ShadyPanda hijacks Chrome, Edge extensions; 4.3M hit
Cyber firm Koi Security reported that a long-running “ShadyPanda” campaign turned benign Chrome and Edge extensions into spyware via trusted auto-updates, impacting 4.3 million users. Google and Microsoft said they have removed all identified malicious extensions from their stores; the add-ons, some dating to 2018, later received updates enabling data theft, search hijacking, and remote code execution.
📌 Key Facts
- Impact: 4.3 million users affected across 20 Chrome and 125 Edge extensions
- Tactics: benign extensions from 2018 received staged auto-updates years later to add spyware and hourly RCE backdoors
- Response: Google and Microsoft confirmed removal of all identified malicious extensions from their web stores
📊 Relevant Data
The ShadyPanda threat actor is a cybercriminal group, likely China-based, that orchestrated a seven-year browser extension malware operation.
ShadyPanda's Seven-Year Operation Built a Browser Extension Spy Empire — HivePro
Between July 2020 and February 2023, over 346 million users installed browser extensions with dangerous permissions that could potentially lead to data breaches.
280 Million Google Chrome Users Installed Dangerous Extensions, Study Says — Forbes
In 2025, researchers identified an additional 18 malicious Chrome extensions affecting 14.2 million users, demonstrating the ongoing prevalence of such threats.
Spin.AI Research Finds 18 Malicious Extensions Impacting 14.2M Users — Spin.AI
More than half (54%) of browser extensions are published anonymously, and 79% of publishers have released only one extension, which makes publisher trust hard to assess and increases the risk of malicious activity.
Browser extensions are increasing the attack surface, putting employees and businesses at risk — TechRadar