Mozilla Warns Firefox Extension Developers of New Phishing Campaign Targeting AMO Accounts Tags: Mozilla, Firefox, Add-on
Mozilla has issued a stark warning to Firefox extension developers regarding a new phishing campaign targeting their accounts on the official AMO platform (addons.mozilla.org). This ecosystem encompasses over 60,000 extensions and more than half a million themes, serving tens of millions of users daily across the globe.
According to the advisory, cybercriminals have been distributing emails purporting to be from the AMO team, falsely claiming that the recipient’s developer account requires an urgent update to maintain access to development tools. In reality, these messages redirect victims to counterfeit websites designed to harvest login credentials. The phishing emails typically include phrasing such as, “Your Mozilla Add-ons account requires an update to continue using developer features,” aiming to provoke concern and prompt a click on the malicious link.
Mozilla strongly advises developers to verify the authenticity of all such communications. Legitimate messages should originate from domains like firefox.com, mozilla.org, mozilla.com, or their subdomains, and must pass standard authentication checks including SPF, DKIM, and DMARC. Developers are urged to refrain from clicking on links within suspicious emails and instead navigate to the AMO site directly via its official URL to verify any account-related information. Most crucially, they are reminded to enter login credentials only on genuine Mozilla or Firefox domains.
While the full extent of the phishing campaign remains undisclosed, Mozilla has confirmed that at least one developer has already fallen victim—underscoring the very real threat posed, even in the absence of comprehensive data on the number of compromised accounts or the attackers’ next moves. The organization has pledged to share additional details as they become available.
This incident unfolds against a critical backdrop: just last month, the Add-ons Operations team introduced a new security measure designed to automatically block malicious extensions masquerading as cryptocurrency wallets. According to Andreas Wagner, head of the team, hundreds of dangerous add-ons have been identified and removed over recent years. Some were explicitly designed to steal cryptocurrency, while others were more covert in their malicious intent.
In this context, the statistics are especially sobering. Last year alone, cybercriminals reportedly stole approximately $494 million in cryptocurrency through wallet-targeted attacks, affecting over 300,000 unique wallet addresses. These incidents underscore the devastating potential of even a single developer account breach—given the vast reach of browser extensions, such accounts become ideal vectors for propagating malicious code.
In summary, developers who publish extensions on Mozilla’s platform are once again in the crosshairs. In this case, phishing is not merely a personal security concern—it represents a possible conduit for compromising tens of millions of users worldwide.
