In a recent security alert, Mozilla—the non-profit behind the Firefox browser—has warned extension developers about a targeted phishing campaign that’s actively aiming to compromise developer accounts on its official AMO platform (addons.mozilla.org). With over 60,000 browser extensions and half a million themes hosted on AMO, this platform is a critical component of the Firefox ecosystem.

The warning serves as a wake-up call for developers and users alike, underscoring the growing cybersecurity threats targeting the software supply chain.


What Happened?

A Sophisticated Phishing Attempt

Mozilla issued a public advisory on August 2, 2025, confirming that phishing emails have been detected impersonating the AMO (addons.mozilla.org) team. The emails falsely claim that the targeted account must be updated to retain access to developer features.

“Phishing emails typically state some variation of the message ‘Your Mozilla Add-ons account requires an update to continue accessing developer features,’” Mozilla cautioned.

These messages urge developers to click a link and enter their credentials on a page the attacker controls. With a harvested password, the attacker can sign in as the developer and then upload new malicious add-ons or push a trojanized update to an existing extension, which reaches every current user through the normal update channel.


Why It Matters

Millions of Users at Risk

Mozilla’s add-ons platform powers extensions for tens of millions of Firefox users worldwide. If attackers gain access to a developer’s account, they could:

  • Inject malware into popular extensions
  • Steal user data or browsing behavior
  • Deploy crypto-drainers: extensions that capture wallet seed phrases or credentials and empty cryptocurrency wallets
  • Undermine user trust in the Firefox ecosystem

Historical Context

This alert follows Mozilla’s recent security initiative to proactively block malicious Firefox extensions. Just last month, Andreas Wagner, Mozilla’s Add-ons Operations Manager, revealed that Mozilla had removed hundreds of extensions designed to drain cryptocurrency wallets or carry out fraudulent actions.


How the Phishing Scam Works

Spoofed Emails

Attackers send phishing emails that look legitimate and claim to come from Mozilla or AMO. They often contain:

  • Official-looking branding
  • Urgent language about account suspension or access revocation
  • Hyperlinks to phishing pages that mimic AMO’s login interface

Credential Harvesting

Once the developer enters their login details on the fake page, attackers gain unauthorized access to the developer’s AMO account, allowing them to:

  • Publish or update malicious code
  • Redirect users to harmful websites
  • Lock developers out of their own accounts


How Developers Can Protect Themselves

Mozilla has outlined several best practices for developers to stay protected:

1. Verify Email Authenticity

Always check that emails are:

  • Sent from an official Mozilla domain: @mozilla.org, @firefox.com, @mozilla.com, or a subdomain of one of these. Look at the actual address, not the display name, and beware of lookalike domains (a hypothetical mozilla-addons-support.com, say, or mozilla.org.example.net, which is a subdomain of example.net, not of mozilla.org).
  • Authenticated via SPF, DKIM, and DMARC. Your mail provider records these verdicts in the message’s Authentication-Results header (most webmail clients expose it under “show original” or similar). DMARC is the check that ties the result to the visible From: domain; an attacker’s own domain can pass SPF and DKIM by itself, so spf=pass alone proves nothing.

2. Avoid Clicking Suspicious Links

Instead of clicking embedded links:

  • Go directly to the Mozilla website (e.g., addons.mozilla.org)
  • Log in manually to verify if any action is actually required
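The following script applies those two checks to a raw message, plus the link check from step 2. It is an added example written for this article, not Mozilla’s code: it reads the From: domain and the Authentication-Results verdicts, and it pulls every http(s) link out of the body and flags any whose host is not mozilla.org, firefox.com, mozilla.com or a subdomain. Both messages in the block are constructed samples (the sender domain and link host in the phishing sample are made up for illustration), not real mail.

```python
"""Triage an email that claims to come from Mozilla or the AMO team.

Added example (not Mozilla's code). It applies the advisory's two checks
to a raw RFC 5322 message: the From: domain must be mozilla.org,
firefox.com, mozilla.com or a subdomain, and the receiving server's
Authentication-Results header must show SPF, DKIM and DMARC passing.
It also pulls every http(s) link out of the body and flags those whose
host is not an official Mozilla domain, so a lookalike login page is
caught before anyone clicks it. Both messages below are constructed
samples, not real phishing mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAINS = ("mozilla.org", "firefox.com", "mozilla.com")

# Constructed sample: lookalike sender domain, lookalike link, DMARC fails.
PHISH_SAMPLE = """\
From: "Mozilla Add-ons" <noreply@mozilla-addons-support.com>
To: dev@example.org
Subject: Action required: your Mozilla Add-ons account
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mozilla-addons-support.com; dkim=none; dmarc=fail header.from=mozilla-addons-support.com

Your Mozilla Add-ons account requires an update to continue accessing
developer features. Sign in here: https://addons.mozilla.org.account-verify.net/login
"""

# Constructed sample of what a genuine notification looks like.
LEGIT_SAMPLE = """\
From: "Mozilla Add-ons" <nobody@mozilla.org>
To: dev@example.org
Subject: Your add-on version was approved
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mozilla.org; dkim=pass header.d=mozilla.org; dmarc=pass header.from=mozilla.org

Your new version is now public: https://addons.mozilla.org/developers/
"""


def is_official_domain(host: str) -> bool:
    """True only for an official domain or a subdomain of one.

    The suffix test includes the dot on purpose: "notmozilla.org" and
    "mozilla.org.evil.net" are both attacker-controlled lookalikes.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % mech, header or "", re.IGNORECASE)
        verdicts[mech] = m.group(1).lower() if m else "missing"
    return verdicts


def extract_links(text: str) -> list:
    """Every http(s) URL in the text, stopping at whitespace or tag/quote characters."""
    return re.findall(r"https?://[^\s<>\"']+", text)


def check_email(raw: str) -> dict:
    """Return a triage verdict for one raw message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # Collect text from every text part (a single-part message yields itself).
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(parts)

    suspicious_links = [u for u in extract_links(body)
                        if not is_official_domain(urlparse(u).hostname)]
    from_official = is_official_domain(from_domain)
    # DMARC is the verdict that binds SPF/DKIM to the visible From: domain;
    # an attacker's own domain can pass SPF on its own, so it is not enough.
    return {
        "from_domain": from_domain,
        "from_official": from_official,
        "auth": auth,
        "suspicious_links": suspicious_links,
        "trusted": from_official and auth["dmarc"] == "pass" and not suspicious_links,
    }


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_email(sample))
```

Run against the phishing sample it reports a non-official sender domain, dmarc=fail and one suspicious link; against the genuine sample everything passes. The domain test deliberately requires the dot before the official suffix, which is what separates addons.mozilla.org from mozilla.org.example.net. Verdict names in Authentication-Results vary between providers (pass, fail, none, softfail, temperror), so anything other than pass should be treated as unverified, not merely as "not fail".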

3. Report Suspicious Activity

Forward phishing emails to Mozilla’s security team and report the incident via their official contact page or security form.

4. Enable Two-Factor Authentication (2FA)

Using 2FA adds an extra layer of protection, making it more difficult for attackers to access your account even if they obtain your password. AMO already requires 2FA on the Mozilla account of anyone who submits extensions, so for most developers the question is whether it is actually turned on and whether the recovery codes are stored safely. Keep in mind that a one-time code typed into a lookalike login page can be relayed to the real site within seconds, so 2FA reduces the damage from phishing but does not remove the need to check the URL before signing in.

5. Stay Updated

Follow Mozilla’s blog and subscribe to security advisories to remain informed about the latest threats and platform updates.


What If You’ve Been Compromised?

If you suspect your AMO account has been compromised:

  1. Immediately reset your password from the official site (addons.mozilla.org, typed by hand), and sign out other sessions if your account settings offer it.
  2. Enable 2FA, if not already active, and generate fresh recovery codes.
  3. Review each of your add-ons: compare the versions and file hashes AMO lists against your own release records, check the listed authors for accounts you did not add, and regenerate any AMO API credentials (the key and secret used by tools such as web-ext sign), since an attacker with account access could have created their own.
  4. Contact Mozilla to flag your account and prevent further misuse.
  5. Notify users if a previously published extension was impacted.
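The version review in step 3 is only as good as the record you kept at release time. The script below is an added example, not Mozilla’s tooling: it compares what AMO lists for an add-on with a developer-maintained ledger of shipped versions and XPI hashes, and reports anything unknown, tampered, missing, or uploaded after a given date. The JSON is a constructed sample shaped like the public AMO versions endpoint (GET https://addons.mozilla.org/api/v5/addons/addon/<slug>/versions/); the field names it relies on are an assumption to confirm against the live response before depending on it.

```python
"""Compare the versions AMO shows for your add-on with your own release ledger.

Added example, not Mozilla's code or tooling. After a suspected account
compromise the question is whether anything is live that you did not ship.
The JSON below is a constructed sample shaped like the public AMO versions
endpoint (GET https://addons.mozilla.org/api/v5/addons/addon/<slug>/versions/);
the field names used here ("results", "version", "file.hash", "file.created")
are an assumption to confirm against the live response. The ledger is yours:
every version you deliberately uploaded and the SHA-256 of that XPI.
"""
import hashlib
import json

# Constructed sample response: 2.3.2 was never shipped by the developer,
# and 2.3.1 is being served with a different hash from the uploaded file.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"version": "2.3.2", "file": {"hash": "sha256:cccc", "created": "2025-08-02T03:14:00Z"}},
        {"version": "2.3.1", "file": {"hash": "sha256:bbbb", "created": "2025-07-28T09:00:00Z"}},
        {"version": "2.3.0", "file": {"hash": "sha256:aaaa", "created": "2025-07-01T09:00:00Z"}},
    ]
})

# Ledger maintained by the developer at release time (constructed values).
LEDGER = {
    "2.2.0": "sha256:9999",   # shipped, but no longer listed by AMO at all
    "2.3.0": "sha256:aaaa",
    "2.3.1": "sha256:dddd",   # differs from what AMO is serving
}


def ledger_entry(xpi_bytes: bytes) -> str:
    """Hash an XPI in the same 'sha256:<hex>' form AMO reports, for the ledger."""
    return "sha256:" + hashlib.sha256(xpi_bytes).hexdigest()


def audit_versions(response_json: str, ledger: dict, since: str = None) -> dict:
    """Classify every listed version as ok, unknown (never shipped) or tampered.

    'missing' lists ledger versions AMO no longer returns; 'recent' lists
    versions whose file was created at or after the ISO-8601 'since' timestamp
    (string comparison is safe because all timestamps share the same format).
    """
    listed = json.loads(response_json)["results"]
    report = {"ok": [], "unknown": [], "tampered": [], "missing": [], "recent": []}
    for entry in listed:
        ver = entry["version"]
        file_info = entry.get("file", {})
        served_hash = file_info.get("hash", "")
        if ver not in ledger:
            report["unknown"].append(ver)
        elif ledger[ver] != served_hash:
            report["tampered"].append(ver)
        else:
            report["ok"].append(ver)
        if since and file_info.get("created", "") >= since:
            report["recent"].append(ver)
    report["missing"] = sorted(set(ledger) - {e["version"] for e in listed})
    return report


def needs_action(report: dict) -> bool:
    """Anything unknown, tampered or missing means the listing no longer matches what you shipped."""
    return bool(report["unknown"] or report["tampered"] or report["missing"])


if __name__ == "__main__":
    result = audit_versions(SAMPLE_RESPONSE, LEDGER, since="2025-08-01T00:00:00Z")
    print(json.dumps(result, indent=2))
    print("action required" if needs_action(result) else "all versions match the ledger")
```

On the sample data this flags 2.3.2 as unknown (and as uploaded after the cutoff), 2.3.1 as tampered, and 2.2.0 as missing. The useful habit is the ledger itself: record ledger_entry() of every XPI at the moment you upload it, somewhere the AMO account cannot reach, so that after an incident the comparison is against evidence you control rather than against memory.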


What Mozilla Is Doing

Mozilla has not yet disclosed:

  • The scale of the phishing campaign
  • Whether any developer accounts have been successfully compromised

However, Mozilla has confirmed it will provide future updates as more information becomes available.

In the meantime, Mozilla’s Add-ons Operations team continues to enhance platform security, especially after its success in eliminating hundreds of fraudulent extensions over recent years. The organization is also investing in tools that block malicious add-ons at the review stage—a crucial step in protecting end-users.


Final Thoughts: A Warning Worth Heeding

Phishing is not new—but this targeted campaign against Firefox add-on developers represents a growing trend of supply chain attacks. By compromising developers rather than the end-users, attackers gain a foothold that’s difficult to detect and devastating in impact.

Whether you’re an add-on developer, security professional, or privacy-conscious user, staying vigilant against phishing threats is critical.

In summary:

  • Don’t trust unsolicited emails claiming to be from Mozilla.
  • Avoid clicking links in suspicious messages—always navigate directly.
  • Implement security best practices, including 2FA and email verification.
  • Keep informed via official Mozilla channels and advisories.

As the digital landscape evolves, developer security = user safety. And it starts with awareness.