A Browser Extension Risk Guide After the ShadyPanda Campaign
Summary:
In December 2025, security researchers disclosed a long-running cybercrime campaign by the threat actor ShadyPanda: a browser extension supply-chain attack that reached more than 4.3 million Chrome and Edge users. The campaign spanned roughly seven years and evolved through four phases, and it exploited the core weakness of extension marketplaces: review effort is concentrated on the initial submission, with minimal monitoring once an extension has been approved. ShadyPanda's key tactic was to publish or acquire harmless extensions, let them run legitimately for years (long enough to earn Featured and Verified badges), and then push malicious code to the entire installed base through the stores' automatic update mechanism.
The most troublesome phase (Phase 3) involved five long-established extensions, including Clean Master (200,000+ installs), which were weaponized in mid-2024. The malicious update delivered a remote code execution (RCE) framework that checks in hourly for new instructions, allowing the attackers to download and run arbitrary JavaScript with complete browser API access.
A 4-million-user spyware operation (Phase 4), centered on extensions such as WeTab, was still active at the time of reporting, exfiltrating real-time browsing history and mouse-click data to servers in China. Although some of the malicious extensions were removed from the marketplaces, the RCE framework remains deployed on browsers that received the update, and the Phase 4 spyware extensions were still listed in the Microsoft Edge marketplace, so the threat is both ongoing and scalable.
Security Officer Comments:
Because the adversary invested years in staging these extensions before weaponizing them with full access to browser data, including authenticated session cookies and tokens, the access it obtained rides existing sessions and does not trigger an MFA challenge. That MFA-bypassing access may be intended for sale on the dark web, or used to pivot directly into enterprise cloud accounts such as Slack, Salesforce and M365.
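The session-token abuse described above leaves traces in identity logs that can be alerted on. As an added example (not code from the referenced reports or from any vendor's tooling), the following Python script turns two such indicators into detection logic and runs it over a handful of constructed identity-log lines: one session token observed from two different countries inside an assumed two-hour window (the token travelled, not the user), and resource access on a session for which no sign-in, and therefore no MFA challenge, was ever logged. The field names, the window, and the sample events are assumptions made for this example.

```python
"""
Flag signs of session-token hijacking in identity logs.

Added example; not from the referenced reports. The two heuristics and the
log format are assumptions:
  1. One session ID observed from two different countries within a short
     window (the token, not the user, travelled).
  2. Resource access on a session ID for which no sign-in (hence no MFA
     challenge) was observed in the log window.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an IdP-style JSON-lines format (not real telemetry).
SAMPLE_LOG = """\
{"ts": "2025-12-03T09:00:00Z", "type": "signin", "user": "alice", "session": "S1", "country": "US", "mfa": true}
{"ts": "2025-12-03T09:05:00Z", "type": "access", "user": "alice", "session": "S1", "country": "US", "app": "m365"}
{"ts": "2025-12-03T09:40:00Z", "type": "access", "user": "alice", "session": "S1", "country": "CN", "app": "m365"}
{"ts": "2025-12-03T10:00:00Z", "type": "signin", "user": "bob", "session": "S2", "country": "DE", "mfa": true}
{"ts": "2025-12-03T10:02:00Z", "type": "access", "user": "bob", "session": "S2", "country": "DE", "app": "slack"}
{"ts": "2025-12-03T10:10:00Z", "type": "access", "user": "carol", "session": "S3", "country": "BR", "app": "salesforce"}
"""

# Assumed: two countries on one session inside this window is implausible travel.
WINDOW = timedelta(hours=2)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_hijack(events, window=WINDOW):
    """Return a list of (session, user, reason) alerts, at most one per heuristic per session."""
    alerts = []
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    for session, evs in by_session.items():
        user = evs[0]["user"]
        # Heuristic 1: same session seen from a different country within the window.
        for i, event in enumerate(evs):
            earlier = [p for p in evs[:i]
                       if p["country"] != event["country"] and event["ts"] - p["ts"] <= window]
            if earlier:
                alerts.append((session, user,
                               f"session used from {earlier[0]['country']} and {event['country']} within {window}"))
                break
        # Heuristic 2: access on a session with no observed sign-in (no MFA challenge seen).
        if not any(event["type"] == "signin" for event in evs):
            alerts.append((session, user, "access with no observed sign-in/MFA challenge"))
    return alerts


if __name__ == "__main__":
    for alert in detect_hijack(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the script flags alice's session S1 (used from the US and then from China 35 minutes later) and carol's session S3 (accessed without any logged sign-in), while bob's S2 is clean. In production the same logic would be expressed as a query in the identity provider or SIEM; the point is that a hijacked browser session looks like a token moving without a corresponding authentication.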
Drawing on the lessons of the ShadyPanda compromise, organizations should adopt the following defense strategies:
- Enforce Extension Allow Lists: Use enterprise browser management (for example, the Chrome and Edge extension policies) to enforce a default-deny policy that permits only vetted, approved extensions. Require a business justification for any extension that needs broad permissions (e.g., the ability to read and change data on all websites). Treat every extension as guilty until proven innocent.
- Integrate Extension Oversight with IAM: Treat browser extension access the way you treat third-party OAuth application access. Map the specific SaaS data and actions each extension can reach, particularly whether it can read cookies and session tokens for your identity provider and SaaS tenants.
- Monitor for Session Hijacking Indicators: Configure identity security tooling to alert on signs of session hijacking, such as a single session token being used from geographically disparate locations within a short window, or resource access that never passed through the expected MFA challenge.
- Conduct Regular Permission Audits: Periodically inventory every installed extension and its permissions. Watch for red flags such as an update that requests broader permissions, a change of developer or ownership, or new network communication to unfamiliar domains.
- Monitor Extension Behavior for Silent Compromise: Log and analyze extension activity, including installs, update events and unusual network communication with external domains; regular beaconing to a single host on a fixed interval is consistent with the hourly check-in described above. Educate employees to report unexpected behavioral changes in long-installed, previously trusted extensions.
https://thehackernews.com/2025/12/a-browser-extension-risk-guide-after.html
https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign