There is no such thing as a hidden add-on (apart from system add-ons which need to be signed with a special mozilla key that malware never ever should get its hands on).
If you do not trust the list in about:addons, you can cross-check about:support.
In general, malware extensions when discovered and reported to mozilla can be blocklisted, so they’re removed automatically. However, malware may try to break this mechanism, which has to be fixed outside of Firefox.
The classic advice of figuring out a bad extension is to use the “half-split” troubleshooting method, where you disable half of all extensions, and if that solves the issue the extension is in the other half, else it’s in the current half. Then you half that half and do the same etc.