Saturday, March 14, 2026

Mozilla Warns of Targeted Phishing Campaign Against Add-on Developers

Mozilla has issued an urgent advisory to add-on developers, alerting them to a sophisticated phishing campaign aimed at compromising accounts on the Mozilla Add-ons (AMO) platform.

The security teams detected the malicious effort when several developers reported receiving deceptive emails that mimic official communication from Mozilla.

This article outlines the nature of the threat, steps to verify legitimate messages, and recommended actions to safeguard developer credentials.

On August 1, 2025, Mozilla’s Add-ons Community Blog announced that attackers are distributing emails misrepresenting themselves as urgent notices from “Mozilla Add-ons” or “AMO.”

The fraudulent messages typically claim that a developer’s AMO account “requires an update to continue accessing developer features.”

In reality, these emails contain links to malicious sites designed to harvest login credentials.

Once credentials are compromised, attackers could take control of developer profiles, modify or publish malicious extensions, or access private project data.

Mozilla’s investigation indicates that the phishing emails are crafted to appear authentic: they use Mozilla’s branding and refer to developer-specific terminology.

However, the messages originate from unauthorized domains and bypass standard safeguards by closely imitating legitimate notifications.

While the precise scale of the campaign remains under assessment, even a small number of compromised accounts could pose serious risks to the ecosystem, as malicious add-ons can distribute malware or compromise user privacy at scale.

Verifying Authenticity of AMO Emails

To combat the phishing efforts, Mozilla recommends that all add-on developers adopt rigorous verification procedures before interacting with any email claiming to originate from AMO. Key checks include:

  • Domain validation: Confirm that the sender’s email address uses only Mozilla-owned domains (mozilla.org, mozilla.com, firefox.com) or their subdomains. Any deviation is an immediate red flag.
  • Email authentication: Ensure that each message passes standard email authentication protocols—SPF, DKIM, and DMARC. Developers can consult their email provider’s or client’s documentation to view authentication results.
  • Link inspection: Hover over any embedded links to verify they resolve to official Mozilla domains. Links pointing elsewhere should never be clicked; instead, navigate directly to addons.mozilla.org via a known bookmark or manual entry.
  • Credential entry: Under no circumstances should credentials be submitted on any site other than mozilla.org or firefox.com. If in doubt, access the AMO developer portal directly rather than following email links.

These precautions help distinguish legitimate service announcements from malicious imitations, reducing the likelihood of credential compromise.
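
The domain, authentication and link checks listed above can be scripted to triage a reported message. The following Python code is an added example, not code from Mozilla or from the original article; the sample message, its .example domains and the function names are constructed for illustration, and it assumes the Authentication-Results header was stamped by the reader's own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the advisory names as Mozilla-owned.
MOZILLA_DOMAINS = ("mozilla.org", "mozilla.com", "firefox.com")

def is_mozilla_host(host):
    """True for a listed domain or a real subdomain (match on a label boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MOZILLA_DOMAINS)

def auth_results(msg):
    """Read spf/dkim/dmarc verdicts from Authentication-Results.
    Only trust this header when your own receiving server added it."""
    header = " ".join(msg.get_all("Authentication-Results") or []).lower()
    found = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    return {m: found.get(m, "missing") for m in ("spf", "dkim", "dmarc")}

def check_message(raw):
    """Return a list of findings; an empty list means every check passed."""
    msg = message_from_string(raw)
    findings = []
    # parseaddr ignores the display name, which a sender can set freely.
    sender = parseaddr(msg.get("From", ""))[1]
    if not is_mozilla_host(sender.rpartition("@")[2]):
        findings.append(f"sender domain not Mozilla-owned: {sender}")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    # Unencoded text parts only; encoded parts would need decoding first.
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname
        if not is_mozilla_host(host):
            findings.append(f"link leaves Mozilla domains: {host}")
    return findings

# Constructed sample, not a real campaign message; .example is a reserved TLD.
PHISH = (
    'From: "Mozilla Add-ons" <support@mozilla-addons.example>\n'
    "Authentication-Results: mx.recipient.example; spf=softfail; dkim=none; dmarc=fail\n"
    "Subject: Your AMO account requires an update\n\n"
    "Update now: https://addons.mozilla.org.account-update.example/login\n"
)

if __name__ == "__main__":
    print("\n".join(check_message(PHISH)))
```

The link check compares the parsed hostname, so a URL that merely begins with "addons.mozilla.org" but ends in another domain is flagged.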

Reporting and Further Guidance

Mozilla is coordinating with cybersecurity organizations to monitor the phishing campaign and update defensive measures as attackers adapt their tactics.

Developers who receive suspicious emails are urged to report them to Mozilla’s security team and to delete the messages.

Detailed guidance on identifying and reporting phishing scams is available from the U.S. Federal Trade Commission and the U.K. National Cyber Security Centre, which provide general best practices for email security and incident reporting.

Although Mozilla has not yet released information on the full extent of the breach or the actors involved, the company pledges to share updates as the situation evolves.

In the meantime, add-on developers should remain vigilant, follow the outlined verification steps, and maintain up-to-date passwords and two-factor authentication where available.

By exercising caution and adhering to email security protocols, the developer community can thwart phishing attempts and protect the integrity of the Mozilla Add-ons ecosystem.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
