TL;DR: GhostPoster shows how malicious browser extensions can hide payloads in PNG icons, delay activation for days, and persist across stores, with 17 related extensions and over 840,000 installs identified by LayerX Security and Koi Security. The case shows browser extensions are now an identity and control problem, not just an endpoint hygiene issue.
NHIMG editorial — based on content published by LayerX Security: Browser Extensions Gone Rogue, the Full Scope of the GhostPoster Campaign
By the numbers:
- The campaign spans 17 confirmed malicious Firefox extensions, with infrastructure overlap across Chrome and Edge.
- One variant alone accounted for 3,822 installs.
Questions worth separating out
Q: What breaks when malicious browser extensions are allowed in managed environments?
A: Malicious extensions can observe sessions, alter web content, inject code, and weaken browser-enforced security controls without needing a classic endpoint exploit.
Q: Why do browser extensions complicate identity and access management?
A: Browser extensions sit inside the human access path, so they can influence what users see, submit, and trust after authentication.
Q: How do security teams know if browser extension controls are actually working?
A: They should be able to answer three questions: which extensions are installed, which ones are allowed, and which ones show suspicious runtime behaviour.
Practitioner guidance
- Inventory every browser extension in managed environments: build a live inventory of installed extensions across Chrome, Firefox, and Edge, including those installed outside policy controls.
- Inspect extension assets for hidden payload containers: review packaged images, scripts, and background assets for steganography, obfuscation, and unexpected byte patterns.
- Monitor browser behaviour after installation: use behaviour-based controls that watch for delayed first network contact, DOM manipulation, header tampering, and unexpected remote script retrieval.
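The first two guidance items above (inventory, then asset inspection) can be combined into one check that runs over an unpacked extension directory. The following is an added example written for this editorial; it is not code from LayerX Security, Koi Security, or NHIMG, and it does not claim to reproduce how GhostPoster encodes its payload. It reads `manifest.json` for the inventory record and then walks every PNG chunk by chunk, flagging the generic signs of a payload container: bytes after `IEND`, chunk types outside the PNG specification, oversized ancillary chunks, and CRC mismatches. The function names (`inspect_png`, `inventory_extension`, `make_sample_png`, `demo`) and the sample extension are assumptions constructed for the example.

```python
import json
import struct
import zlib
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def inspect_png(data: bytes, ancillary_limit: int = 4096) -> list:
    """Walk PNG chunks and return human-readable findings (empty list = clean)."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG (bad signature)"]
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            findings.append(f"truncated chunk {ctype.decode('latin-1')} at offset {pos}")
            return findings
        body = data[body_start:body_end]
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if stored_crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in chunk {ctype.decode('latin-1')} at offset {pos}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {ctype.decode('latin-1')} ({length} bytes) at offset {pos}")
        elif chr(ctype[0]).islower() and length > ancillary_limit:
            # Lowercase first letter marks an ancillary chunk; large ones are unusual in icons.
            findings.append(f"oversized ancillary chunk {ctype.decode('latin-1')} ({length} bytes)")
        pos = body_end + 4
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append("no IEND chunk")
    trailing = len(data) - pos
    if trailing > 0:
        findings.append(f"{trailing} bytes after IEND")
    return findings


def inventory_extension(ext_dir: Path) -> dict:
    """Build an inventory record from manifest.json and attach PNG findings."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    record = {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "permissions": manifest.get("permissions", []),
        "host_permissions": manifest.get("host_permissions", []),
        "png_findings": {},
    }
    for png in ext_dir.rglob("*.png"):
        findings = inspect_png(png.read_bytes())
        if findings:
            record["png_findings"][png.relative_to(ext_dir).as_posix()] = findings
    return record


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_sample_png(trailing: bytes = b"", extra_chunks=()) -> bytes:
    """Constructed 1x1 RGB PNG used as test input; optional extras simulate anomalies."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailing


def demo() -> dict:
    """Create a constructed sample extension in a temp dir and inventory it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "sample-ext"
        (ext / "icons").mkdir(parents=True)
        (ext / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": "Sample Extension", "version": "1.0",
            "permissions": ["storage", "tabs"], "host_permissions": ["<all_urls>"],
        }), encoding="utf-8")
        (ext / "icons" / "icon.png").write_bytes(make_sample_png(trailing=b"constructed-trailing-data"))
        (ext / "icons" / "clean.png").write_bytes(make_sample_png())
        return inventory_extension(ext)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `inventory_extension` at each unpacked extension directory under the browser profile (Chrome and Edge keep them under the profile's `Extensions` folder; Firefox stores them as XPI archives, which need unzipping first) and feed the records into whatever inventory store the team already uses. A non-empty `png_findings` entry is a triage signal, not a verdict: some legitimate tools ship PNGs with trailing metadata, so the follow-up is to confirm what the background script does with the file at runtime, which is the behavioural check the third guidance item calls for.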
What's in the full article
LayerX Security's full post covers the operational detail this post intentionally leaves for the source:
- The per-extension IOC list with installs and store identifiers for each malicious package.
- The background-script variant analysis, including how the image file is parsed and decoded at runtime.
- The infrastructure overlap details across Firefox, Chrome, and Edge stores.
- The TTP mapping for masquerading, code obfuscation, delayed execution, and browser information discovery.
👉 Read LayerX Security's analysis of the GhostPoster browser extension campaign →
GhostPoster browser extension malware: what IAM teams should notice?