ShadyPanda--> The 7-Year Browser Extension Backdoor Hiding in Plain Sight, And How to Protect Yourself Today.

Jim Leone

12/1/2025

When “Trusted” Tools Turn into Spyware...

Most cyber threats today follow familiar patterns - phishing, credential theft, exploited vulnerabilities, malware delivered via suspicious links. But in late 2025, researchers uncovered something far more unsettling... a 7-year campaign in which legitimate-looking, widely trusted browser extensions were quietly turned into spyware and remote-access tools.

Over 4.3 million Chrome and Edge users were affected.

No phishing. No malicious downloads. No social engineering. Just a malicious update to extensions users already trusted - some even labeled Featured or Verified by Google.

This operation, dubbed ShadyPanda, is one of the clearest demonstrations yet that the browser - not the operating system underneath it - may now be the most valuable real estate for attackers.

And the implications affect everyone --> families, small businesses, enterprises, government, and anyone who uses Chrome or Edge.

The ShadyPanda Campaign and What We Now Know

Researchers at Koi Security traced the campaign across four phases, beginning in 2018.

Phase 1 (2018–2022)--> Build Trust

Attackers published harmless-looking extensions - wallpapers, new tab pages, productivity utilities. Some gained hundreds of thousands of installs and positive reviews.

Phase 2 (2023)--> Silent Affiliate Fraud

Around 2023, the first subtle signs of wrongdoing appeared...

  • Tracking code injected into eBay, Booking.com and Amazon pages

  • Hijacked affiliate commissions

  • Redirected search queries

Still nothing that would tip off most users.

Phase 3 (Early 2024) --> Active Browser Control

The extensions escalated...

  • Search query harvesting

  • Redirection through trovi.com

  • Cookie collection

  • Behavioral tracking

Phase 4 (Mid-2024) --> Remote Code Execution (RCE) Inside the Browser

This is where things went critical.

Five long-trusted Chrome extensions - including one called Clean Master - received an update that added...

  • Hourly polling of a command-and-control domain

  • Downloading of arbitrary JavaScript

  • Execution of that downloaded code with the extension's full permissions

  • Encrypted exfiltration of browsing history

  • Full browser fingerprinting

  • Adversary-in-the-middle capabilities

  • Session hijacking

Some of these extensions had been trustworthy for YEARS.

And for Edge, several extensions - including WeTab (3M installs) and Infinity New Tab (650k installs) - remained active as of public disclosure.
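The hourly polling in Phase 4 is the kind of behaviour a defender can actually see in proxy or DNS logs: a (client, host) pair whose requests are spaced almost exactly 3600 seconds apart, while normal browsing to the same client's other hosts is irregular. The script below is an added example, not code from the original post or from Koi Security's research. The log lines, client address, hostnames and thresholds are all constructed placeholders.

```javascript
// Added example (not from the original post or Koi Security's research):
// a small beaconing detector over web-proxy log lines. Hourly C2 polling
// leaves a very regular inter-request interval per (client, host) pair,
// which is what this flags.

// Constructed sample log lines: "<ISO timestamp> <client> <host> <bytes>".
// Hostnames and the client address are placeholders, not real indicators.
const SAMPLE_LOG = `
2025-11-20T08:00:03Z 10.0.0.12 poll.example.net 512
2025-11-20T08:04:41Z 10.0.0.12 www.example.com 20483
2025-11-20T08:31:12Z 10.0.0.12 news.example.org 90211
2025-11-20T09:00:05Z 10.0.0.12 poll.example.net 514
2025-11-20T09:47:30Z 10.0.0.12 www.example.com 3310
2025-11-20T10:00:02Z 10.0.0.12 poll.example.net 511
2025-11-20T10:12:55Z 10.0.0.12 news.example.org 77102
2025-11-20T11:00:04Z 10.0.0.12 poll.example.net 513
2025-11-20T11:58:10Z 10.0.0.12 www.example.com 1200
2025-11-20T12:00:03Z 10.0.0.12 poll.example.net 512
2025-11-20T13:00:06Z 10.0.0.12 poll.example.net 515
`.trim();

function parseLine(line) {
  const [ts, client, host, bytes] = line.trim().split(/\s+/);
  return { t: Date.parse(ts) / 1000, client, host, bytes: Number(bytes) };
}

// Group requests by (client, host) and compute inter-request interval statistics.
function beaconStats(lines) {
  const groups = new Map();
  for (const line of lines) {
    if (!line.trim()) continue;
    const r = parseLine(line);
    const key = `${r.client} -> ${r.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r.t);
  }
  const out = [];
  for (const [key, times] of groups) {
    times.sort((a, b) => a - b);
    if (times.length < 3) continue;            // need at least two intervals
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push(times[i] - times[i - 1]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    if (mean === 0) continue;                  // identical timestamps: nothing to measure
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const cv = Math.sqrt(variance) / mean;     // coefficient of variation: ~0 means clockwork
    out.push({ key, count: times.length, meanGap: mean, cv });
  }
  return out;
}

// Flag pairs with enough requests at a near-constant interval. The thresholds
// are assumptions chosen for the sample; tune them against your own baseline.
function findBeacons(lines, { minCount = 4, maxCv = 0.05 } = {}) {
  return beaconStats(lines).filter(s => s.count >= minCount && s.cv <= maxCv);
}

for (const b of findBeacons(SAMPLE_LOG.split('\n'))) {
  console.log(`${b.key}: ${b.count} requests, mean gap ${b.meanGap.toFixed(1)}s, cv ${b.cv.toFixed(4)}`);
}
```

On the sample, only `poll.example.net` is flagged: six requests with a mean gap of 3600.6 s and a coefficient of variation under 0.001. The irregular visits to `www.example.com` have a much higher variation and fall under the count threshold. In production, join the flagged host against the destinations declared in the extension's manifest or observed from the extension's service worker, and treat any beacon that only started after an extension update as the first thing to investigate.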

Why This Attack Worked... The Real Failure Isn’t the Malware

The extension stores - Chrome Web Store and Microsoft Edge Add-ons - reviewed these extensions when they were submitted and published.

What they actually did after that, nobody kept watching.

Years later, a malicious developer (or a purchased developer account) simply pushed a poisoned update. And because browser extensions auto-update silently:

  • No warnings

  • No prompts

  • No user interaction

  • No alerts

The very mechanism designed to protect users became the delivery pipeline for spyware.

This is the same soft underbelly that enabled incidents such as:

  • The ColorZilla malware update

  • The Copyfish hijack

  • The User-Agent Switcher takeover

  • The Particle/Polyfill.io supply-chain backdoor

Browser extensions remain one of the most trusted but least monitored pieces of software people install.

Known Extensions Linked to ShadyPanda (Partial Public List)

Koi Security's full list runs to 145 extensions across Chrome and Edge; not all of them have been publicly catalogued yet.

Below are confirmed examples from public reporting:

Chrome

  • Clean Master - ~200,000 installs (Legitimate for years before turning malicious)

Microsoft Edge

  • WeTab 新标签页 (WeTab New Tab) – ~3 million installs

  • Infinity New Tab (Pro) – ~650,000 installs

Please Note: The above is not the full list. Koi Security reports the complete list contains 20 Chrome and 125 Edge extensions, but the full dataset is not yet available publicly.

How to Check if You’re Exposed

Step 1 - Audit your installed extensions

For Chrome --> chrome://extensions

For Edge--> edge://extensions

Look For ...

  • Wallpaper / new tab page extensions

  • Shopping assistants

  • “Productivity tool” extensions

  • Anything from unfamiliar publishers

  • Anything that sat unchanged for years and then suddenly received an update

  • Extensions with extremely high install counts but minimal or suspect reviews

Step 2 - Remove suspicious extensions immediately

If you see any of the above - or ANY extension you don’t absolutely trust - uninstall it.

Do NOT just disable it. A disabled extension stays installed on disk with its stored data intact and is one click away from running again; removal is the only state you can be sure of.

Step 3 - Rotate all credentials

If you had ANY affected extension installed:

  • Change your passwords (start with email, banking, and work accounts)

  • Log out of all active sessions

  • Monitor for unauthorized activity

Browser-extension spyware can steal:

  • Cookies

  • Session tokens

  • Saved passwords

  • Autofill data

  • Search history

  • Private browsing details

Step 4 - Clear cookies and cached sessions

This discards the local copies of your session tokens and forces fresh logins everywhere. It does not, on its own, revoke copies an attacker has already exfiltrated; only the "sign out of all sessions" option in each service does that, so do both.

Step 5 - For Enterprises... Implement Strict Browser Controls Immediately!

For organizations, this incident is a wake-up call.

Implement:

  • Extension allow-lists (not block-lists)

  • Browser management via Intune/Google Workspace

  • Continuous review of extension update events

  • Network monitoring for suspicious extension-based traffic

  • Session-token hardening (shorter TTLs, device binding)

  • SSO everywhere possible

  • Strict cookie policies
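The first item on that list is the one that would have stopped ShadyPanda cold for a managed fleet, so it is worth seeing what "allow-list, not block-list" looks like in the policy Chrome and Edge actually consume. The script below is an added example, not code from the original post; it builds a default-deny `ExtensionSettings` policy, a block-list policy for comparison, and a small decision function that shows how each treats an extension ID nobody has vetted. The extension IDs are placeholders, and the way the `*` entry's `blocked_permissions` combines with a per-ID entry is an assumption to verify against your browser's policy reference.

```javascript
// Added example (not from the original post): build a default-deny
// ExtensionSettings policy for Chrome/Edge and evaluate what it would do to a
// given extension. Keys and values follow the published ExtensionSettings
// schema; the extension IDs are placeholders.

// Allow-list policy: everything is blocked unless its ID is listed, and even
// listed IDs cannot request the permissions most useful to a hijacked update.
function buildAllowlistPolicy(allowedIds, forceInstalledIds = []) {
  const settings = {
    '*': {
      installation_mode: 'blocked',
      blocked_permissions: ['cookies', 'webRequest', 'webRequestBlocking', 'debugger', 'proxy', 'nativeMessaging'],
      blocked_install_message: 'Extensions must be approved by IT. Request one via the service desk.',
    },
  };
  for (const id of allowedIds) settings[id] = { installation_mode: 'allowed' };
  for (const id of forceInstalledIds) settings[id] = {
    installation_mode: 'force_installed',
    update_url: 'https://clients2.google.com/service/update2/crx',
  };
  return { ExtensionSettings: settings };
}

// Block-list policy for comparison: only named IDs are blocked, so an ID the
// defender has never heard of installs without friction.
function buildBlocklistPolicy(blockedIds) {
  const settings = { '*': { installation_mode: 'allowed' } };
  for (const id of blockedIds) settings[id] = { installation_mode: 'blocked' };
  return { ExtensionSettings: settings };
}

// Decide how a policy treats an extension ID requesting a set of permissions.
// Per-ID entries take precedence over the '*' default. Assumption (verify
// against the policy reference): '*' blocked_permissions apply to every
// extension unless the per-ID entry grants them via allowed_permissions, and an
// extension that requires a blocked permission cannot be installed at all.
function installDecision(policy, extId, requestedPermissions = []) {
  const s = policy.ExtensionSettings;
  const entry = s[extId] || s['*'] || { installation_mode: 'allowed' };
  const allowedPerms = new Set(entry.allowed_permissions || []);
  const blocked = new Set([...((s['*'] || {}).blocked_permissions || []), ...(entry.blocked_permissions || [])]);
  const deniedPerms = requestedPermissions.filter(p => blocked.has(p) && !allowedPerms.has(p));
  let mode = entry.installation_mode;
  if (deniedPerms.length > 0 && mode !== 'removed') mode = 'blocked';
  return { mode, deniedPerms };
}

// Constructed demo: one approved ID, one ID nobody vetted.
const APPROVED = 'cccccccccccccccccccccccccccccccc';
const UNKNOWN  = 'dddddddddddddddddddddddddddddddd';
const allowPolicy = buildAllowlistPolicy([APPROVED]);
const blockPolicy = buildBlocklistPolicy(['eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee']);

console.log(JSON.stringify(allowPolicy, null, 2));
console.log('allow-list, unknown id      :', installDecision(allowPolicy, UNKNOWN));
console.log('block-list, unknown id      :', installDecision(blockPolicy, UNKNOWN));
console.log('allow-list, approved, storage:', installDecision(allowPolicy, APPROVED, ['storage']));
console.log('allow-list, approved, cookies:', installDecision(allowPolicy, APPROVED, ['cookies', 'storage']));
```

The printed JSON is the object to ship: on Linux it goes in a file under `/etc/opt/chrome/policies/managed/` (Chrome) or `/etc/opt/edge/policies/managed/` (Edge); on Windows the same `ExtensionSettings` value is delivered as a JSON string through Group Policy or the Intune ADMX templates; Google Workspace's Chrome Browser Cloud Management exposes the same keys in its console. The last two console lines make the page's point concrete: the approved extension installs fine, but if a later update to it starts asking for `cookies`, the policy refuses it rather than silently granting what a hijacked developer account just pushed.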

Attackers are now targeting the browser with the same seriousness once reserved for the OS.

What Makes ShadyPanda Different from Normal Malware?

Three things...

1. Users didn't install malware - their browser “updated” into malware.

This sidesteps user-awareness training almost entirely: there was nothing for a well-trained user to spot.

2. The extensions were legitimate for years.

Not clones, not lookalikes - real tools that people trusted.

3. Silent backdoor delivery through trusted infrastructure.

The Chrome and Edge update pipelines may become the next frontier for supply-chain warfare.

Why You Should Care Even If You Were Not Affected...

If a seven-year supply chain attack can slip through every browser vendor’s defenses… what else is already sitting dormant?

This incident signals a new era...

Extensions are now a high-value attack vector. Sleepers can be activated at any time. Trust signals (featured, verified, popular) mean very little.

Browser security - for both consumers and enterprises - must evolve immediately.

The Browser Has Basically Become A New Operating System

Attackers go where the data is-->

  • Passwords

  • Tokens

  • Search history

  • Private messages

  • Browsing habits

  • Financial activity

  • Cloud console logins

  • MFA seeds

  • Cookies

  • Corporate credentials

All of it flows through your browser.

ShadyPanda proves one thing clearly:

Your browser is now one of your most vulnerable data assets, and a valuable target.

Audit your extensions today. Educate your teams. Harden your policies. And never assume that “Verified” means “Safe.”