GhostPoster browser extension malware: what IAM teams should notice


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: GhostPoster shows how malicious browser extensions can hide payloads in PNG icons, delay activation for days, and persist across stores, with 17 related extensions and over 840,000 installs identified by LayerX Security and Koi Security. The case shows browser extensions are now an identity and control problem, not just an endpoint hygiene issue.

NHIMG editorial — based on content published by LayerX Security: Browser Extensions Gone Rogue, the Full Scope of the GhostPoster Campaign

By the numbers:

Questions worth separating out

Q: What breaks when malicious browser extensions are allowed in managed environments?

A: Malicious extensions can observe sessions, alter web content, inject code, and weaken browser-enforced security controls without needing a classic endpoint exploit.

Q: Why do browser extensions complicate identity and access management?

A: Browser extensions sit inside the human access path, so they can influence what users see, submit, and trust after authentication.

Q: How do security teams know if browser extension controls are actually working?

A: They should be able to answer three questions: which extensions are installed, which ones are allowed, and which ones show suspicious runtime behaviour.

Practitioner guidance

  • Inventory every browser extension in managed environments: build a live inventory of installed extensions across Chrome, Firefox, and Edge, including those installed outside policy controls.
  • Inspect extension assets for hidden payload containers: review packaged images, scripts, and background assets for steganography, obfuscation, and unexpected byte patterns.
  • Monitor browser behaviour after installation: use behaviour-based controls that watch for delayed first network contact, DOM manipulation, header tampering, and unexpected remote script retrieval.

What's in the full article

LayerX Security's full post covers the operational detail this post intentionally leaves for the source:

  • The per-extension IOC list with installs and store identifiers for each malicious package.
  • The background-script variant analysis, including how the image file is parsed and decoded at runtime.
  • The infrastructure overlap details across Firefox, Chrome, and Edge stores.
  • The TTP mapping for masquerading, code obfuscation, delay execution, and browser information discovery.

👉 Read LayerX Security's analysis of the GhostPoster browser extension campaign →

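As an added example, not code from the original post or from LayerX Security, the script below implements the second guidance bullet above (inspecting packaged images for hidden payload containers) and part of the first (pulling the manifest's permissions into the inventory). It walks an unpacked extension directory, parses every PNG chunk by chunk, and flags the places a payload is usually parked: bytes appended after the IEND chunk, non-standard chunk types, oversized ancillary chunks, and chunks whose CRC does not match their body. It also flags background scripts that fetch and decode one of the extension's own PNG files, since benign icons are displayed by the browser, never read by the extension's code. The directory layout, the sample extension, and the appended "payload" are constructed for the demo and are not artefacts from the GhostPoster campaign.

```python
"""Audit an unpacked browser extension for payloads stashed in PNG assets.

Added example, not from the original post or LayerX Security. Assumes the
extension is unpacked on disk (Chrome/Edge: <profile>/Extensions/<id>/<ver>/,
or a Firefox XPI extracted to a folder). Sample data below is constructed.
"""
import json
import os
import re
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",
                   b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
                   b"hIST", b"pHYs", b"sPLT", b"tIME"}
# Capabilities that let an extension tamper with headers, inject scripts or read sessions.
RISKY_PERMS = {"<all_urls>", "webRequest", "webRequestBlocking", "declarativeNetRequest",
               "declarativeNetRequestWithHostAccess", "scripting", "cookies", "tabs"}


def png_findings(data):
    """Walk the chunk list; report trailing bytes after IEND, non-standard chunk
    types, oversized ancillary chunks and CRC mismatches. Empty list == clean."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG despite .png extension"]
    findings, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            findings.append("truncated chunk %s" % name)
            return findings
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            findings.append("bad CRC on %s" % name)
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, length))
        elif ctype not in (b"IHDR", b"PLTE", b"IDAT", b"IEND") and length > 4096:
            findings.append("oversized ancillary chunk %s (%d bytes)" % (name, length))
        pos += 12 + length
        if ctype == b"IEND":
            if pos < len(data):  # a decoder stops here, so anything after is invisible to viewers
                findings.append("%d bytes after IEND" % (len(data) - pos))
            return findings
    findings.append("no IEND chunk")
    return findings


def audit_extension(ext_dir):
    """Return {name, risky_perms, assets: {relpath: findings}, scripts: [relpath]}."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    report = {"name": manifest.get("name"), "risky_perms": sorted(perms & RISKY_PERMS),
              "assets": {}, "scripts": []}
    for root, _, files in os.walk(ext_dir):
        for fname in files:
            path = os.path.join(root, fname)
            rel = os.path.relpath(path, ext_dir)
            with open(path, "rb") as fh:
                data = fh.read()
            if fname.lower().endswith(".png"):
                found = png_findings(data)
                if found:
                    report["assets"][rel] = found
            elif fname.lower().endswith(".js"):
                # Script that reads a bundled .png as bytes: classic image-stashed loader.
                text = data.decode("utf-8", "replace")
                if re.search(r"\.png", text) and re.search(
                        r"\b(fetch|XMLHttpRequest|atob|Uint8Array)\b", text):
                    report["scripts"].append(rel)
    return report


def _png(chunks):
    out = bytearray(PNG_SIG)
    for ctype, body in chunks:
        out += struct.pack(">I", len(body)) + ctype + body
        out += struct.pack(">I", zlib.crc32(ctype + body))
    return bytes(out)


def build_sample_extension():
    """Constructed unpacked extension: one clean 1x1 icon, one icon with bytes
    appended after IEND, and a background script that fetches and decodes it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    clean = _png([(b"IHDR", ihdr), (b"IDAT", idat), (b"IEND", b"")])
    stashed = clean + b"PAYLOAD:" + b"\x90" * 64          # constructed, not a real artefact
    ext = tempfile.mkdtemp(prefix="ext-audit-")
    os.makedirs(os.path.join(ext, "icons"))
    files = {
        "manifest.json": json.dumps({"name": "demo", "manifest_version": 3,
                                     "permissions": ["scripting", "storage"],
                                     "host_permissions": ["<all_urls>"],
                                     "background": {"service_worker": "bg.js"}}).encode(),
        "bg.js": b"fetch(chrome.runtime.getURL('icons/128.png')).then(r=>r.arrayBuffer())"
                 b".then(b=>new Uint8Array(b));",
        os.path.join("icons", "16.png"): clean,
        os.path.join("icons", "128.png"): stashed,
    }
    for rel, content in files.items():
        with open(os.path.join(ext, rel), "wb") as fh:
            fh.write(content)
    return ext


if __name__ == "__main__":
    print(json.dumps(audit_extension(build_sample_extension()), indent=2))
```

Point `audit_extension` at each `<id>/<version>` folder under a managed profile's `Extensions` directory to feed the inventory; the PNG walker is deliberately structural rather than signature-based, so it also catches payloads a store scanner would miss as long as they are not hidden inside legitimate IDAT pixel data, which needs a separate statistical check.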
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Browser extensions now belong in the identity security perimeter: GhostPoster shows that a browser add-on can sit directly in the human session, observe content, and alter the user’s interaction path without needing traditional endpoint compromise. That makes browser governance a control plane issue for IAM and security architecture, not a niche desktop-management concern. Practitioners should treat extension policy as part of identity enforcement, not merely software inventory.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a malicious extension persists after store removal?

A: Accountability sits with the organisation that permits the extension in the managed browser environment and with the control owners responsible for policy enforcement. A store takedown is not containment if installed copies remain active on endpoints. That is why enterprise browser governance, endpoint control, and IAM oversight need shared ownership.

👉 Read our full editorial: GhostPoster campaign shows browser extensions can hide malware



   
ReplyQuote
Share: