Created attachment 701617 [details]
MALICIOUS add-on, do not install
Just found the attached add-on in the wild on a relative's PC (Ubuntu, not that this matters).
Judging from the browser history it seems the add-on got to the system via a shady porn site with a "plugin is required to play this video" spoof.
It is a variant of bug 755443, etc.
I suggest immediately blocklisting the add-on in question, id email@example.com, and also putting the location of the remote script http://mio98.hk/j.php into the attack sites list! Don't omit the attack sites please, as at least bug 755443 uses the same URL.
Would it be possible to grab the update ping logs and grep for similar ids, seeing that there is at least one other add-on with a very similar id.
Created attachment 701618 [details]
De-minified, beautified loader js
Just in case somebody is wondering....
The add-on has been blocklisted: https://addons.mozilla.org/en-US/firefox/blocked/i246
As for adding the URL to the attack sites, I think all that is necessary is to submit it to Google. Is this correct?