Ethical Hacking News
Malicious browser extensions have infected millions of users with malware, including backdoors and spyware. The attackers, tracked as ShadyPanda, published legitimate-looking extensions, accumulated downloads for years, and then pushed malware-laden updates to the whole install base: 4.3 million Google Chrome and Microsoft Edge users have been infected with backdoors and spyware that send their data to servers in China. Stolen data includes cookies and keystrokes. The campaign, active since 2018, exposes a gap in how browser extension marketplaces handle extensions after approval, and underlines the need for continued monitoring of updates rather than a one-time review at submission.
In recent months, a series of malicious browser extensions has been discovered that infected millions of users with malware, including backdoors and spyware. The attackers, tracked as ShadyPanda, used legitimate-looking extensions to accumulate thousands or sometimes millions of downloads over several years, then pushed a malware-laden update across the entire user base.
The most recent discovery involves four malicious browser extensions that infected 4.3 million Google Chrome and Microsoft Edge users with backdoors and spyware that send their data to servers in China. The attackers avoided detection by publishing extensions that were initially legitimate, accumulating downloads over several years, and pushing updates at random intervals rather than on a predictable schedule.
One of the most concerning aspects of this attack is that it exposes a gap in the way browser extension marketplaces manage approved extensions. According to researchers at Koi, who tracked ShadyPanda's activity, "they don't watch what happens after approval." An extension vetted once can therefore turn malicious in a later update, and because extensions update automatically, that update reaches every existing installation without any further action from the user.
The ShadyPanda campaign has been active since 2018 and has infected millions of users. The extensions monetized and surveilled their users in several ways: injecting affiliate tracking codes and Google Analytics trackers into websites the user visited, exfiltrating cookies, and logging keystrokes typed into search boxes.
The most recently analyzed extension, Clean Master, sends all of this data to ShadyPanda-controlled servers: every URL visited, HTTP referrers showing navigation patterns, timestamps for activity profiling, persistent UUID4 identifiers, and complete browser fingerprints. The malware also contains anti-analysis logic and switches to benign behavior if it detects that developer tools have been opened, so a quick manual inspection in the browser may see nothing wrong.
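A first-line check a defender can run locally, added here as an example and not code from the article or from Koi Security: walk the browser's extension directory and flag manifests whose permission set allows the behaviour described above (all-site access combined with cookie access, request observation and script injection). The risk weights, the threshold, the hypothetical extension IDs and the sample manifests are this example's own assumptions. It reads manifest.json files only and never evaluates extension code, so a modest-looking manifest does not clear an extension; it narrows the list of extensions worth examining.

```python
"""Flag installed Chrome/Edge extensions whose manifest grants the permission
set needed for ShadyPanda-style surveillance (all-site access, cookies, request
observation, script injection). Added example; not code from the article or
from Koi Security. Risk weights and threshold are this example's assumptions."""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Assumed weights: what each permission lets an extension do across sites.
RISKY_PERMISSIONS = {
    "cookies": 3,        # read/modify session cookies for permitted hosts
    "webRequest": 2,     # observe every request: URLs, referrers, timing
    "webNavigation": 2,  # real-time navigation history
    "history": 2,        # stored browsing history
    "scripting": 2,      # inject JavaScript into pages (Manifest V3)
    "tabs": 1,           # URL and title of every open tab
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def score_manifest(manifest: dict) -> tuple[int, list[str]]:
    """Score one parsed manifest.json (MV2 or MV3) and explain the score."""
    reasons: list[str] = []
    score = 0
    perms = set(manifest.get("permissions", []))
    # MV2 listed host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    hosts |= {m for cs in manifest.get("content_scripts", [])
              for m in cs.get("matches", [])}
    broad = bool(hosts & BROAD_HOST_PATTERNS)
    if broad:
        score += 3
        reasons.append("broad host access (every site)")
    for perm in sorted(perms & set(RISKY_PERMISSIONS)):
        score += RISKY_PERMISSIONS[perm]
        reasons.append(f"permission: {perm}")
    # The combination that makes session theft plus navigation logging possible.
    if broad and "cookies" in perms:
        score += 3
        reasons.append("cookies on every site: session theft possible")
    return score, reasons


def audit_extensions(root: Path, threshold: int = 6) -> list[dict]:
    """Walk <root>/<id>/<version>/manifest.json and return flagged extensions."""
    flagged = []
    for mf in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        score, reasons = score_manifest(manifest)
        if score >= threshold:
            flagged.append({
                "id": mf.parent.parent.name,
                "version": mf.parent.name,
                "name": manifest.get("name", "?"),
                "score": score,
                "reasons": reasons,
            })
    return flagged


# Constructed sample manifests for a self-contained run (not real extensions).
SAMPLE_SPYWARE_LIKE = {
    "manifest_version": 3, "name": "Example Cleaner", "version": "2.1.0",
    "permissions": ["cookies", "tabs", "webRequest", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_BENIGN = {
    "manifest_version": 3, "name": "Example Notes", "version": "1.0.0",
    "permissions": ["storage"],
}


def demo() -> list[dict]:
    """Write the samples into a temporary Extensions-style tree and audit it.
    The 32-character IDs are made up; real IDs have the same shape."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext_id, manifest in (("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", SAMPLE_SPYWARE_LIKE),
                                 ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", SAMPLE_BENIGN)):
            d = root / ext_id / manifest["version"]
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['id']} {hit['name']} v{hit['version']} score={hit['score']}")
        for r in hit["reasons"]:
            print(f"    - {r}")
```

To audit a real profile, point audit_extensions at the profile's Extensions directory instead of the temporary tree; on Linux that is typically ~/.config/google-chrome/Default/Extensions for Chrome and ~/.config/microsoft-edge/Default/Extensions for Edge, and on Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions. The score says only that the extension could behave as described; confirming that it does requires looking at the extension's code and network traffic, and, as the article notes, that code may behave differently when it detects developer tools.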
The attack also exposes weaknesses in the review processes of popular browser extension marketplaces. According to Koi researchers, five extensions with more than 4 million combined installs are still live in the Edge marketplace, and two of these install spyware on users' machines. One of the five, WeTab, has three million installs and sends this data to 17 different domains: eight Baidu servers in China, seven WeTab servers in China, and Google Analytics.
The ShadyPanda campaign also highlights the need for continuous monitoring and testing of browser extensions, not just at submission time. According to Koi researchers, "the infrastructure for full-scale attacks remains deployed on all infected browsers." Removing the malicious updates from the marketplaces does not remediate affected users: the exfiltration code already installed in their browsers keeps running until the extension is uninstalled or replaced by a clean update.
In response to this attack, Microsoft has announced plans to improve its review process for approved extensions. The company will be increasing the frequency of reviews and implementing more rigorous testing procedures to ensure that malicious extensions are caught before they can cause harm.
Meanwhile, Google has confirmed that it screens every single update to extensions in the Chrome Web Store, no matter how minor the change. That screening evidently did not stop these updates from reaching millions of users, which suggests that store-side review is necessary but not sufficient, and that what an extension does after installation also needs watching.
The ShadyPanda campaign is a reminder to treat browser extensions as software with standing update rights to the browser. Users should keep the number of installed extensions small, review the permissions each one requests (in particular access to all sites and to cookies), and remove extensions they no longer use; administrators of managed browsers should restrict installation to an allow-list of vetted extension IDs.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-Browser-Extensions-A-Stealthy-Threat-to-User-Privacy-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/
https://www.msn.com/en-us/news/technology/stealthy-browser-extensions-waited-years-before-infecting-43m-chrome-edge-users-with-backdoors-and-spyware/ar-AA1RviTP
https://cybernews.com/security/chrome-edge-hijacked-by-eighteen-malicious-extensions/
Published: Mon Dec 1 13:34:15 2025 by llama3.2 3B Q4_K_M