What is the Mozilla AMO phishing campaign targeting Firefox extension developers?

Mozilla has issued a warning about an active phishing campaign targeting Firefox extension developers with accounts on the official AMO (addons.mozilla.org) repository. Attackers are impersonating the AMO team via fraudulent emails designed to steal developer credentials and compromise trusted accounts.

Who is being targeted in this Mozilla phishing campaign?

The primary targets are Firefox extension developers who have accounts on Mozilla's official AMO (addons.mozilla.org) repository. The campaign specifically aims to compromise developer accounts that have access to publish and manage browser extensions on Mozilla's trusted platform.

How do the Mozilla phishing emails work?

The phishing emails impersonate the AMO team and create urgency with messages like 'Your Mozilla Add-ons account requires an update to continue accessing developer features.' The attackers use domains that closely mimic legitimate Mozilla domains, such as using 'mozila' instead of 'mozilla', and the login form links lead to fake sites that proxy requests to the real addons.mozilla.org.

What are the attackers trying to steal in this Mozilla phishing campaign?

The primary targets of this campaign are Mozilla/AMO developer account credentials and authentication tokens and session data. The attackers are specifically seeking login information that would give them access to legitimate developer accounts on the Mozilla Add-ons platform.

What is the ultimate goal of these attacks on Mozilla developers?

The ultimate goal appears to be gaining control over legitimate developer accounts to distribute malicious extensions through Mozilla's trusted platform. By compromising trusted developer accounts, attackers can bypass normal security checks and distribute malware to Firefox users through the official add-ons repository.

How can developers identify these Mozilla phishing emails?

Developers should look for suspicious domain names that mimic Mozilla domains (like 'mozila' instead of 'mozilla'), urgent messages about account updates, and links that don't point to legitimate Mozilla domains. The emails often create false urgency about needing to update account information to continue accessing developer features.

How many developers have been affected by this Mozilla phishing campaign?

Mozilla has not disclosed the total number of affected individuals or the full scope of the campaign. However, at least one developer has been confirmed to have fallen victim to the phishing scam, indicating that the campaign has had some success.

How can Mozilla Firefox extension developers protect themselves from this phishing campaign?

Mozilla strongly recommends that developers do not click any links in suspicious emails, verify that emails were sent by Mozilla-owned domains (firefox.com, mozilla.org, mozilla.com, or their subdomains), validate that links point to legitimate Mozilla domains before opening them, or preferably navigate directly to mozilla.org or firefox.com rather than following email links.

Attack

Mozilla warns of active phishing campaign targeting Firefox Add-on developers

published: Aug. 4, 2025

Take action: If you're a Firefox extension developer, be aware that you are targeted. Don't click links in emails claiming to be from Mozilla about account updates - these are phishing attempts using fake domains like "mozila" instead of "mozilla". Always navigate directly to addons.mozilla.org or mozilla.org instead of following email links.

Learn More

Mozilla has issued a warning about an active phishing campaign targeting Firefox extension developers with accounts on its official AMO (addons.mozilla.org) repository.

The attackers are impersonating the AMO team via fraudulent emails designed to steal developer credentials and compromise trusted accounts. The phishing emails imply urgency through some variation of the message "Your Mozilla Add-ons account requires an update to continue accessing developer features."

The attackers have been observed using domains that closely mimic legitimate Mozilla domains like the use of the string "mozila" in the domain instead of "mozilla".

The login form links in the email lead to a fake site that will proxy requests to the main catalog addons.mozilla.org.

Mozilla has not disclosed the total number of affected individuals or the full scope of the campaign, at least one developer has confirmed falling victim to the phishing scam.

The primary target of this campaign appears to be:

Mozilla/AMO developer account credentials
Authentication tokens and session data

The ultimate goal of these attacks appears to be gaining control over legitimate developer accounts to distribute malicious extensions through Mozilla's trusted platform.

Mozilla strongly recommends that developers do not click any links in suspicious emails, verify that emails were sent by Mozilla-owned domains (firefox.com, mozilla.org, mozilla.com, or their subdomains). Developers should validate that links point to legitimate Mozilla domains before opening them, or preferably navigate directly to mozilla.org or firefox.com rather than following email links.

Mozilla warns of active phishing campaign targeting Firefox Add-on developers

Read More
Critical vulnerability in Post SMTP WordPress Plugin actively …
CISA warns of actively exploited flaws in Dassault …
Sophos warns of Akira and Fog ransomware gangs …
Oracle patches actively exploited flaw in Agile PLM
Campaign dubbed ShadowRay 2.0 exploits unpatched Ray AI …