"In terms of implementation, the most interesting one is “Іron Wаllеt” (the I, a, and e are Cyrillic). Three seconds after install, it fetches the phishing page’s URL from the first record of a NocoDB spreadsheet and opens it [...] The API key had write access, so I wiped the spreadsheet."

The extension is actually still up: hxxps://addons[.]mozilla[.]org/en-US/firefox/addon/%D1%96ron-w%D0%B0ll%D0%B5t/