InfoSecBulletin Cybersecurity for mankind
At least 17 Firefox extensions managed to evade detection by hiding malware in their icons. Thousands of users have been compromised, and these harmful add-ons remain accessible on the Firefox platform. Koi Security found 17 Firefox extensions that look safe, with no visible malicious scripts. They offer services like “free VPNs”, screenshots, live transitions, weather.”
Koi researchers found that certain extensions focused on icons, examining raw bytes, which held hidden malware loaders.
OpenAI unveils its first custom chip, Named Jalapeño
Bajaj Auto System Hit by a Ransomware Attack
Cisco Unified CM flaw CVE-2026-20230 exploited in attacks
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
“We found a hidden extraction routine. The extension wasn’t just displaying the logo. It was searching through the image data, looking for a marker that shouldn’t be there,” said the researchers.
Attackers modified the PNG icon files by adding malicious code after the image data, marked by three equal signs (“===”). While the icon looks normal to users, this method helps bypass security scans. This technique is called steganography.
The campaign includes at least 17 extensions and has over 50,000 downloads so far. The extension Free VPN Forever has the highest installations, totaling 16,000.
The malicious add-on initiates a multi-stage infection. The icon serves only as a loader for the real malware, which extracts hidden code once the extension is activated. To avoid detection, it behaves inconsistently, waiting 48 hours between server check-ins and infecting only 10% of users.
“What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser’s security protections, and opens a backdoor for remote code execution,” the Koi researchers said.
The malware redirected affiliate links, stealing commissions from purchases on sites like Taobao and JD.com. It also used hidden iframes to load content from attacker servers for ad and click fraud.
“Free VPNs promise privacy, but nothing in life comes free. Again and again, they deliver surveillance instead,” the researchers warn.
Koi warns users about dangerous extensions, as most of them are still live on the Firefox Add-ons marketplace:
free-vpn-forever
screenshot-saved-easy
weather-best-forecast
crxmouse-gesture
cache-fast-site-loader
freemp3downloader
google-translate-right-clicks
google-traductor-esp
world-wide-vpn
dark-reader-for-ff
translator-gbbd
i-like-weather
google-translate-pro-extension
谷歌-翻译
libretv-watch-free-videos
ad-stop
right-click-google-translate
