A malicious campaign dubbed 'GreedyBear' has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.

The campaign, discovered and documented by Koi Security, impersonates cryptocurrency wallet extensions from well-known platforms such as MetaMask, TronLink, and Rabby.

The extensions are initially uploaded in a benign form so that they are accepted by Firefox, and they then accumulate fake positive reviews.

At a later phase, the publishers strip out the original branding and replace it with new names and logos while also injecting malicious code to steal users' wallet credentials and IP addresses.
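A defender can look for this pattern by diffing successive versions of the same add-on for a branding change that ships together with code changes. The following is an added example, not code from Koi Security or Mozilla; the package layout (a dict of file path to bytes), the function names and the sample add-on names are assumptions constructed for illustration.

```python
import hashlib
import json

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_versions(old: dict, new: dict) -> dict:
    """Diff two unpacked versions of one add-on; each maps file path -> bytes."""
    om = json.loads(old["manifest.json"])
    nm = json.loads(new["manifest.json"])
    # Branding: display name, and content hashes of icons the manifest references.
    old_icons = {_sha256(old[p]) for p in om.get("icons", {}).values() if p in old}
    new_icons = {_sha256(new[p]) for p in nm.get("icons", {}).values() if p in new}
    # Code: any script or page that is new or whose bytes differ.
    code_changed = sorted(
        path for path, data in new.items()
        if path.endswith((".js", ".html"))
        and (path not in old or _sha256(old[path]) != _sha256(data))
    )
    findings = {
        "name_changed": om.get("name") != nm.get("name"),
        "icons_changed": old_icons != new_icons,
        "code_changed": code_changed,
        "permissions_added": sorted(
            set(nm.get("permissions", [])) - set(om.get("permissions", []))
        ),
    }
    # The pattern described above: a rebrand shipped together with code changes.
    findings["rebrand_with_code_change"] = bool(
        (findings["name_changed"] or findings["icons_changed"]) and code_changed
    )
    return findings

def _pkg(name, icon, popup_js, permissions):
    """Build a constructed in-memory package (sample data, not a real add-on)."""
    manifest = {"manifest_version": 2, "name": name, "version": "1.0",
                "icons": {"48": "icon.png"}, "permissions": permissions}
    return {"manifest.json": json.dumps(manifest).encode(),
            "icon.png": icon, "popup.js": popup_js}

V1 = _pkg("Handy Tab Tools", b"icon-bytes-A", b"// utility popup", ["storage"])
V2 = _pkg("Example Wallet", b"icon-bytes-B", b"// changed popup", ["storage", "tabs"])

if __name__ == "__main__":
    print(json.dumps(compare_versions(V1, V2), indent=2))
```

A rebrand alone or a code update alone is routine; the combination on one add-on ID is what merits manual review.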

The malicious code acts as a keylogger, capturing input from form fields or within displayed popups, which are
