
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
ShadyPanda’s Browser Extension Backdoor: 4 Million Users Exposed

A long-running threat actor known as ShadyPanda has spent seven years quietly planting and weaponizing browser extensions across the Chrome and Edge ecosystems. More than 100 malicious extensions and over 4 million downloads later, investigators have uncovered an extensive operation that evolved from affiliate fraud to full remote code execution inside users’ browsers.
Context
Browser extensions operate with elevated access to web pages, cookies, storage, and browsing activity. When abused, they provide a near-perfect avenue for surveillance, credential theft, and persistent command execution—without triggering traditional endpoint defenses.
ShadyPanda leveraged this trust, publishing benign extensions, earning “Featured” and “Verified” badges, then weaponizing them through updates.
What Happened
Koi Security reports that ShadyPanda has been uploading extensions since at least 2018, maintaining legitimacy long enough to accrue installs across Chrome and Microsoft Edge.
Beginning in 2023, the group launched affiliate-fraud extensions that injected hidden tracking codes into visits to Amazon, eBay, and Booking.com. In 2024, they pivoted toward behavior profiling, browser hijacking, and eventually full backdoor capabilities.
Some malicious extensions remained available for download at the time of reporting.
Technical Breakdown
ShadyPanda’s extensions performed several malicious actions:
Silent affiliate code injection to siphon commissions
Google Analytics (GA)-based behavioral analytics capturing every page, query, and click
Cookie harvesting and transmission to attacker-controlled servers
Search hijacking through trovi.com
Real-time interest profiling from search bar inputs
Remote Code Execution (RCE) via an hourly update check-in
Full browser API access, enabling unrestricted JavaScript execution
Data exfiltration including URLs, referrers, timestamps, UUIDs, and browser fingerprints
WeTab New Tab Page—one extension with 3M+ installs—sent data to 17 remote domains.
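The hourly check-in described above is something defenders can look for on their own network telemetry. The script below is an added example, not code from the article or from Koi Security: it reads constructed proxy log lines (the hostnames, client names and log format are all made up for illustration) and flags any client-to-host pair whose requests arrive at a steady one-hour cadence, which is the signature of a timer-driven update poll rather than human browsing.

```python
"""Detect hour-periodic check-ins (beaconing) in web proxy logs.

Added example; not code from the article or from Koi Security. The log
format, client names and hostnames below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
import statistics

# Constructed sample proxy log lines: "<ISO timestamp> <client> <method> <host>".
# ws-17 polls one host almost exactly every hour; everything else is ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T09:00:04Z ws-17 GET cdn.legit-site.test
2024-05-01T09:00:05Z ws-17 GET updates.attacker-placeholder.test
2024-05-01T09:17:41Z ws-17 GET mail.legit-site.test
2024-05-01T10:00:07Z ws-17 GET updates.attacker-placeholder.test
2024-05-01T10:31:12Z ws-17 GET cdn.legit-site.test
2024-05-01T11:00:02Z ws-17 GET updates.attacker-placeholder.test
2024-05-01T11:45:55Z ws-17 GET cdn.legit-site.test
2024-05-01T12:00:09Z ws-17 GET updates.attacker-placeholder.test
2024-05-01T13:00:03Z ws-17 GET updates.attacker-placeholder.test
2024-05-01T09:10:00Z ws-22 GET cdn.legit-site.test
2024-05-01T09:12:00Z ws-22 GET cdn.legit-site.test
2024-05-01T14:30:00Z ws-22 GET cdn.legit-site.test
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield stamp, client, host


def find_periodic_beacons(text, period_s=3600, tolerance=0.05, min_events=4):
    """Return {(client, host): median_gap_seconds} for pairs whose consecutive
    request intervals cluster tightly around period_s (default: one hour)."""
    seen = defaultdict(list)
    for stamp, client, host in parse_log(text):
        seen[(client, host)].append(stamp)

    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        spread = max(gaps) - min(gaps)
        # A timer fires at a fixed period with little jitter; human browsing does not.
        if abs(median - period_s) <= tolerance * period_s and spread <= tolerance * period_s:
            hits[key] = median
    return hits


if __name__ == "__main__":
    for (client, host), gap in find_periodic_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: median interval {gap:.0f}s")
```

Browsers and legitimate extensions also poll on a schedule (store update checks, for instance), so in practice you would baseline the hosts that fire this rule and triage the ones that are not known update or telemetry endpoints.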
Impact Analysis
The threat actor effectively built a browser-wide surveillance and control platform, turning trusted extensions into long-term footholds. Because extension updates occur silently and automatically, users often remained unaware after the extensions were weaponized.
The ability to execute arbitrary JavaScript with full browser permissions represents a high-severity supply chain compromise with potential for credential theft, targeted espionage, or monetization operations.
Why It Matters
Browser extensions bridge personal, corporate, and cloud environments. When abused:
Identity, session, and cookie theft becomes trivial
Corporate SaaS accounts can be compromised
Users lose visibility into malicious updates
Supply chain vulnerabilities spread across entire user populations
ShadyPanda demonstrates how attackers can exploit legitimate trust signals and marketplace verification.
Expert Commentary
Koi Security emphasized:
“This is not a single-purpose malware. It’s a backdoor. ShadyPanda decides what it does—today it’s data collection, tomorrow it could be credential theft or ransomware.”
Google confirmed the malicious extensions have since been removed.
Key Takeaways
Browser extensions are high-value supply chain targets.
Marketplace verification cannot prevent post-install weaponization.
Hourly remote command execution is functionally equivalent to a persistent backdoor.
Organizations must audit browser extensions within enterprise fleets.
Remove or block “Infinity V+,” “Clean Master,” and “WeTab New Tab Page” immediately.
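Auditing an enterprise fleet for extensions like these comes down to two steps: inspect each installed extension's manifest for the combination of all-site access and cookie or scripting reach that makes the behaviour above possible, and push a blocklist policy to the browsers. The script below is an added example, not code from the article or from Koi Security. It assumes the standard Chrome/Edge profile layout (Extensions/<id>/<version>/manifest.json), uses constructed manifests in place of real installs, and uses placeholder extension IDs because the article names the extensions but does not give their store IDs; ExtensionInstallBlocklist is a real Chrome and Edge enterprise policy key.

```python
"""Audit installed Chrome/Edge extensions for broad permissions and known-bad names,
then emit a Chrome/Edge enterprise policy fragment that blocks the offenders.

Added example, not code from the article or from Koi Security. The manifests
and extension IDs below are constructed placeholders.
"""
import json
from pathlib import Path

# Extension names called out in the article. Real manifests often localise
# "name" as "__MSG_appName__", so also compare against the store listing.
FLAGGED_NAMES = {"Infinity V+", "Clean Master", "WeTab New Tab Page"}

# Permissions that together give an extension the reach the article describes:
# every page, every cookie, and the ability to run arbitrary script.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting",
                         "tabs", "history", "management", "nativeMessaging", "<all_urls>"}


def assess_manifest(manifest: dict) -> dict:
    """Return findings for one parsed manifest.json (MV2 or MV3)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms |= set(cs.get("matches", []))
    broad_host = any(p == "<all_urls>" or p.startswith("*://*/") for p in perms)
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    name = manifest.get("name", "")
    return {
        "name": name,
        "flagged_name": name in FLAGGED_NAMES,
        "broad_host_access": broad_host,
        "risky_permissions": risky,
        # All-site access plus cookie/script reach is the profile of the extensions above.
        "high_risk": broad_host and bool({"cookies", "scripting", "webRequest"} & set(risky)),
    }


def iter_installed_manifests(extensions_root: Path):
    """Yield (extension_id, manifest) from a profile's Extensions directory, e.g.
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions on Windows."""
    for manifest_path in extensions_root.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            yield ext_id, json.load(fh)


def build_blocklist_policy(extension_ids) -> dict:
    """Chrome/Edge enterprise policy fragment (ExtensionInstallBlocklist is a real key)."""
    return {"ExtensionInstallBlocklist": sorted(set(extension_ids))}


# Constructed manifests standing in for installed extensions; IDs are placeholders.
SAMPLE_MANIFESTS = {
    "aaaa-placeholder-id-1": {
        "manifest_version": 3, "name": "WeTab New Tab Page",
        "permissions": ["cookies", "scripting", "storage", "tabs"],
        "host_permissions": ["<all_urls>"],
    },
    "bbbb-placeholder-id-2": {
        "manifest_version": 3, "name": "Dark Theme",
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://example.test/*"], "js": ["theme.js"]}],
    },
}


def audit(manifests: dict):
    """Assess every manifest; return (findings, policy blocking flagged or high-risk ones)."""
    findings, to_block = [], []
    for ext_id, manifest in manifests.items():
        f = assess_manifest(manifest)
        f["id"] = ext_id
        findings.append(f)
        if f["flagged_name"] or f["high_risk"]:
            to_block.append(ext_id)
    return findings, build_blocklist_policy(to_block)


if __name__ == "__main__":
    # Swap SAMPLE_MANIFESTS for dict(iter_installed_manifests(Path(...))) on a real profile.
    findings, policy = audit(SAMPLE_MANIFESTS)
    for f in findings:
        print(f"{f['id']}: {f['name']!r} risky={f['risky_permissions']} high_risk={f['high_risk']}")
    print(json.dumps(policy, indent=2))
```

The policy fragment is what you would deliver through Group Policy, Intune or Chrome Browser Cloud Management; blocking by ID rather than by name is what actually stops reinstalls, which is why the real store IDs need to be taken from the vendor advisory rather than from this placeholder output.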

