Malicious extensions sometimes end up in the Chrome Web Store (and similar libraries in other browsers) posing as legitimate add-ons. They are especially difficult to detect if they are initially harmless and only turn into malware after gaining the user's trust.
Here's what happened to a number of extensions in Google Chrome and Microsoft Edge: Koi Security researchers identified add-ons in both browsers that had been running legitimately for several years before receiving malicious updates that allowed hackers to spy on users and collect and steal sensitive data. The scheme, known as ShadyPanda, has reached four million downloads and is still active on Edge.
The attackers organized a similar campaign targeting Firefox earlier this year: they received approval for innocuous extensions that imitated popular crypto wallets, amassed downloads and positive reviews, and then injected malicious code into the add-ons that could log form input fields, which they used to access and steal crypto assets.
Browser extensions can become bad
As Koi Security notes, ShadyPanda started out as an affiliate scam, with 145 extensions across two browsers masquerading as wallpapers and productivity apps. The initial phase involved introducing affiliate tracking codes and paying commissions for clicks on eBay, Amazon and Booking.com. The campaign then moved on to hijacking and manipulating search results, and in 2018 it launched five extensions that were later converted into malware.
These add-ons were marked as “Recommended” and “Tested” in Chrome, and one of them, a cache cleaner known as Clean Master, had a rating of 4.8 based on thousands of reviews. The extensions were updated in 2024 to run malware that could check hourly for new instructions and maintain full browser access by transmitting information to ShadyPanda's servers. (They have since been removed from Chrome.)
In 2023, hackers launched five more extensions for Edge, including WeTab. Two of them are complex spyware, and all of them were still active at the time of Koi's report.
How to Find Malicious Extensions in Chrome and Edge
Unfortunately, malicious extensions usually pretend to be something else, so a quick visual check of installed extensions may not reveal the problem. In this case, Koi Security has a list of extension IDs related to the ShadyPanda campaign, and you will have to look for them one by one.
In Chrome, enter chrome://extensions/ in the address bar and press Enter. Turn on Developer Mode in the top right corner to display the IDs of installed extensions. From here you can copy each ID from the list and paste it into the page search bar (Ctrl+F on your computer or Cmd+F on your Mac). If there are no results, your browser is safe. If you find a malicious add-on, click the Delete button. In Edge, follow the same process at edge://extensions/.
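The same ID comparison can be scripted instead of searched by hand. The Python script below is an added example, not code from Koi Security or from this article; it assumes the default Chrome and Edge user-data locations and a text file of extension IDs that you have saved from Koi Security's list (the script and file names are hypothetical).

```python
import json, re, sys
from pathlib import Path

# Chrome and Edge extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

def default_roots(home=None):
    """User-data directories for Chrome and Edge (assumed default install paths)."""
    home = Path(home or Path.home())
    return [home / p for p in (
        "AppData/Local/Google/Chrome/User Data",        # Windows
        "AppData/Local/Microsoft/Edge/User Data",
        "Library/Application Support/Google/Chrome",    # macOS
        "Library/Application Support/Microsoft Edge",
        ".config/google-chrome",                        # Linux
        ".config/microsoft-edge",
    )]

def load_ids(text):
    """Extract every well-formed extension ID from a pasted list, ignoring other text."""
    return {t for t in re.split(r"[^a-z]+", text.lower()) if EXT_ID.match(t)}

def installed(root):
    """Yield (profile, id, name, version) for each extension stored under root."""
    for ext_dir in Path(root).glob("*/Extensions/*"):
        if not EXT_ID.match(ext_dir.name):
            continue  # skip Temp and other non-extension folders
        for manifest in ext_dir.glob("*/manifest.json"):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}
            if not isinstance(data, dict):
                data = {}
            # "name" may be a localisation key such as __MSG_appName__, so match on ID.
            yield (ext_dir.parts[-3], ext_dir.name,
                   str(data.get("name", "?")), str(data.get("version", "?")))

def find_flagged(roots, bad_ids):
    """Return sorted, de-duplicated hits whose extension ID is in bad_ids."""
    return sorted({hit for root in roots if Path(root).is_dir()
                   for hit in installed(root) if hit[1] in bad_ids})

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_extensions.py IDS_FILE")
    bad = load_ids(Path(sys.argv[1]).read_text(encoding="utf-8"))
    hits = find_flagged(default_roots(), bad)
    for profile, ext_id, name, version in hits:
        print(f"FLAGGED {ext_id}  {name} {version}  (profile: {profile})")
    print(f"{len(hits)} flagged extension(s); {len(bad)} IDs checked")
```

The script checks every browser profile under each user-data directory, which the manual search in a single browser window does not. A hit names the profile to open so the add-on can be removed from its extensions page.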
While this campaign shows that extensions can be used as weapons long after they're installed, you should still follow the best practices for checking browser add-ons, just as you would for apps on your device. Check the name carefully, as fraudulent extensions often have names almost identical to those of reputable ones. Check the description for red flags such as spelling errors and unrelated images. If you see a lot of positive reviews for a new extension in a short period of time, or the reviews seem to be about something completely different, proceed with caution. You can also do more research, such as searching Google or Reddit, to make sure the extension is legit.






