Firefox joins Chrome and Edge in the problem of dormant extensions that spy on users
malwarebytes.com
The Malwarebytes blog warns of a new wave of compromised browser extensions. The technique used, called steganography, is ingenious:
The use of malicious code in images is a technique called steganography. Earlier GhostPoster extensions hid JavaScript loader code inside PNG icons such as logo.png for Firefox extensions like “Free VPN Forever,” using a marker (for example, three equals signs) in the raw bytes to separate image data from payload.
Newer variants moved to embedding payloads in arbitrary images inside the extension bundle, then decoding and decrypting them at runtime. This makes the malicious code much harder for researchers to detect.
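A defender-side check for the marker layout quoted above, as an added example that is not code from Malwarebytes or from the extensions themselves: it walks a PNG's chunk list and flags any bytes that follow the image. It assumes the payload sits after the IEND chunk and uses the "===" marker the quote gives as an example; the two sample icons are constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # marker named in the quoted write-up; real samples may differ


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def png_end_offset(buf: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND."""
    if not buf.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length
        if end > len(buf):
            raise ValueError("truncated chunk")
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def inspect_png(buf: bytes) -> dict:
    """Report bytes that follow the image and whether the marker is in them."""
    end = png_end_offset(buf)
    trailing = buf[end:]
    return {
        "trailing_bytes": len(trailing),
        "marker_found": MARKER in trailing,
        "suspicious": len(trailing) > 0,  # a well-formed PNG ends at IEND
    }


# Constructed samples: a 1x1 grayscale PNG, clean and with appended text.
_ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_ICON = (PNG_SIG + chunk(b"IHDR", _ihdr)
              + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
TAMPERED_ICON = CLEAN_ICON + MARKER + b"/* constructed placeholder, not real code */"

if __name__ == "__main__":
    for name, data in (("clean", CLEAN_ICON), ("tampered", TAMPERED_ICON)):
        print(name, inspect_png(data))
```

This covers only the appended, marker-separated layout of the earlier variant; payloads that are decoded and decrypted out of the image data at runtime leave nothing after IEND for it to find.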
A group of researchers found 17 new infected extensions for Firefox. They have attractive names, such as “Ads Block Ultimate” and “Youtube Download.”
The focus of malicious actors on browser extensions is understandable. They have privileged access to the most intimate app we use on a daily basis, update automatically, and, with few exceptions, aren’t household names — I believe that extensions are searched for more by purpose than by name. Another problem is the market for buying and selling popular extensions, which change owners with no transparency.
A good way to mitigate damage is to limit yourself to extensions endorsed by browser stores. In Firefox, they have a "Recommended" seal. In Chrome, extensions reviewed by Google get a green “Featured” seal, according to the store's help section. In search results, you can filter them to display only featured extensions.