Browser Extensions Lurked for Years, Exposing Millions to Malware
December 29, 2025
Jessica Lyons reports in The Register how a seven-year campaign involving malicious browser extensions compromised millions of users of Google Chrome and Microsoft Edge, and revealed significant risks in extension marketplaces.
The group behind the campaign, identified by Koi researchers as ShadyPanda, employed long-term strategies to introduce trusted productivity tools. They then delivered malware-laden updates to unsuspecting users.
The incident illustrates how digital supply chains can be exploited, allowing attackers to conduct persistent surveillance and data exfiltration without triggering immediate detection.
The campaign’s background shows ShadyPanda publishing legitimate extensions that accumulated large user bases over several years, achieving Featured or Verified status with high install counts. Once the extensions were widely adopted, updates introduced remote-code-execution backdoors and spyware, which enabled full browser access and covert monitoring.
Marketplaces such as the Chrome Web Store and Edge Add-on Store review submissions when an extension is first published, but they do not continuously vet extensions afterwards. That creates a window for malicious behavior introduced through later updates. Prior incidents in the sector, coupled with gaps in ongoing monitoring, enabled ShadyPanda to execute complex, multi-year attacks across millions of browsers.
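The review gap described above is one an organization can partly close on its own side: the manifest of every installed extension is readable on disk, so a periodic audit can flag an update that gained permissions it did not have when the extension was approved. The following script is an added illustration and is not code from the article, from The Register, or from Koi. The extension ids, names and manifests it contains are constructed samples, the set of permissions it treats as high-risk is this script's own choice, and the profile layout it reads (`Extensions/<id>/<version>/manifest.json` under a Chrome or Edge profile directory) is assumed to be the standard one.

```python
"""Audit installed Chrome/Edge extensions for permission escalation across
updates and for permissions that allow reading or altering all browsing.
Added example; sample data below is constructed, not real extension data."""
import json
from pathlib import Path

# Permissions that let an extension observe or rewrite everything the user
# does in the browser. Assumption: standard manifest permission names; the
# choice of which ones count as high-risk is this script's own judgement.
HIGH_RISK_PERMISSIONS = {
    "history", "webRequest", "webRequestBlocking", "scripting",
    "tabs", "cookies", "declarativeNetRequest", "management",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risky_permissions(manifest):
    """Return the high-risk permissions and broad host patterns in a manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 listed host patterns inside "permissions"; fold those in too.
    hosts |= {p for p in perms if p in BROAD_HOSTS}
    return (perms & HIGH_RISK_PERMISSIONS) | (hosts & BROAD_HOSTS)


def audit(current, baseline, allowlist):
    """Compare today's inventory with a stored baseline.

    current, baseline: {extension_id: manifest dict}
    allowlist: extension ids the organisation has approved
    Returns a list of findings, each a dict with "id", "kind", "detail".
    """
    findings = []
    for ext_id, manifest in sorted(current.items()):
        name = manifest.get("name", "?")
        if ext_id not in allowlist:
            findings.append({"id": ext_id, "kind": "unapproved",
                             "detail": f"{name} is not on the allowlist"})
        now = risky_permissions(manifest)
        if ext_id in baseline:
            # The pattern in the article: a trusted extension whose update
            # quietly adds the permissions needed for surveillance.
            gained = sorted(now - risky_permissions(baseline[ext_id]))
            if gained:
                findings.append({
                    "id": ext_id, "kind": "escalation", "gained": gained,
                    "detail": (f"{name} update {baseline[ext_id].get('version')}"
                               f" -> {manifest.get('version')} gained {gained}"),
                })
        elif now:
            findings.append({"id": ext_id, "kind": "new_high_risk",
                             "detail": f"{name} is new and requests {sorted(now)}"})
    return findings


def load_profile(profile_dir):
    """Build an inventory from a real profile directory, e.g.
    ~/.config/google-chrome/Default (assumed layout, see lead-in)."""
    inventory = {}
    for path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            inventory[path.parent.parent.name] = json.load(fh)
    return inventory


# Constructed sample data: last month's baseline and today's inventory.
BASELINE = {
    "sample-tab-tidy": {"name": "Tab Tidy (sample)", "version": "2.1.0",
                        "permissions": ["storage", "tabs"]},
    "sample-note-pad": {"name": "Note Pad (sample)", "version": "1.0.3",
                        "permissions": ["storage"]},
}
CURRENT = {
    "sample-tab-tidy": {"name": "Tab Tidy (sample)", "version": "2.2.0",
                        "permissions": ["storage", "tabs", "history", "webRequest"],
                        "host_permissions": ["<all_urls>"]},
    "sample-note-pad": BASELINE["sample-note-pad"],
    "sample-new-tab-theme": {"name": "New Tab Theme (sample)", "version": "0.9",
                             "permissions": ["scripting"],
                             "host_permissions": ["<all_urls>"]},
}
ALLOWLIST = {"sample-tab-tidy", "sample-note-pad"}

if __name__ == "__main__":
    for finding in audit(CURRENT, BASELINE, ALLOWLIST):
        print(f"[{finding['kind']}] {finding['detail']}")
```

Run against real profiles by replacing the constructed dictionaries with `load_profile(...)` output and persisting each run's inventory as the next baseline; an "escalation" finding is the signal worth routing to incident response, since a version bump alone is expected while a permission gain on an approved extension is exactly what the campaign relied on.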
The article details multiple active and inactive campaigns, including extensions such as Clean Master and WeTab, which collectively infected hundreds of thousands, perhaps millions, of users. These extensions harvested complete browsing histories, keystrokes, identifiers, and fingerprints, all of which were sent to data servers in China.
The malware included anti-analysis measures and could modify behavior when developer tools were opened. Some extensions monetized user activity through affiliate tracking and injected analytics.
Several of the identified extensions have been removed, but the attackers' infrastructure remains in place. Extensions with millions of active installs continue to operate on Edge, leaving their users vulnerable to further exploitation.
Legal teams should consider the implications of this case for data protection, vendor oversight, and liability associated with third-party software. They should advise client organizations to implement monitoring controls, evaluate incident response procedures to address persistent threats posed by seemingly trusted digital tools, and reassess the risks of deploying browser extensions. Regulatory scrutiny may extend to marketplace operators’ responsibilities for security oversight.