Mozilla Warns Extension Developers About Phishing Attacks

Date: 06/08/2025

Mozilla representatives are warning extension developers about an active phishing campaign aimed at compromising accounts on the official AMO platform (addons.mozilla.org).

Currently, AMO hosts over 60,000 extensions and more than 500,000 themes, which are used by tens of millions of people worldwide.

According to an official announcement from Mozilla, the phishers disguise their emails as messages from the AMO team and claim that the developer's account requires an urgent update to maintain access to development features.

“We are warning the developer community that we have detected a phishing campaign targeting AMO (addons.mozilla.org) accounts. Extension developers should exercise extreme caution when receiving emails purportedly sent on behalf of Mozilla or AMO,” representatives of the organization write.

As a rule, the fraudulent emails contain a variation of the text “To continue accessing development features, you need to update your Mozilla Add-ons account.”

To protect their accounts, developers are advised to always check the domain an email was sent from (firefox.com, mozilla.org, mozilla.com, or their subdomains), make sure the message has passed the standard authentication checks (SPF, DKIM, DMARC), and avoid clicking on suspicious links.

Additionally, Mozilla recommends accessing the organization’s websites directly rather than clicking on links from emails and entering login and password information only on official Mozilla or Firefox domains.
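The domain and SPF/DKIM/DMARC checks described above can be scripted against a saved message. The following is an added example, not code from Mozilla or from the original article; it assumes your receiving mail server records its verdicts in an Authentication-Results header under the authserv-id mx.example.net (a placeholder), and the two sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains named in the advisory; their subdomains are accepted too.
OFFICIAL = ("firefox.com", "mozilla.org", "mozilla.com")
# Assumption: the authserv-id your own receiving mail server stamps.
TRUSTED_AUTHSERV = "mx.example.net"

def is_official(domain):
    """True for an official domain or its subdomain, not a lookalike."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in OFFICIAL)

def auth_verdicts(msg):
    """spf/dkim/dmarc results taken only from the trusted server's header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a header stamped by any other host may be forged
        for method, result in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", rest, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def check_message(raw):
    """Return reasons to distrust the message; an empty list means it passed."""
    msg = message_from_string(raw)
    problems = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_official(domain):
        problems.append("From domain not official: " + domain)
    verdicts = auth_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            problems.append(method + "=" + verdicts.get(method, "missing"))
    return problems

# Constructed sample messages, not real campaign or Mozilla mail.
GENUINE = (
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
    "From: AMO <amo@mozilla.org>\nSubject: Review complete\n\nHello\n"
)
LOOKALIKE = (
    "Authentication-Results: mx.example.net; spf=pass; dkim=none; dmarc=fail\n"
    "Authentication-Results: attacker.invalid; spf=pass; dkim=pass; dmarc=pass\n"
    "From: AMO Team <amo@mozilla.org.account-update.example>\n"
    "Subject: Update your Mozilla Add-ons account\n\nHello\n"
)
```

The second sample shows two things a visual check can miss: a sender domain that merely starts with mozilla.org, and an extra Authentication-Results header that was not written by the receiving server and is therefore ignored.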

Although the scale of this phishing campaign, its ultimate goals, and the number of affected accounts have not been disclosed, at least one developer claims in the comments on the post to have fallen victim to such an attack.
