arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/
The news focuses on Chrome, but I've read of Firefox being effected too, the idea being if you already use a plug-in or extension you won't worry overmuch when it updates, though you should because now it might contain malware. Google's started blocking a couple after lots of complaints, but all those people complaining had to get hit by the non-legit updates 1st.