Monday, August 4, 2025

Mozilla Warns of Phishing Attacks Targeting Add-on Developer Accounts


Mozilla has issued an urgent security alert to its developer community following the detection of a sophisticated phishing campaign specifically targeting AMO (addons.mozilla.org) accounts.

The company’s security team, led by Scott DeVaney, reported on August 1, 2025, that cybercriminals are actively attempting to compromise developer credentials through deceptive emails claiming account updates are required to maintain access to developer features.

Key Takeaways
1. Mozilla detected phishing emails targeting add-on developers.
2. Fake emails use wrong domains (like "mozila") and fail SPF/DKIM/DMARC checks.
3. Only enter credentials on mozilla.org/firefox.com.

Targets Mozilla Add-on Developers 

The malicious campaign utilizes carefully crafted emails that masquerade as official Mozilla communications, typically containing variations of the message “Your Mozilla Add-ons account requires an update to continue accessing developer features”. 



These sophisticated phishing attempts exploit developers’ concerns about maintaining access to their publishing privileges on the AMO platform, which serves as the primary distribution channel for Firefox extensions and add-ons.

Security researchers have identified several technical indicators that can help developers distinguish legitimate communications from fraudulent ones. 

Authentic Mozilla emails exclusively originate from verified domains, including firefox.com, mozilla.org, mozilla.com, and their respective subdomains. 

Furthermore, legitimate emails pass essential email authentication protocols, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks.

Evidence from affected developers reveals that some phishing emails contain obvious technical flaws, including misspelled domain names such as “mozila” instead of “mozilla,” which should serve as immediate red flags for recipients. 

Despite these apparent errors, the campaign has successfully compromised at least one developer account, with one victim reporting they “fell for the phishing scam” before quickly realizing the deception and deleting their extension.

Mozilla Recommendations

Mozilla’s security advisory emphasizes a multi-layered approach to protection, urging developers to implement strict verification procedures when handling suspicious communications. 

The company recommends that developers never click embedded links in emails claiming to be from Mozilla, instead advocating for direct navigation to mozilla.org or firefox.com domains.

Critical security protocols include validating that any links within emails point exclusively to verified Mozilla domains before interaction, and ensuring that Mozilla credentials are only entered on official mozilla.org or firefox.com websites. 
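
As an added illustration (not code from Mozilla or from the original article), the indicators described above can be scripted to triage a raw message: the sender domain against the listed Mozilla domains, the SPF/DKIM/DMARC verdicts, and the host of every link. The sample messages, the `.example` domains and the function names are constructed for this example, and it assumes the receiving mail server writes a trustworthy `Authentication-Results` header.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the article lists as legitimate senders (subdomains included).
TRUSTED = ("firefox.com", "mozilla.org", "mozilla.com")

def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Return a list of findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if not is_trusted(domain):
        findings.append(f"from-domain:{domain}")
    # Assumption: the receiving server is trusted and records its verdicts in
    # Authentication-Results (RFC 8601); a missing verdict counts as a failure.
    results = " ".join(map(str, msg.get_all("Authentication-Results", []))).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if not re.search(rf"\b{mech}=pass\b", results):
            findings.append(f"auth:{mech}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in re.findall(r"""https?://[^\s"'<>]+""", text):
        host = urlsplit(url).hostname
        if not is_trusted(host):
            findings.append(f"link:{host}")
    return findings

# Constructed sample messages (not real campaign mail; .example is reserved).
PHISH = """\
From: Mozilla Add-ons <accounts@mozila-addons.example>
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail
Content-Type: text/plain

Update your account: https://login.mozila-addons.example/update
"""
LEGIT = """\
From: Mozilla <noreply@mozilla.org>
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Developer Hub: https://addons.mozilla.org/
"""
```

The suffix match requires a leading dot, so lookalikes such as `mozilla.org.evil.example` are not treated as Mozilla subdomains.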

The company has also directed developers to additional resources from the U.S. Federal Trade Commission and the U.K. National Cyber Security Centre for comprehensive guidance on detecting and reporting phishing scams.

This incident highlights the growing threat landscape facing WebExtensions developers and the broader Mozilla ecosystem, as cybercriminals increasingly target developer accounts, potentially to distribute malicious code through trusted extension platforms.


Tarun Chhetri