Users

AI-generated, human-reviewed.

The Ghost Poster malware campaign, which secretly embedded malicious code inside browser extensions, infected nearly 900,000 users across Chrome, Firefox, and Edge over the past five years. Security Now explained how this attack worked, what it means for your privacy, and why browser add-ons can be a serious hidden threat.

How the Ghost Poster Malware Infected Users

On Security Now, Leo Laporte and Steve Gibson discussed recent research revealing the extent of the Ghost Poster attack. Cybersecurity researchers at Koi Security and LayerX found that extensions marketed as popular utilities—like "Instagram Downloader" or free VPNs—actually contained hidden malware.

The attack worked by hiding (using a method called "steganography") encrypted JavaScript malware code inside supposedly harmless PNG icon files that ship with the browser extension. When a user installed the extension, the extension itself could extract, decode, and run the hidden code.

This code would stay dormant for days—helping it evade automated security scans—before contacting a command-and-control server to download fresh malicious payloads. These payloads could then hijack your web traffic, strip security headers from connections, inject scam ads or fraudulent redirects, harvest your browsing data, and more.
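The carrier technique described above, an icon file that still renders as an image while carrying a payload, leaves structural traces that a store reviewer or an extension auditor can check for. The following is an added example, not code from the article, from Security Now, or from the Koi Security or LayerX research: a walk over a PNG's chunk list that flags bytes appended after the IEND chunk, oversized text chunks, and CRC mismatches. The sample icons it scans are constructed inline; the `scanPng` and `crc32` function names and the 4 KB text-chunk threshold are the example's own choices.

```javascript
// Added example: structural PNG scan for places an extra payload can ride along.
// Checks (a) trailing bytes after IEND, (b) ancillary text chunks far larger than
// a metadata field should be, (c) chunk CRC errors. Pixel-level (LSB) hiding is
// NOT detected by this; see the note below the code.
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Standard CRC-32 as used by PNG chunks, implemented here to avoid dependencies.
const CRC_TABLE = new Uint32Array(256).map((_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c >>> 0;
});
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ 0xffffffff) >>> 0;
}

// Walk the chunk list; returns a list of findings (empty array = nothing odd).
function scanPng(buf, { maxTextChunk = 4096 } = {}) {
  const findings = [];
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) return ['not a PNG (bad signature)'];
  let off = 8;
  let sawIend = false;
  while (off + 12 <= buf.length && !sawIend) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString('latin1', off + 4, off + 8);
    const dataStart = off + 8;
    const dataEnd = dataStart + len;
    if (dataEnd + 4 > buf.length) {
      findings.push(`truncated chunk ${type} at offset ${off}`);
      return findings;
    }
    const stored = buf.readUInt32BE(dataEnd);
    const actual = crc32(buf.subarray(off + 4, dataEnd)); // CRC covers type + data
    if (stored !== actual) findings.push(`CRC mismatch in chunk ${type} at offset ${off}`);
    if (['tEXt', 'zTXt', 'iTXt'].includes(type) && len > maxTextChunk) {
      findings.push(`oversized ${type} chunk (${len} bytes) at offset ${off}`);
    }
    if (type === 'IEND') sawIend = true;
    off = dataEnd + 4;
  }
  if (!sawIend) findings.push('no IEND chunk');
  else if (off < buf.length) findings.push(`${buf.length - off} bytes of trailing data after IEND`);
  return findings;
}

// --- constructed sample icons (not real extension files) ---
function chunk(type, data) {
  const t = Buffer.from(type, 'latin1');
  const len = Buffer.alloc(4); len.writeUInt32BE(data.length);
  const crc = Buffer.alloc(4); crc.writeUInt32BE(crc32(Buffer.concat([t, data])));
  return Buffer.concat([len, t, data, crc]);
}
const ihdr = Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 6, 0, 0, 0]); // 1x1, 8-bit RGBA
// zlib stream with one stored block: filter byte 0 + one RGBA pixel (0,0,0,255).
const idat = Buffer.from('780101 0500faff 0000000 0ff 01040100'.replace(/ /g, ''), 'hex');
const cleanPng = Buffer.concat([PNG_SIG, chunk('IHDR', ihdr), chunk('IDAT', idat), chunk('IEND', Buffer.alloc(0))]);
// Carrier 1: payload appended after IEND; image viewers ignore it, the file still renders.
const trailerPng = Buffer.concat([cleanPng, Buffer.from('/*constructed payload*/'.repeat(40))]);
// Carrier 2: payload tucked into a large tEXt chunk (keyword "Comment").
const bigText = Buffer.concat([Buffer.from('Comment\0'), Buffer.alloc(20000, 0x41)]);
const textPng = Buffer.concat([PNG_SIG, chunk('IHDR', ihdr), chunk('tEXt', bigText), chunk('IDAT', idat), chunk('IEND', Buffer.alloc(0))]);

for (const [name, png] of Object.entries({ cleanPng, trailerPng, textPng })) {
  console.log(name, scanPng(png));
}
```

Run it with Node and the clean icon produces no findings, the trailer variant reports 920 bytes after IEND, and the text variant reports a 20008-byte tEXt chunk. Two caveats: a payload hidden in the pixel data itself (least-significant-bit steganography) passes this scan unchanged, so a fuller review also compares each icon's decoded size with what its dimensions imply; and a finding here is a reason to look closer, not proof of malice, because some image tools legitimately write large metadata chunks.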

Why the Attack Was So Effective—and Overlooked

According to Security Now, the campaign's longevity and reach were alarming. The malicious extensions sat undetected in official Chrome, Firefox, and Edge stores for up to five years, with some achieving over half a million downloads. Even after removal from stores, already-downloaded extensions could still run in browsers, continuing malicious activities until a user manually uninstalled them.

The extensions cleverly delayed activating their malware—sometimes by five days or longer—frustrating researchers and making automated scans less likely to catch them. By bundling with seemingly useful, innocuous add-ons, attackers lured users who weren't expecting any risk.

What This Means for Your Online Security

The Ghost Poster campaign highlights how browser extensions, while useful, can be a major weak point in personal security. Unlike websites, extensions can have extensive access to everything in your browser—what you type, what you click, even your passwords.

On today's Security Now, the hosts emphasized that attackers are now skilled at packaging their malware in convincing, seemingly legitimate extensions, complete with fake reviews and proper branding. The line between legitimate and malicious add-ons is less clear than ever.

Perhaps most concerning: even removal by browser companies doesn't fully protect you. Malicious extensions already on your computer keep working until you take direct action.

How to Protect Yourself from Malicious Extensions

  • Install as few browser extensions as possible. Only add tools you truly need and recognize.
  • Stick to well-known, reputable publishers. Extensions from obscure sources or with suspiciously generic names are high-risk.
  • Regularly review and remove unnecessary extensions. In Chrome, Firefox, and Edge, check your Extensions/Add-ons menu and prune unfamiliar items.
  • Be skeptical of "free VPNs" and download helpers. Useful-sounding, free utilities are commonly abused by attackers.
  • Update your browsers and extensions frequently. Security improvements are ongoing, and updates may block or remove dangerous add-ons.
  • Look for suspicious behavior. If you notice unexpected redirects, changes in search engines, or new ads, inspect your installed extensions first.
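When pruning extensions, it helps to know which ones hold the access that the Ghost Poster payloads relied on (observing traffic, rewriting response headers, running on every site). The following is an added example, not from the article or the Security Now episode: it triages already-parsed `manifest.json` objects by the permissions they request and ranks them for review. The `auditManifest` and `rankExtensions` names, the scoring weights, and the three sample manifests are constructed for illustration; reading the manifests out of a browser profile is left to the caller because the path differs by browser and operating system.

```javascript
// Added example: rank installed extensions by the browser access they request.
// Permission names are the real Chrome/Edge/Firefox manifest permission strings;
// the risk descriptions and weights are this example's own choices.
const PERMISSION_RISK = {
  webRequest: 'observe every request the browser makes',
  webRequestBlocking: 'modify or block requests and response headers (Manifest V2)',
  declarativeNetRequest: 'rewrite requests and strip response headers',
  declarativeNetRequestWithHostAccess: 'rewrite requests on all granted hosts',
  scripting: 'inject scripts into open pages',
  cookies: 'read session cookies',
  history: 'read browsing history',
  clipboardRead: 'read the clipboard',
  nativeMessaging: 'communicate with programs outside the browser',
  proxy: 'route all traffic through a proxy',
  tabs: 'see the URL and title of every open tab',
  webNavigation: 'track page navigations',
};

// Host patterns that amount to "every site the user visits".
const BROAD_HOST = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

function auditManifest(manifest) {
  const reasons = [];
  let score = 0;
  const hosts = new Set([
    ...(manifest.permissions || []),      // Manifest V2 lists host patterns here
    ...(manifest.host_permissions || []), // Manifest V3 moves them here
  ]);
  for (const p of manifest.permissions || []) {
    if (PERMISSION_RISK[p]) {
      score += 3;
      reasons.push(`${p}: ${PERMISSION_RISK[p]}`);
    }
  }
  for (const h of hosts) {
    if (BROAD_HOST.test(h)) {
      score += 3;
      reasons.push(`host access ${h}: runs on every site`);
      break;
    }
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOST.test(m))) {
      score += 2;
      reasons.push('content script injected into every site');
      break;
    }
  }
  return { name: manifest.name, version: manifest.version, score, reasons };
}

// Highest-access extensions first, so the review starts where it matters.
function rankExtensions(manifests) {
  return manifests.map(auditManifest).sort((a, b) => b.score - a.score);
}

// --- constructed sample manifests (not real extensions) ---
const SAMPLE_MANIFESTS = [
  {
    name: 'Tab Counter (constructed)', version: '1.0', manifest_version: 3,
    permissions: ['storage'],
  },
  {
    name: 'Free VPN Unlimited (constructed)', version: '4.2', manifest_version: 3,
    permissions: ['proxy', 'declarativeNetRequest', 'storage', 'tabs'],
    host_permissions: ['<all_urls>'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
  },
  {
    name: 'Video Download Helper (constructed)', version: '2.7', manifest_version: 2,
    permissions: ['webRequest', 'webRequestBlocking', 'http://*/*', 'https://*/*'],
  },
];

for (const r of rankExtensions(SAMPLE_MANIFESTS)) {
  console.log(`${r.score.toString().padStart(2)}  ${r.name} ${r.version}`);
  for (const reason of r.reasons) console.log(`      - ${reason}`);
}
```

A high score is not a verdict; a real VPN or download helper genuinely needs some of these permissions. The point is that such extensions sit at the top of the list, so they are the ones to check against the publisher's reputation and to remove when you do not actually use them.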

Key Takeaways

  • Ghost Poster malware infected almost 900,000 users since 2020 via Chrome, Edge, and Firefox extensions.
  • Malicious code was hidden ("steganography") inside PNG icon files, evading security review.
  • Extensions often impersonated popular utilities such as translation tools, download helpers, or VPNs.
  • Malware remained dormant for days to avoid detection, then performed a range of attacks from fraud to spyware.
  • Removal from app stores does not automatically protect users—manual review and uninstallation are necessary.
  • The safest policy: only install necessary extensions, stick to reputable sources, and audit regularly.

The Bottom Line

On Security Now, Leo Laporte and Steve Gibson made it clear: browser extensions can be as big a threat as any software you install. The Ghost Poster campaign shows that even official browser stores aren't immune to sophisticated, long-term malware attacks. Your best defense is to minimize the number of extensions you use, vet their sources, and regularly clean out your browser.

Want more expert analysis and actionable security news each week? Listen and subscribe to Security Now: https://twit.tv/shows/security-now/episodes/1061