‘ShadyPanda’ Hackers Weaponize Millions of Browsers

Summary

A China-linked threat actor tracked as ShadyPanda has used malicious browser extensions on Chrome and Edge marketplaces to compromise millions of users. Koi Security’s investigation found roughly 4.3 million affected installs across multiple extensions. The adversary weaponised trusted extensions — some live since 2018 — pushing poisoned updates in mid-2024 that enabled remote code execution (RCE), comprehensive browser surveillance and real-time exfiltration of browsing data.

Key Points

  • ShadyPanda operated two simultaneous campaigns: a set of Chrome extensions (around 300,000 installs) and a larger suite of Edge extensions (~4 million installs).
  • Trusted extensions that had accumulated installs and positive reviews were turned malicious through the browsers' silent auto-update channel; the poisoned versions fetched attacker-supplied JavaScript on an hourly cadence and executed it with the extension's full browser API access, which amounts to persistent remote code execution inside the browser.
  • Collected data included full browsing histories, search queries (captured keystroke-by-keystroke), mouse clicks and cookies; some data was exfiltrated to attacker-controlled servers in China.
  • Earlier phases (2023) focused on affiliate fraud; the campaign escalated to persistent surveillance and hijacking, showing an evolution in tactics and persistence.
  • Marketplace review processes check extensions at submission but generally do not continuously monitor behaviour after approval — a gap ShadyPanda exploited for years.
  • Google and Microsoft say the identified malicious extensions have been removed from their stores; users are advised to update browsers and remove unknown extensions. Enterprises should enforce allow‑lists and audit installed extensions.
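
The audit the last two points call for can be scripted. The following is an added example, not Koi Security's, Google's or Microsoft's code: it walks a Chrome or Edge profile's `Extensions` directory (layout `<profile>/Extensions/<32-char id>/<version>/manifest.json`), checks each extension ID against an allow-list and flags the manifest traits that made the extensions in the report so capable: manifest v2 (no platform ban on remotely hosted code), history/cookies/tabs/webRequest permissions, host or content-script access to every site, and a CSP loosened to permit remote or eval'd script. The extension IDs, names and manifests in `demo()` are constructed placeholders; the default Windows profile path is an assumption you should adjust for Edge, macOS or Linux.

```python
"""Audit the extensions installed in a Chrome or Edge profile against an
enterprise allow-list and flag the permission profile ShadyPanda relied on.
Added example (not Koi Security's or Dark Reading's code)."""
import json
import os
import sys
import tempfile
from pathlib import Path

# API permissions that, combined, give an extension the reach described in the
# report: browsing history, cookies, every open tab, and request interception.
RISKY_PERMISSIONS = {
    "history", "cookies", "tabs", "webRequest", "webRequestBlocking",
    "webNavigation", "scripting", "debugger", "declarativeNetRequest", "management",
}
# Host patterns that match every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(ext_id, manifest, allowlist):
    """Return a list of human-readable findings for one manifest.json."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on the enterprise allow-list")
    if manifest.get("manifest_version") != 3:
        # MV2 does not forbid fetching and eval()-ing remote script, which is
        # exactly how a poisoned update becomes an hourly-refreshed backdoor.
        findings.append("manifest v2: remotely hosted code is not blocked by the platform")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("broad API permissions: " + ", ".join(risky))
    # MV2 lists host patterns under "permissions"; MV3 under "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & ALL_SITES:
        findings.append("host access to every site")
    if any(set(cs.get("matches", [])) & ALL_SITES for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into every page (keystroke/click capture possible)")
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form
        csp = csp.get("extension_pages", "")
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive.startswith("script-src") and ("http" in directive or "'unsafe-eval'" in directive):
            findings.append("CSP loosened to allow remote or eval'd script: " + directive)
    return findings


def audit_profile(extensions_dir, allowlist):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one."""
    report = {}
    for id_dir in sorted(Path(extensions_dir).iterdir()):
        if not id_dir.is_dir() or len(id_dir.name) != 32:
            continue
        for version_dir in sorted(id_dir.iterdir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            report[id_dir.name] = {
                "name": manifest.get("name", "?"),
                "version": version_dir.name,
                "findings": audit_manifest(id_dir.name, manifest, allowlist),
            }
    return report


def demo():
    """Constructed sample profile (placeholder IDs and names, not real extensions)."""
    benign_id, suspect_id = "a" * 32, "b" * 32
    samples = {
        benign_id: {"manifest_version": 3, "name": "Note Taker", "permissions": ["storage"]},
        suspect_id: {  # the permission profile of a "trusted" new-tab extension gone bad
            "manifest_version": 2, "name": "New Tab Plus",
            "permissions": ["tabs", "history", "cookies", "webRequest", "<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
            "content_security_policy": "script-src 'self' https://cdn.example; object-src 'self'",
        },
    }
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in samples.items():
            d = Path(root) / ext_id / "1.0.0"
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(root, allowlist={benign_id})


if __name__ == "__main__":
    # Usage: python audit_extensions.py [<profile>/Extensions dir] [allow-listed id ...]
    # Assumed default: Chrome's Windows profile; Edge uses Microsoft\Edge\User Data.
    default = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    result = audit_profile(target, set(sys.argv[2:])) if os.path.isdir(target) else demo()
    for ext_id, info in result.items():
        print(f"{ext_id} {info['name']} {info['version']}")
        for finding in info["findings"] or ["no findings"]:
            print("   -", finding)
```

Run it with no arguments and it audits the constructed sample; point it at a real `Extensions` directory plus the IDs you have approved and it reports every extension outside that set. A finding is a prompt to inspect, not proof of compromise, since a legitimate password manager or ad blocker also needs wide host access. Enforcing the allow-list itself is a browser-policy job (Chrome's and Edge's `ExtensionInstallAllowlist` and `ExtensionInstallBlocklist` policies); this script is the audit that tells you whether the policy is actually holding.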

Content Summary

Koi Security’s report details how ShadyPanda initially learned to game extension marketplaces via low‑sophistication affiliate fraud, then graduated to surreptitious weaponisation. The attackers used long‑trusted extensions to gain broad reach, then pushed malicious updates that turned those add-ons into backdoors capable of downloading and running arbitrary scripts. One Edge extension, WeTab, alone reportedly had ~3 million users. The framework allows the actor to push further malicious updates at any time, creating a persistent large‑scale surveillance and command capability.

Context and Relevance

This story underlines a major supply‑chain and platform risk: marketplace approvals are necessary but not sufficient. As enterprises and individuals rely heavily on browser extensions for productivity and security, the attack demonstrates how attackers can weaponise trust and scale. The incident matters for endpoint protection, browser security policies, IT asset hygiene and breach detection strategies. It also highlights the need for continuous runtime monitoring of extension behaviour, not just static pre‑publication checks.

Author style

Punchy: This isn’t a one‑off nuisance — it’s a long, methodical campaign that turned popularity into a weapon. Read the detail if you manage endpoints, run browser policy, or care about data exfiltration risks: the mechanics and scale here are worrying and actionable.

Why should I read this

Look — if you use Chrome or Edge (and let’s be honest, most people do), this affects you. Millions of installs, trusted extensions turned into backdoors, and the ability for attackers to push new malicious code at will. Skim it if you like headlines, but actually spend five minutes on the mitigation tips if you run IT or security. Seriously, check your extensions now.

Source

Source: https://www.darkreading.com/endpoint-security/shadypanda-hackers-weaponize-browsers