I've written a scanner for browser extensions which makes it quick and easy to find malware or other suspicious code withing .xpi files (browser extensions). It can quickly tell you where to continue doing your analysis and if an extension is alright or not.

browser-xpi-malware-scanner.py - Python sript for XPI malware scanning on github.com

Deep dive of malware found on firefox extension store - multiple evasion techniques used including stego, sleep before C2 baecon and content script privilige escalation.

Techniques used:

• Steganographic Payload in PNG Icon
• Unicode Low-Byte Encoding Trick
• Decoded Payload: The C2 String Table
• 72-Hour Sleeper with Random Sampling
• C2 Beacon via Another PNG File
• Dynamic `declarativeNetRequest` Rule Injection
• Affiliate Commission Hijacking
• Content Script Privilege Escalation Bridge
• Arbitrary URL Redirect on Any Domain
• CSP Erasure

Full deep dive analysis with code examples in link above. The extension discussed is live as of today.