It didn't install a rootkit. I believe the term for what they did is 'beaconing' (though you could also call it a proxy bypass attack, or a side channel attack, but I suggest not calling it a side channel attack in front of any cryptographers). Essentially, they hacked you, phoned home immediately with your MAC address, also getting them your IP address, and that was that. Nothing persistent was installed. There was a cookie set, but it expired after half an hour.

The attack only worked against Windows. If your OS is not Windows, you are fine. The attack only worked against version 17.0.6 of Firefox and prior; if you had an up-to-date Firefox, you are fine. It had been patched a month prior to them using it. The attack requires JavaScript to be enabled; if you had JavaScript disabled, you are fine.

The attack can only phone home an IP address if you didn't isolate Firefox from your external IP address. If you used Whonix or Qubes with a TorVM you are fine, and you are also fine if you isolated Firefox yourself. If you used Whonix or isolated yourself, they cannot even phone home a real MAC address. They can only phone home a real IP address if Firefox isn't isolated from the network; if Firefox can only talk to Tor because of firewall rules, you are fine. This means that even if the attack had been targeted against Linux users and they had infected you on Tails, they could only phone home a MAC address and not an IP address, because the Tails browser is network (but not process) isolated.

So you were not compromised at all if you meet any of the following criteria:

A. You don't use Windows
B. You had updated your browser roughly within the past month
C. You did not have JavaScript enabled
D. You used Whonix, or isolated yourself with an HVM, or isolated with a TorVM

If you meet none of the previous criteria but still meet the following criterion, they did not get your IP address but did get your username and MAC:

E. You had Firefox network isolated with a firewall

The feds could try that, but I don't know that they will be allowed to hack random people reading news articles. I guess they could make a fake news site and direct SR people to it in order to pwn them. It is totally possible. No other sites are known to be carrying the same payload or exploiting the same vulnerability.

I doubt they infected many machines. They only infected people who not only took absolutely no additional security measures versus using vanilla TBB, but who were on Windows and who had a TBB that was more than a month out of date. They got only the very lowest-hanging fruit, and it is actually debatable if they even got a single person. This entire attack has been analyzed to hell and back by probably a hundred different professional-level security researchers and hackers.

It cannot do any of that. It is none of those things; it crashes itself immediately after phoning home, and the only thing left is a cookie that expires half an hour later. The exploit technically is cross-platform, but the delivered payload is for Windows only.

NP, glad to help.
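The firewall isolation the post refers to in criterion E (Firefox can only talk to Tor, so a beacon running inside the browser cannot phone home your real IP directly), written out as an added example. This is not code from the post, from the Tor Browser Bundle, Tails, Whonix or Qubes; it is a generic Linux iptables approach. It assumes the browser runs as a dedicated Unix user (BROWSER_USER, default torbrowser), that Tor's SOCKS listener is on 127.0.0.1:9050, and that the chain name TORUSER_OUT is unused; all three are assumptions. As the post says about criterion E, this only covers the IP address: the MAC of a local interface is still readable by the payload without any network access.

```sh
#!/bin/sh
# Added example, not from the original post. Generates iptables/ip6tables
# rules that confine one Unix user (the account the browser runs as) so the
# only egress that user has is the local Tor SOCKS port. A payload running in
# that browser can then reach the network only through Tor, so a direct
# phone-home to the attacker's server is dropped instead of leaking the real
# IP. The MAC address is not protected by this: it is readable locally.
#
# Assumptions (hypothetical, not from the post): the browser user is
# $BROWSER_USER, Tor's SOCKS listener is 127.0.0.1:$TOR_SOCKS_PORT, and the
# chain name TORUSER_OUT is free.

BROWSER_USER=${BROWSER_USER:-torbrowser}
TOR_SOCKS_PORT=${TOR_SOCKS_PORT:-9050}

# Print the rules as shell commands; pipe them to sh as root to apply.
# The catch-all DROP also kills DNS (UDP/TCP 53), ICMP and any IPv6 traffic
# from that user, which is intended: names must be resolved through the SOCKS
# proxy (socks5h / remote DNS), never directly by the browser.
tor_isolation_rules() {
    user=$1
    port=$2
    cat <<EOF
# IPv4: everything the browser user sends is diverted to TORUSER_OUT first
iptables -N TORUSER_OUT 2>/dev/null || iptables -F TORUSER_OUT
iptables -C OUTPUT -m owner --uid-owner $user -j TORUSER_OUT 2>/dev/null || iptables -I OUTPUT 1 -m owner --uid-owner $user -j TORUSER_OUT
iptables -A TORUSER_OUT -o lo -p tcp -d 127.0.0.1 --dport $port -j ACCEPT
iptables -A TORUSER_OUT -j DROP
# IPv6: no egress at all for that user (Tor's SOCKS port is on IPv4 loopback)
ip6tables -N TORUSER_OUT 2>/dev/null || ip6tables -F TORUSER_OUT
ip6tables -C OUTPUT -m owner --uid-owner $user -j TORUSER_OUT 2>/dev/null || ip6tables -I OUTPUT 1 -m owner --uid-owner $user -j TORUSER_OUT
ip6tables -A TORUSER_OUT -j DROP
EOF
}

# Check after applying (needs root and a running Tor; not run here):
# a direct fetch as the browser user must fail, a fetch through the SOCKS
# port must succeed.
verify_isolation() {
    user=$1
    port=$2
    if sudo -u "$user" curl -s --max-time 10 https://check.torproject.org/ >/dev/null; then
        echo "FAIL: $user can reach the network directly"
        return 1
    fi
    if sudo -u "$user" curl -s --max-time 60 --socks5-hostname "127.0.0.1:$port" https://check.torproject.org/ >/dev/null; then
        echo "OK: $user can only egress via Tor"
        return 0
    fi
    echo "FAIL: $user cannot reach Tor's SOCKS port either (Tor running on $port?)"
    return 1
}

case "${1:-}" in
    --print)  tor_isolation_rules "$BROWSER_USER" "$TOR_SOCKS_PORT" ;;
    --apply)  tor_isolation_rules "$BROWSER_USER" "$TOR_SOCKS_PORT" | sh -e ;;
    --verify) verify_isolation "$BROWSER_USER" "$TOR_SOCKS_PORT" ;;
esac
```

Save it under any name, run it with --print to review the rules, --apply as root to install them, and --verify to confirm that the browser user's direct connection is dropped while the SOCKS connection works. The rules key on the sending process's UID, so they hold even if the payload ignores the browser's proxy settings; that is the difference from a vanilla TBB install, where a compromised process on the same machine can open a direct socket to wherever it likes.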