ShadyPanda malware campaign turned Chrome and Edge extensions into spyware


A long-running malware campaign evolved quietly over several years and turned trusted Chrome and Edge extensions into spyware. A detailed report from Koi Security reveals that Operation ShadyPanda affected 4.3 million users who downloaded extensions later updated with hidden malicious code.

These extensions started out as simple wallpapers or productivity tools that seemed harmless. Years later, silent updates added monitoring features that most users couldn’t detect.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive offers straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM bulletin.


Malicious extensions spread through trusted browsers and quietly collect user data for years. (Kurt “CyberGuy” Knutsson)

How the ShadyPanda campaign unfolded

The operation included 20 malicious Chrome extensions and 125 on the Microsoft Edge add-ons store. Many first appeared in 2018 without any obvious warning signs. Five years later, the extensions began receiving rolling updates that changed their behavior.

Koi Security found that these updates were deployed through each browser's trusted automatic update system. Users didn't need to click on anything. No phishing. No false alarms. Just quiet version changes that slowly transformed safe extensions into powerful tracking tools.


WeTab functions as a sophisticated monitoring platform disguised as a productivity tool. (Koi)

What the extensions did behind the scenes

Once activated, the extensions injected tracking code into real links to generate revenue from user purchases. They also hijacked searches, redirected queries, and recorded data for sales and manipulation purposes. ShadyPanda collected an unusually wide range of personal information, including browsing history, search terms, cookies, keystrokes, fingerprint data, local storage, and even mouse movement coordinates. As the extensions gained credibility in stores, the attackers pushed a backdoor update that enabled remote code execution every hour. This gave them full control over the browser, allowing them to monitor visited websites and exfiltrate persistent identifiers.

Researchers also found that the extensions could launch adversary-in-the-middle attacks. This enabled credential theft, session hijacking, and code injection on any website. If users opened developer tools, the extensions would switch to harmless behavior to avoid detection. Google removed the malicious extensions from the Chrome Web Store. We contacted the company and a spokesperson confirmed that none of the extensions listed are currently available on the platform.

Meanwhile, a Microsoft spokesperson told CyberGuy: “We have removed all extensions identified as malicious on the Edge add-ons store. When we become aware of cases that violate our policies, we take appropriate action which includes, but is not limited to, removing the prohibited content or terminating our publishing agreement.”

Most of you will not need the full technical identifiers used in the ShadyPanda campaign. These indicators of compromise are primarily aimed at security researchers and IT teams. Regular users should focus on checking their installed extensions by following the steps in the guide below.

You can view the full list of affected Chrome and Edge extensions to see each ID linked to the ShadyPanda campaign by clicking here and scrolling to the bottom of the page.

How to check if your browser contains these extension identifiers

Here’s a simple, step-by-step way to check if you have malicious extension IDs installed.

For Google Chrome

Open Chrome.

Type chrome://extensions in the address bar.

Press Enter.

Look for each extension ID.

Click Details under any extension.

Scroll to the ID section.

Compare the ID with the lists above.

If you find a match, remove the extension immediately.

For Microsoft Edge

Open Edge.

Type edge://extensions in the address bar.

Press Enter.

Click Details under each extension.

Scroll to find the ID.

If an identifier appears in the lists, remove the extension and restart the browser.
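
The same check can be done on disk, because Chrome and Edge keep each installed extension in a folder named after its ID inside every browser profile. The Python script below is an added example, not part of the original article or the Koi Security report; it assumes the standard default profile locations and an ID list file that you create yourself from the published list, one ID per line.

```python
import json
import re
import sys
from pathlib import Path

# Extension IDs are 32 characters drawn from the letters a-p.
ID_RE = re.compile(r"^[a-p]{32}$")

# Assumed default per-user data folders (Windows, macOS, Linux); adjust for managed installs.
DEFAULT_ROOTS = [Path.home() / p for p in (
    "AppData/Local/Google/Chrome/User Data",
    "AppData/Local/Microsoft/Edge/User Data",
    "Library/Application Support/Google/Chrome",
    "Library/Application Support/Microsoft Edge",
    ".config/google-chrome",
    ".config/microsoft-edge",
)]

def load_ids(text):
    """Parse one ID per line; skip blanks, '#' comments and malformed entries."""
    tokens = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return {t for t in tokens if ID_RE.match(t)}

def installed_extensions(root):
    """Yield (profile, ext_id, version, name) for each extension version on disk."""
    # Layout: <root>/<profile>/Extensions/<id>/<version>/manifest.json
    for manifest in Path(root).glob("*/Extensions/*/*/manifest.json"):
        version_dir = manifest.parent
        ext_id = version_dir.parent.name
        if not ID_RE.match(ext_id):
            continue
        try:
            # The name may be a localisation placeholder such as __MSG_appName__.
            name = json.loads(manifest.read_text(encoding="utf-8-sig")).get("name", "?")
        except (OSError, ValueError, AttributeError):
            name = "?"
        yield version_dir.parents[2].name, ext_id, version_dir.name, name

def find_matches(root, bad_ids):
    """Return sorted hits whose ID appears in the supplied list."""
    return sorted(hit for hit in installed_extensions(root) if hit[1] in bad_ids)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_extensions.py ID_LIST.txt")
    bad = load_ids(Path(sys.argv[1]).read_text(encoding="utf-8"))
    for root in DEFAULT_ROOTS:
        for profile, ext_id, version, name in find_matches(root, bad):
            print(f"MATCH {root} [{profile}] {ext_id} v{version} {name}")
```

A match in any profile means the extension should be removed from that profile through the browser's extensions page, as in the steps above.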


Simple security measures can block hidden threats and help ensure safer browsing. (Kurt “CyberGuy” Knutsson)

How to protect your browser from malicious extensions

You can take a few quick actions to lock down your browser and protect your data.

1) Remove suspicious extensions

Before removing anything, check your installed extensions against the IDs listed in the section above. Most of the malicious extensions were wallpapers or productivity tools. Three of the most mentioned are Clean Master, WeTab and Infinity V Plus. If you have one of these or something similar installed, remove it now.

2) Reset your passwords

These extensions have access to sensitive data. Resetting your passwords protects you from possible misuse. A password manager makes the process easier and creates strong passwords for each account.

Next, check to see if your email has been exposed in past breaches. Our #1 choice for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Discover the Best Expert-Rated Password Managers of 2025 at Cyberguy.com.

3) Use a data deletion service to reduce tracking

ShadyPanda collected browsing activity, identifiers and behavioral signals which can be matched with data already held by brokers. A data removal service helps you reclaim your privacy by scanning people search sites and broker databases to locate your exposed information and delete it. This limits how much of your digital footprint can be linked to, sold, or used for targeted scams.

Although no service can guarantee the complete removal of your data from the Internet, a data deletion service is definitely a wise choice. They’re not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information across hundreds of websites. This is what gives me peace of mind and has proven to be the most effective way to erase your personal data from the Internet. By limiting the information available, you reduce the risk of fraudsters cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data deletion services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.


4) Install powerful antivirus software

An antivirus may not have detected this specific threat because of the way it works. Still, it can block other malware, scan for spyware, and report dangerous sites. Many antivirus tools include cloud backup and VPN options to add more protection.

The best way to protect yourself from malicious links that install malware, potentially accessing your private information, is to install powerful antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware scams, protecting your personal information and digital assets.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

5) Limit your extensions

Every extension adds risk. Stick to well-known developers and look for recent reviews. If an extension asks for permissions it shouldn’t need, stay away.


Kurt’s Key Takeaways

ShadyPanda worked for years without raising alarms and proved how creative attackers can be. A trustworthy extension can turn into spyware via a silent update, making it even more important to stay alert to changes in browser behavior. You protect yourself by installing fewer extensions, checking them from time to time, and keeping an eye out for anything that looks out of place. Small steps help reduce your exposure and reduce the chances that hidden code can track what you do online.

Have you ever found an extension on your browser that you don’t remember installing or that started acting strange? How did you manage this? Let us know by writing to us at Cyberguy.com.


Copyright 2025 CyberGuy.com. All rights reserved.
