The Mozilla Add-Ons team has recently post an advisory and update confirming that at least one reported Add-On contains a valid instance of a trojan.
According to the original Mozilla advisory users had reported that version 4.0 of Sothink Web Video Downloader is infected with password sniffer Win32.LdPinch.gen and Master Filer was infected with the backdoor trojan Win32.Bifrose. Working with McAfee and other source Mozilla has since updated the details to confirm that only Master Filer is infected and all version of Sothink we simply issuing false positives.
Despite the fact that only a single experimental add-on was infected this new threat shows the potential of a mass outbreak.Several years ago a similar issue arose when the Xorer Worm was shipped with the Vietnamese Add-On package. In that case the malware was fairly benign only displaying advertising, but it could, according to Mozilla developers, also have been used for more nefarious activities.
One way or the other this latest issue should raise some alarms. Users should always be aware of were, who and how they are getting their add-ons. Don't install something from a trusted site just because you think its safe. Always double check your source and scan anything you or downloading. Don't rely on a the safety of a known site when it comes to third party add-ons.