- ShadyPanda campaign turned 145 Chrome/Edge extensions malicious after years of normal use
- Updates added affiliate fraud, cookie theft, search hijacking, and remote code execution
- 4.3M devices at risk; Google removed extensions, Microsoft slower to respond
More than a hundred browser extensions spread across Google Chrome and Microsoft Edge browsers turned malicious after five years of “normal” operation. The attackers were apparently playing the long con game – building trust for years before pulling the trigger on unsuspecting victims. Apparently, around 4.3 million devices are at risk.
This is according to security researchers Koi Security, who discovered the campaign it later dubbed : ShadyPanda.
As per the report, the extensions started showing up on browser stores in 2018. They operated normally, offering users different features like wallpapers or productivity improvements. However, from 2023 onward, the extensions started getting updates which gradually introduced malicious capabilities.
Remote code execution and infostealing
In 2023, the attackers started with affiliate fraud, adding tracking codes from eBay, Amazon, Booking[.]com, and other sites, into legitimate links. That way, they were earning commission on users’ purchases without their knowledge, or consent.
This practice lasted for about a year before the attackers decided to take it a step further and steal session cookies, hijacking search engine results. Some of the extensions redirected search queries to different (dubious) search engines, some exfiltrated them to different subdomains, and some simply forwarded session cookies.
That same year, some of the extensions were also updated to include remote code execution (RCE) capabilities, effectively turning them into a backdoor.
Finally, in 2025, it’s last update allowed the attackers to steal all sorts of sensitive information, from complete browser histories to search queries and mouse click locations. They were also stealing browser fingerprints, page interaction analysis, access to localStorage, sessionStorage, and cookies.
The list of extensions is quite extensive. There are 125 of them for Edge, and 20 for Chrome. Google has reportedly already removed all that were hosted on its repository, while Microsoft seems to be lagging behind a bit. To check the full list of malicious extensions, make sure to read Koi Security’s full report here.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/RYP2wJu6BGAEqdebGitYKk-970-80.jpg
Source link
