Graham Cluley at Sophos.com has provided a great article at his blog about BAD Add-Ons for Firefox. The most recent is nasty spyware, another is infected with a spyware Trojan horse, and the last has a potentially dangerous security hole that could lead to PWNing your machine:
Mozilla pulls password-sniffing Firefox add-on
All of these Firefox Add-Ons have been blocked from distribution by Mozilla. But if you happen to have them lying around or have installed them: Kill them.
Mozilla Sniffer: It has been available since June 6, 2010. It spies on Internet passwords you enter in Firefox and sends them to nefarious fiends.
Master Filer: The infected version has been available since earlier in 2010. It is infected with the LdPinch Trojan horse, which also steals your Internet passwords and sends them to nefarious fiends.
CoolPreviews: Versions 1.0 through 3.0.1 have a demonstrated security vulnerability that could allow malicious code to be run on your computer. (Sounds like a typical buffer overflow problem.) Proof-of-concept code has been created that demonstrates how to perform the hack. Therefore, it is critical to update to the latest version of CoolPreviews.
There have been other BAD Add-Ons as well, all of which Mozilla have blocked from distribution.
As a side note:
This same sort of problem has been plaguing the Android community whereby anyone can post anything as an application, including crapware and malware. As with Mozilla, Google have no formal system for approving or filtering bad software apart from reports from users. Therefore, it is likely that a number of people are going to be victims of BAD software before it is removed from distribution.
To be honest, this lack of a formal software scrutiny system is what we are all used to in the general computer community. The best workarounds have been the use of websites like MacUpdate, VersionTracker, TuCows, MajorGeeks, etc., where either the site managers or other users have tried and rated the software.
For better or worse, Apple now use a formal scrutiny system at their App Store for the iPhone, iPod Touch and iPad. If you download a CrapApp onto your iOS device, you can point fingers at Apple for messing up. Microsoft have had a copycat scrutiny system for their Zune thing app store and plan the same thing for their Windows Phone 7ista OS thingies. Meanwhile, for all other devices, it is that mean old adage: Caveat emptor, IOW Downloader Beware.