If you’ve been using browser extensions to download YouTube videos or images from Pinterest, translate text in real time, check Amazon price histories, or even enhance colors, you might have some uninstalling to do.
Cybersecurity firm LayerX has uncovered 17 malicious extensions that were downloaded more than 840,000 times, with some remaining active in the wild for up to five years. Instances were recorded across Firefox, Google Chrome, and Microsoft Edge.
Mozilla and Microsoft have removed all of the extensions from their official stores. However, if you’ve already installed one, you should uninstall it immediately.
The most popular malicious extension, dubbed “Google Translate in Right Click,” was downloaded more than 500,000 times across the app stores. Another, “Translate Selected Text with Google,” racked up almost 160,000 downloads.
The extensions were part of a malware campaign researchers named GhostPoster, first identified by Koi Security last month. It uses “steganography”—hidden links or code embedded inside images—to infiltrate users’ machines.
(Credit: LayerX Security )
The extensions also relied on a technique known as delayed execution, meaning their malicious behavior could take weeks or even months to trigger. Once activated, the extensions were capable of stripping and injecting HTTP headers to weaken web security policies, hijacking affiliate traffic for monetization, and injecting scripts to enable click fraud and user tracking.
In addition, the extensions could perform automated CAPTCHA solving and inject additional malicious scripts, giving attackers extended control over infected browsers.
Recommended by Our Editors
Here are the extensions identified by LayerX:
-
Page Screenshot Clipper
-
Full Page Screenshot
-
Convert Everything
-
Translate Selected Text with Google
-
Youtube Download
-
RSS Feed
-
Ads Block Ultimate
-
AdBlocker
-
Color Enhancer
-
Floating Player – PiP Mode
-
One Key Translate
-
Cool Cursor
-
Google Translate in Right Click
-
Translate Selected Text with Right Click
-
Amazon Price History
-
Save Image to Pinterest on Right Click
-
Instagram Downloader
These aren’t the only extensions you need to worry about. Koi’s earlier investigation uncovered numerous other malicious browser extensions, including the popular Urban VPN Proxy, a Google Chrome extension with 8 million users that secretly collected data from conversations with AI tools like ChatGPT, Claude, and Gemini to sell to data brokers. The illicit VPN used the same strategy: hiding code within a PNG image, then redirecting the user to a website primed to inject malware.
If one of the extensions above looks familiar, check out PCMag’s guide to removing browser extensions.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Experience
I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.
I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.
Read Full Bio
&w=1024&resize=1024,1024&ssl=1 "Crítica: Tremembé provoca debates importantes, mas tem que tomar cuidado com a romantização")
&w=1024&resize=1024,1024&ssl=1 "Dupla Hipótese bet365: O que É e Como Usar nas Apostas")
