Mozilla has issued an urgent security alert to its developer community after identifying a sophisticated phishing campaign aimed at compromising AMO (addons.mozilla.org) accounts.
On August 1, 2025, Scott DeVaney from Mozilla’s security team reported that cybercriminals are targeting developers with deceptive emails, falsely claiming that account updates are necessary to retain access to developer features.
Targets Mozilla Add-on Developers
The phishing campaign sends highly convincing emails that appear to be official Mozilla communications, often featuring messages like “Your Mozilla Add-ons account requires an update to continue accessing developer features.”
These sophisticated phishing attempts prey on developers’ concerns about maintaining their publishing privileges on the AMO platform, which is the primary distribution channel for Firefox extensions and add-ons.
Security researchers have identified key indicators that can help developers differentiate legitimate emails from fraudulent ones.
Genuine Mozilla emails are sent exclusively from verified domains like firefox.com, mozilla.org, mozilla.com, and their respective subdomains. Additionally, legitimate emails will always pass critical email authentication checks, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
However, some phishing emails have been found to contain obvious technical mistakes, such as misspelled domain names like “mozila” instead of “mozilla.” These errors should raise immediate suspicion among recipients.
Despite these flaws, the phishing campaign has already led to at least one compromised developer account. One victim reported that they initially fell for the scam but quickly realized the deception and removed their extension.
Mozilla Recommendations
Mozilla’s security advisory emphasizes a multi-layered approach to safeguarding developer accounts, urging developers to adopt strict verification procedures when dealing with suspicious communications.
The company strongly advises developers not to click any embedded links in emails claiming to be from Mozilla. Instead, they recommend directly navigating to trusted domains like mozilla.org or firefox.com.
Key security practices include confirming that any links within emails lead exclusively to verified Mozilla domains and ensuring that Mozilla credentials are only entered on official websites (mozilla.org or firefox.com).
Additionally, Mozilla has directed developers to resources from the U.S. Federal Trade Commission and the U.K. National Cyber Security Centre for further guidance on identifying and reporting phishing scams.
This incident underscores the growing risks that WebExtensions developers, as well as the wider Mozilla ecosystem, face. Cybercriminals are increasingly targeting developer accounts to distribute malicious code through trusted extension platforms, potentially compromising user safety.
Leave A Comment