Firefox Add-Ons Steal Data, Spy on Millions of Users

Security researchers have uncovered eight malicious Firefox extensions that steal OAuth tokens, passwords, and monitor user activity. The campaign, linked to the threat actor “mre1903,” uses fraudulent add-ons posing as popular games to deceive users. These Firefox add-ons steal data by redirecting users to scam websites or deploying hidden tracking tools.

The investigation began with the “Shell Shockers” extension and expanded to reveal a coordinated network targeting Firefox users. One of the most damaging tools, CalSyncMaster, mimics a calendar sync app but extracts OAuth tokens and accesses private Google Calendar data. Other extensions like VPN Grab A Proxy Free intercept web traffic, while GimmeGimme exploits European e-commerce platforms for affiliate fraud. These Firefox add-ons steal data by leveraging familiar branding and overreaching permissions.

Security teams advise users to audit extensions regularly and remove any suspicious ones. To learn more about this threat campaign, read the full report at:

8 New Malicious Firefox Extensions Steal OAuth Tokens, Passwords and Spy on Users