If you’ve been using browser extensions to download YouTube videos or images from Pinterest, translate text in real time, check Amazon price histories, or even enhance colors, you might have some uninstalling to do.
Cybersecurity firm LayerX has uncovered 17 malicious browser extensions that were downloaded more than 840,000 times in total, with some remaining active in the wild for up to five years. Instances were recorded across Firefox, Google Chrome, and Microsoft Edge browsers.
Mozilla and Microsoft have removed all of the extensions from their official stores at the time of writing. However, if you’ve already installed one, you’ll need to uninstall it manually.
The most popular malicious extension, dubbed “Google Translate in Right Click,” was downloaded more than 500,000 times from app stores. Another, “Translate Selected Text with Google,” racked up almost 160,000 downloads.
The extensions were part of a malware campaign researchers named GhostPoster, identified by Koi Security last month. The browser-based malware used “steganography”—hidden links or code embedded inside images—to infiltrate users’ machines.
The extensions also relied on a technique known as delayed execution, meaning it could take weeks or even months before their malicious behavior was triggered. Once activated, the extensions were capable of stripping and injecting HTTP headers to weaken web security policies, hijacking affiliate traffic for monetization, and injecting scripts to enable click fraud and user tracking.
In addition, the extensions could perform automated CAPTCHA solving and inject additional malicious scripts, giving attackers extended control over infected browsers.
The extensions were named: Google Translate in Right Click, Translate Selected Text with Google, One Key Translate, Translate Selected Text with Right Click, Ads Block Ultimate, AdBlocker, Amazon Price History, Color Enhancer, Cool Cursor, Convert Everything, RSS Feed, and Floating Player – PiP Mode.
Others listed include: YouTube Download, Instagram Downloader, Save Image to Pinterest on Right Click, Full Page Screenshot, Page Screenshot Clipper, and Youtube Download.
Recommended by Our Editors
(Credit: LayerX Security )
But these aren’t the only extensions you need to worry about. Koi’s earlier investigation unveiled numerous other malicious browser extensions, including the popular Urban VPN Proxy, a Google Chrome extension with 8 million users that was secretly collecting data from conversations with AI tools like ChatGPT, Claude, and Gemini to sell to data brokers.
The illicit VPN used the same strategy of hiding code inside a PNG image before redirecting the user to a website primed to inject malware.
If one of the extensions above looks familiar, check out PCMag’s guide to removing browser extensions from most major browsers.
Get Our Best Stories!
Your Daily Dose of Our Top Tech News
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Experience
I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.
I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.
Read Full Bio
