The issue was brought to light by a user via the Bugzilla bulletins:
I installed the add-on "YouTube Unblocker" version 0.6.20 from AMO. Immediately after installing my antivirus software (Avast) warned me of a blocked download from a third-party website associated with neither Mozilla nor the add-on. The download was another add-on which Avast categorized as malware.Just to be on the safe side, Ghacks provides detailed removal instructions over here. A list of alternative YouTube unblockers can be found over here.
Looking at the code of the add-on "YouTube Unblocker", I found the responsible code in the file email@example.com esourcesunblocker-apilibutils.js following line 138. The function updateConfigFile() downloads files from a web server and places them onto the hard drive of the user. It checks for a "whitelist", so that - seemingly - no other files can be overwritten. The actual file list to update comes as response from the server api.unblocker.yt and is therefor not part of the add-on. The configuration I got from the server is in the attachement response.json (captured with Wireshark).