Firefox Extensions Open-Source Supply chain issues - a simple solution?

the-moog — Wed, 27 May 2026 12:27:33 GMT

Maybe others have noticed too?

There is a flurry of copy cat extensions appearing. Malicious or not, I've no idea. But it does nothing for the end user and worse damages the reputation of the original author.

I suggested a simple solution in a discussion on GitHub when reporting such a copycat to the true author. There were some interesting thoughts.

If a project is of a permissive license there is nothing the original author can do, despite it possibly damaging their reputation or having them try to fix bugs in code they did not even write.
Mozilla will be dealing with the repercussions of their marketplace being flooded with possibly damaging extensions.
The original author gets nothing for their efforts, but do it for the love of code, why should they need to deal with people stealing their ideas and efforts.

When looking for one type of extension I recently found almost two dozen that were 'the same', possibly. Deliberate? Just for self learning? Malicious? Some were even asking for a fee to 'unlock features' despite them being clearly stolen code. I started to notice a pattern.

The project name changes, a bit.. The description or text is either a 1:1 copy or absent. It has few installs often the same graphics. The actual app is identical, or at most new skin. It's often then broken. The most important omission is any link to the original author, or if there is a link (and if you follow enough) you get to some anonymous persons blog or LinkedIn who has nothing to do with the project at all.

The solution, a small change to permissive licences and the use of PGP code signatures on releases. If the install in Firefox has no signature and no links to the codebase then limit the APIs it can use.

topic Firefox Extensions Open-Source Supply chain issues - a simple solution? in Discussions

Firefox Extensions Open-Source Supply chain issues - a simple solution?