For the past 24h we have been under attack by bots, which have been publishing duplicates of addons to the community catalog. During our investigation we found hundreds of duplicate addons that shouldn’t have been registered to the addon catalog.
This event did not affect the stability of the service at all. The only issue (from a user perspective) would have been seeing many duplicate addons in the community addons list in the apps. Installing one of the duplicate addons did not pose any risk to users; the apps would have just installed the original addon in this case.
With that said, we take security matters (such as this) very seriously. Today we implemented spam detection and protection for the addon publishing endpoint, as well as a 24h rate limit on publishing addons (you can only publish one new addon per day to the community addons catalog).
The duplicate addons have been detected and removed. This change should already be visible to the majority of users, but due to caching it could still take up to 24h to propagate to all users.
We will continue to monitor the situation and further improve the security of the addon publishing endpoint to ensure protection against abuse.