ernos 8 hours ago

This is a deep-dive analysis of how to use browser-xpi-malware-scanner.py (https://github.com/ernos/browser-xpi-malware-scanner) to find live malware on the Firefox extension store (or other browsers). I installed ~10 random extensions with low user counts and found this pretty much right away using the scanner I've coded in Python. Steganography seems to be the method of choice for threat actors wanting to write malware for browsers and bypass the publication verification techniques.