Mozilla warns of phishing attacks targeting add-on developers

Sergiu Gatlan

August 4, 2025
06:00 AM
0

Mozilla has warned browser extension developers of an active phishing campaign targeting accounts on its official AMO (addons.mozilla.org) repository.

Mozilla’s add-on platform hosts over 60,000 browser extensions and more than 500,000 themes used by tens of millions of users worldwide.

According to Mozilla’s advisory, these phishing emails are impersonating the AMO team and claim that the targeted developer accounts require updates to maintain access to development features.

https://imasdk.googleapis.com/js/core/bridge3.709.0_en.html#fid=goog_1531773922null

https://imasdk.googleapis.com/js/core/bridge3.709.0_en.html#fid=goog_1531773923null

https://imasdk.googleapis.com/js/core/bridge3.709.0_en.html#fid=goog_1531773924null

https://imasdk.googleapis.com/js/core/bridge3.709.0_en.html#fid=goog_1531773925null

“The developer community should be aware we’ve detected a phishing campaign targeting AMO (addons.mozilla.org) accounts. Add-on developers should exercise extreme caution and scrutiny when receiving emails claiming to be from Mozilla/AMO,” Mozilla cautioned on Friday.

“Phishing emails typically state some variation of the message’ Your Mozilla Add-ons account requires an update to continue accessing developer features.’”

SCROLL TO CONTINUE READING

To secure their accounts, developers are advised to always verify if emails they receive are sent from a Mozilla domain (firefox.com, mozilla.org, mozilla.com, or their subdomains), that they pass standard email authentication checks (including SPF, DKIM, and DMARC), and not to click on links embedded in suspicious emails.

Mozilla also urged developers to navigate directly to its websites rather than following email links, and only enter their login credentials on official Mozilla or Firefox domains.

Mozilla phishing email (Juraj)

While Mozilla has yet to disclose the scale of this phishing campaign, the end goal of the attacks, or whether any developer accounts had already been successfully compromised, at least one developer claims to have fallen victim.

Mozilla said it would provide updates if additional details about this campaign become available.

The warning comes after last month’s announcement that Mozilla’s Add-ons Operations team has launched a new security feature to help block malicious Firefox extensions designed to drain cryptocurrency wallets.

Andreas Wagner, the Add-ons Operations Manager who oversees the content security and review efforts for addons.mozilla.org (AMO), stated that Mozilla has identified and removed hundreds of extensions, including fraudulent cryptocurrency wallets, over the past few years.

While not all of these extensions were directly linked to malicious activities, cybercriminals stole $494 million worth of cryptocurrency last year through wallet-draining attacks affecting over 300,000 wallet addresses.