4.3M Hit By a Malicious Extension: Are You Affected?

News of yet another malicious extension making the rounds might feel like background noise at this point. But this one deserves your attention. Security researchers at Koi Security recently uncovered a long-running campaign, now known as ShadyPanda, that quietly infected 4.3 million devices and stole data via more than 100 seemingly harmless browser extensions on both Chrome and Edge.

These extensions weren’t sloppy attempts or obvious scams. First introduced in the Chrome Web Store and Microsoft Edge Add-ons marketplace in 2018, the extensions did precisely what they promised, racked up glowing reviews, and flew entirely under the radar, lulling users into a false sense of security.

The attackers played the longest con in malware history: build trust, get millions of installs, then flip the switch.

How Simple Browser Extensions Became a Security Risk

According to the report, these extensions looked completely normal on the surface. They offered things that every user has downloaded at some point, such as wallpapers, productivity tools, note-taking add-ons, and similar convenience features.

Nothing seemed off at first, but sometime in 2023, updates quietly introduced malicious behavior, putting millions of people in real danger. Once an extension is installed in your browser, it can access a lot, including your web activity, login pages, and the online tools your employees use daily. Through those updates, the extensions gained malware and spyware capabilities used to infiltrate businesses and steal data.

What makes ShadyPanda especially concerning is that it wasn’t a rushed smash-and-grab attack. It was a patient infiltration. Once users (and entire organizations) had installed the extensions, a simple update was all it took to activate harmful features from within.

What the Malicious Extension Actually Did

While each extension behaved differently, the malicious capabilities centered on one thing: data harvesting. The researchers say many were designed to:

  • Track browsing activity
  • Capture search queries
  • Monitor business web apps
  • Redirect users to harmful pages
  • Inject unwanted ads or scripts

In short, the malicious extensions are a direct security risk to businesses that rely on their browsers for daily operations.

Red Flags Your Extensions Might Be Part of ShadyPanda and How To Fix the Problem

If your team uses Chrome or Edge, you may have some of these extensions installed without your knowledge. Some of the signs of a potential problem include:

  • Auto-updates on extensions installed before 2020
  • Sudden permission requests to “read and change all your data on all websites”
  • Changes in the developer’s name in the last two years
  • Over 100,000 installs, but reviews stopped around 2022

It’s worth reviewing all the extensions your team has and removing any unfamiliar ones. Moving forward, require employees to get an IT sign-off before installing tools. Your company's security platform can also automatically scan and monitor extensions to ensure they’re safe.
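
One way to check the broad-permission red flag across a browser profile, as an added example (not part of the original article or the researchers' report): the script reads each installed extension's manifest.json and lists any all-sites host patterns it requests. The folder layout Extensions/<id>/<version>/manifest.json and the sample manifests are assumptions, constructed for illustration.

```python
import json, sys
from pathlib import Path

# Host patterns that grant an extension access to every website.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_KEYS = ("permissions", "host_permissions",
             "optional_permissions", "optional_host_permissions")

def broad_grants(manifest):
    """Return 'key: pattern' for every all-sites pattern the manifest requests."""
    found = set()
    for key in HOST_KEYS:
        for item in manifest.get(key, []):
            # Permission entries can be objects as well as strings; only strings match.
            if isinstance(item, str) and item in BROAD_HOSTS:
                found.add(f"{key}: {item}")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if isinstance(pattern, str) and pattern in BROAD_HOSTS:
                found.add(f"content_scripts: {pattern}")
    return sorted(found)

def audit_profile(extensions_dir):
    """Map extension id -> broad grants, reading <dir>/<id>/<version>/manifest.json."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        if not isinstance(manifest, dict):
            continue
        grants = broad_grants(manifest)
        if grants:
            ext_id = path.parts[-3]  # folder name two levels above manifest.json
            report[ext_id] = sorted(set(report.get(ext_id, [])) | set(grants))
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_NOTES = {"manifest_version": 3, "name": "Notes",
                "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}
SAMPLE_WALLPAPER = {"manifest_version": 3, "name": "Wallpaper",
                    "permissions": ["storage", "tabs"], "host_permissions": ["<all_urls>"],
                    "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}

if __name__ == "__main__":
    # Pass the browser profile's Extensions folder as the first argument.
    for ext_id, grants in audit_profile(sys.argv[1]).items():
        print(ext_id, "->", "; ".join(grants))
```

A hit is not proof of compromise, since many legitimate extensions request all-sites access; it narrows the list to review against the other red flags above.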

The Takeaway for Business Owners

ShadyPanda isn’t just a personal security risk; it’s a full-blown business nightmare dressed up as a productivity add-on. Attackers are getting patient, subtle, and more creative, and something that you’ve used for years could be a malicious extension. Double-check your extensions today and stay on top of what your team uses to avoid trouble. 

Used with permission from Article Aggregator