Security researchers at Zen Security have uncovered a malicious campaign targeting Firefox users through extensions. Firefox, like its Chromium-based counterparts, supports browser extensions. These enable users to change the functionality of the browser or of the sites they visit.
Popular options include content blockers, video downloaders, or extensions that list coupons. Extensions uploaded to the Mozilla Store have to pass a series of tests designed to ensure that they are not malicious or problematic in other regards.
Only some extensions are reviewed manually by Mozilla, but that is still better than Google's "only automatic" handling of extension checks when they are uploaded to the official Store.
The malware campaign in question used extensions to "impersonate legitimate wallet tools" from platforms such as Coinbase, MetaMask, Trust Wallet, or MyMonera, according to Koi Security. Their main purpose was to steal wallet secrets, which put the user's assets at immediate risk.
Koi Security notes that the campaign is still ongoing and that some extensions are still available on the official Mozilla Firefox add-ons repository. The campaign itself has been active since at least April 2025, according to the researchers. They noticed new extension uploads "as recent as last week", suggesting that the "operation is still active, persistent, and evolving".
The extensions were distributed mainly through the official extensions store that Mozilla maintains.
The malicious extensions extract wallet credentials directly from the websites they target and send the data to a remote server.
The researchers note that the malware group leveraged common tactics to gain community trust. The fake extensions mimicked the branding of the legitimate wallet extensions and used review inflation to increase the number of positive reviews.
They shared a screenshot of one of the extensions. Listed with fewer than 100 users on the official Mozilla add-ons repository, it managed to obtain several thousand reviews, including more than 2,000 5-star reviews.
List of malicious Firefox extensions (according to Zen Security):
bitget-by-addon
bitget-by-addons
bitget-extension
btc-wallet
coinbasewallet
developer-trust
eth-for-edition
eth-wallet
ethereum-wallet
ethereum-wallet-crypto
fil-project
filfox
filfox-wallet
is-a-block-explorer
keplr-wallet
leap-wallet
metamask-addons
metamask-crypto-official
metamask-for-firefox
metamask-for-wallet
metamask-the-extension
metamaskext
mew-wallet-ethereum-defi-web3
mymonero-wallet
official-metamask
official-metamask-wallet
okx-add
okx-addons
okx-wallet-extension
okx-wallet-extension1
phantom-ext-off
phantom-wallet-extension
trust-app
trust-application
trust-bestwallet
trust-cryp
trust-developer
trust-extension-wallet
trust-for-mozilla
trust-wallet-mozilla-add
wallet-for-bitcoin
wallet-for-trusr-crypto-wallet
wallet-for-trust
wallet-metamask-crypto-wallet
Firefox users who have installed wallet extensions in the past should verify that they are legitimate and not malicious by comparing names.
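One way to do that comparison across a profile, as an added example that is not from the researchers or Mozilla: it reads the `extensions.json` file in a Firefox profile folder and flags installed extensions whose display name, or the file name in their download URL, normalizes to a name on the list above. The sample records and the helper names are constructed, and the idea that the download file name resembles the listing name is an assumption; a hit is a reason to check the extension by hand, and no hit does not prove a profile is clean.

```python
import json
import re
from urllib.parse import urlparse

# Names copied from the list in this article.
FLAGGED_SLUGS = frozenset("""
bitget-by-addon bitget-by-addons bitget-extension btc-wallet coinbasewallet
developer-trust eth-for-edition eth-wallet ethereum-wallet ethereum-wallet-crypto
fil-project filfox filfox-wallet is-a-block-explorer keplr-wallet leap-wallet
metamask-addons metamask-crypto-official metamask-for-firefox metamask-for-wallet
metamask-the-extension metamaskext mew-wallet-ethereum-defi-web3 mymonero-wallet
official-metamask official-metamask-wallet okx-add okx-addons okx-wallet-extension
okx-wallet-extension1 phantom-ext-off phantom-wallet-extension trust-app
trust-application trust-bestwallet trust-cryp trust-developer trust-extension-wallet
trust-for-mozilla trust-wallet-mozilla-add wallet-for-bitcoin
wallet-for-trusr-crypto-wallet wallet-for-trust wallet-metamask-crypto-wallet
""".split())

def _norm(text):
    """Lowercase and collapse every non-alphanumeric run into a single '-'."""
    return re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")

def flag_addons(extensions_json, slugs=FLAGGED_SLUGS):
    """Return (id, display name, matched list entry) for each suspicious extension."""
    hits = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        # Assumption: the download file looks like <name>-<version>.xpi,
        # so everything before the last '-' is compared as well.
        xpi = urlparse(addon.get("sourceURI") or "").path.rsplit("/", 1)[-1]
        candidates = {_norm(name), _norm(xpi.rsplit("-", 1)[0])}
        matched = candidates & set(slugs)
        if matched:
            hits.append((addon.get("id"), name, sorted(matched)[0]))
    return hits

# Constructed sample standing in for <profile folder>/extensions.json.
SAMPLE = json.dumps({"addons": [
    {"id": "constructed-1@example.invalid", "type": "extension",
     "defaultLocale": {"name": "MetaMask for Firefox"}, "sourceURI": None},
    {"id": "constructed-2@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Example Content Blocker"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/0/example_blocker-1.0.xpi"},
    {"id": "constructed-3@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Wallet"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/0/okx_wallet_extension-1.0.xpi"},
]})

if __name__ == "__main__":
    for hit in flag_addons(SAMPLE):
        print(hit)
```

To run it against a real profile, pass the text of the `extensions.json` file found in the profile folder that `about:support` shows.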
Closing Words
Extensions can be mighty useful, but they are also regularly used by cybercriminals for attacks. It is a regular occurrence, not only on the Mozilla Store but also on the Chrome Web Store. Extensions with the Recommended badge should be considered more secure than any other on the Mozilla Store. These extensions are reviewed manually and are thus less likely to be malicious.
Do you install browser extensions? How do you make sure that you do not install malicious extensions? Feel free to leave a comment down below.