What started as a single suspicious browser add-on has grown into a much larger cybersecurity concern that many users never saw coming. Last month, Koi Security published an analysis of a Firefox extension it named GhostPoster, describing a method of abuse that avoided the usual warning signs reviewers look for when scanning browser extensions.
GhostPoster’s modus operandi included hiding the payload inside a harmless looking PNG image file. That image was later decoded and executed, allowing the extension to bypass static analysis tools and manual reviews without raising suspicion.