(Credit: LayerX Security)
If you’ve been using browser extensions to download YouTube videos or images from Pinterest, translate text in real time, check Amazon price histories, or even enhance colors, you might have some uninstalling to do.
Cybersecurity firm LayerX has uncovered 17 malicious extensions that were downloaded more than 840,000 times, with some remaining active in the wild for up to five years. Instances were recorded across Firefox, Google Chrome, and Microsoft Edge.
Mozilla and Microsoft have removed all of the extensions from their official stores. However, if you’ve already installed one, you should uninstall it immediately.
The most popular malicious extension, dubbed “Google Translate in Right Click,” was downloaded more than 500,000 times across the app stores. Another, “Translate Selected Text with Google,” racked up almost 160,000 downloads.
The extensions were part of a malware campaign researchers named GhostPoster, first identified by Koi Security last month. It uses “steganography”—hidden links or code embedded inside images—to infiltrate users’ machines.
(Credit: LayerX Security )The extensions also relied on a technique known as delayed execution, meaning their malicious behavior could take weeks or even months to trigger. Once activated, the extensions were capable of stripping and injecting HTTP headers to weaken web security policies, hijacking affiliate traffic for monetization, and injecting scripts to enable click fraud and user tracking.
In addition, the extensions could perform automated CAPTCHA solving and inject additional malicious scripts, giving attackers extended control over infected browsers.
Here are the extensions identified by LayerX:
- Page Screenshot Clipper
- Full Page Screenshot
- Convert Everything
- Translate Selected Text with Google
- Youtube Download
- RSS Feed
- Ads Block Ultimate
- AdBlocker
- Color Enhancer
- Floating Player – PiP Mode
- One Key Translate
- Cool Cursor
- Google Translate in Right Click
- Translate Selected Text with Right Click
- Amazon Price History
- Save Image to Pinterest on Right Click
- Instagram Downloader
These aren’t the only extensions you need to worry about. Koi’s earlier investigation uncovered numerous other malicious browser extensions, including the popular Urban VPN Proxy, a Google Chrome extension with 8 million users that secretly collected data from conversations with AI tools like ChatGPT, Claude, and Gemini to sell to data brokers. The illicit VPN used the same strategy: hiding code within a PNG image, then redirecting the user to a website primed to inject malware.
If one of the extensions above looks familiar, check out PCMag’s guide to removing browser extensions.