- The ShadyPanda campaign made 145 Chrome/Edge extensions harmful after years of normal use
- Updates added affiliate fraud, cookie theft, search hijacking, and remote code execution
- 4.3 million units at risk; Google removed extensions, Microsoft slower to respond
More than a hundred browser extensions spread across Google Chrome and Microsoft Edge browsers became malicious after five years of “normal” operation. The attackers apparently played the long con game – building trust for years before pulling the trigger on unsuspecting victims. Apparently, about 4.3 million devices are at risk.
This is according to security researchers Koi Security, who discovered the campaign and later named it ShadyPanda.
According to the report, the extensions started appearing in browser stores in 2018. They worked normally and offered users various features like wallpapers or productivity enhancements. But from 2023 onwards, the extensions started getting updates which gradually introduced malicious features.
Remote code execution and info theft
In 2023, the attackers started with affiliate scams, adding tracking codes from eBay, Amazon, Booking[.]com and other sites to legitimate links. In this way, they earned commissions on users’ purchases without their knowledge or consent.
This practice lasted for about a year before the attackers decided to take it a step further and steal session cookies and hijack search engine results. Some of the extensions redirected search queries to different (dubious) search engines, some exfiltrated them to different subdomains, and some simply forwarded session cookies.
That same year, some of the extensions were also updated to include remote code execution (RCE) capabilities, effectively making them a backdoor.
Finally, in 2025, the last update allowed the attackers to steal all sorts of sensitive information, from complete browsing histories to search queries and mouse click locations. They also stole browser fingerprints and page interaction analysis, and gained access to localStorage, sessionStorage and cookies.
The list of extensions is quite extensive. There are 125 of them for Edge and 20 for Chrome. Google has reportedly already removed everything hosted on its repository, while Microsoft seems to be lagging behind. For the full list of malicious extensions, be sure to read Koi Security’s full report.
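One way to check a browser profile against such a list, as an added example that is not from the article or from Koi Security: the Python below walks a Chromium-style Extensions directory, flags extension IDs found on a blocklist, and reports which installed extensions declare permissions matching the capabilities described above. The blocklist IDs and sample manifests are constructed placeholders (real IDs come only from the published report), and the choice of "sensitive" permissions is an assumption made for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed mapping: manifest permissions behind cookie, history and page access.
SENSITIVE = {"cookies", "history", "webRequest", "scripting", "<all_urls>"}
EXT_ID = re.compile(r"^[a-p]{32}$")  # Chromium extension ID format


def audit_extensions(ext_root, blocklist):
    """One finding per <ext_root>/<id>/<version>/manifest.json (Chromium layout)."""
    findings = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        if not EXT_ID.match(ext_id):
            continue
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {}  # unreadable manifest: still report the ID
        manifest = manifest if isinstance(manifest, dict) else {}
        declared = set()
        for key in ("permissions", "host_permissions", "optional_permissions"):
            declared.update(p for p in manifest.get(key) or [] if isinstance(p, str))
        findings.append({"id": ext_id, "version": manifest.get("version"),
                         "blocklisted": ext_id in blocklist,
                         "sensitive": sorted(declared & SENSITIVE)})
    return findings


def build_sample_profile(root):
    """Constructed sample data: two fake extensions with made-up IDs."""
    samples = {
        "a" * 32: {"version": "2.1", "permissions": ["cookies", "history", "storage"],
                   "host_permissions": ["<all_urls>"]},
        "b" * 32: {"version": "1.0", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / (manifest["version"] + "_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_extensions(build_sample_profile(tmp), {"a" * 32}))
```

Because these extensions turned malicious through updates, a clean result is only as current as the blocklist; the permission column helps decide which remaining extensions deserve a closer look.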
Via Bleeping Computer