Eight Dangerous Firefox Add-ons Found in Official Repository

Security researchers have discovered an extensive network of malicious Firefox extensions that used the names of tools and known games to trick users into downloading them.

It’s one thing to download a browser add-on from a shady corner of the Internet, and a completely different situation when you get it from an official website. It’s a common problem that rears its ugly head on other platforms. Google, for example, had similar issues in the past with distribution of malicious apps via its official store.

These malicious Firefox add-ons discovered by the Socket Threat Research Team are linked to a threat actor known as mre1903.

Fake gaming extensions leveraging popular titles

Security researchers have identified multiple add-ons that used names of popular games, including:

• Little Alchemy 2
• 1v1.LOL
• Krunker.io
• Five Nights at Freddy’s
• Bubble Spinner

The add-ons provided no gaming content and immediately triggered popups after installation, redirecting victims to gambling websites and fake Apple virus alert pages. Of course, the alerts typically display fabricated error codes to deceive users into providing personal or financial details to the attacker.

According to researchers, the ‘mre1903’ threat actor has been around since June 2018. It appears that it began to escalate its activities around December 2020.

The hooks are not restricted to just games

Additional malicious add-ons researchers identified have displayed even more severe privacy violations:

• GimmeGimme: It presents itself as a wishlist tool for online shopping sites in Europe. If installed, the extension secretly redirected users through affiliate links, generating profits for attackers.
• VPN Grab A Proxy Free: It’s marketed as a VPN designed for privacy protection, but this extension actually injects invisible tracking frames, with unique user identifiers, and reroutes traffic through attacker-owned proxies.
• CalSyncMaster: This add-on is disguised as a Google Calendar sync utility but is built to grant attackers persistent access to personal and organizational calendar data.

All of these add-ons use a combination of social engineering and technical sophistication, demonstrating just how advanced this type of threat has become.