Emily Long

Emily Long Freelance Writer

Experience

Emily Long is a freelance writer based in Salt Lake City.

After graduating from Duke University, she spent several years reporting on the federal workforce for Government Executive, a publication of Atlantic Media Company, in Washington, D.C. She has nearly a decade of experience as a freelancer covering tech (including issues related to security, privacy, and streaming) as well as personal finance and travel.

In addition to Lifehacker, her work has been featured on Wirecutter, Tom’s Guide, and ZDNET. Emily has also worked as a travel guide around the U.S. and as a content editor. She has a masters in social work and is a licensed therapist in Utah.

Areas of Expertise

Read Full Bio

January 22, 2026 Add as a preferred source on Google

Add as a preferred source on Google

Credit: Primakov/Shutterstock

Key Takeaways

1. Malicious browser extensions capable of tracking user activity have been found across Chrome, Firefox, and Edge.
2. The campaign, known as GhostPoster, plants malicious code in add-on logos.
3. If you have one of the 17 extensions identified, delete it ASAP.

Table of Contents

---

Another wave of malicious browser extensions capable of tracking user activity and compromising privacy have been found across Chrome, Firefox, and Edge, some of which may have been active for up to five years.

The campaign, known as GhostPoster, was identified by Koi Security in December and included 17 Firefox add-ons designed to monitor users’ browsing activity. Threat actors planted malicious JavaScript code in the extension’s PNG logo, which served as a malware loader to retrieve the main payload from a remote server. Researchers at LayerX have found an additional 17 malicious extensions across multiple browsers that have collectively been installed more than 840,000 times.

Ongoing GhostPoster malware campaign

According to the report from LayerX, GhostPoster initially targeted Microsoft Edge and then expanded to Chrome and Firefox. The malicious add-ons may have been active as early as 2020 and include the following:

Google Translate in Right Click

Translate Selected Text with Google

Ads Block Ultimate

Floating Player – PiP Mode

Convert Everything

Youtube Download

One Key Translate

AdBlocker

Save Image to Pinterest on Right Click

Instagram Downloader

RSS Feed

Cool Cursor

Full Page Screenshot

Amazon Price History

Color Enhancer

Translate Selected Text with Right Click

Page Screenshot Clipper

"Google Translate in Right Click" alone had 522,398 installs. The next most popular add-on was "Translate Selected Text with Google" with 159,645 installs. Researchers also found a more sophisticated variant of the campaign in "Instagram Downloader," which had 3,822 installs.

What do you think so far?

GhostPoster malware has built-in safeguards to prevent detection—for example, activation is delayed by 48 hours, and it only communicates with remote attack servers under certain conditions. Once installed, though, extensions that are part of GhostPoster have the ability to hijack affiliate traffic (and redirect commissions to attackers), strip and inject HTTP headers to weaken security, bypass CAPTCHA, and inject iframes and scripts for click fraud and user tracking. The only sort-of good news is that the malware doesn’t harvest credentials or engage in phishing.

While the malicious extensions are no longer available to add in Chrome, Edge, and Firefox, users who have them installed should remove them immediately, as they remain active until explicitly deleted.

Never miss a tech story Get the latest tech news, reviews, and advice from Jake and the team.