A long-running malware campaign quietly evolved over several years and turned trusted Chrome and Edge extensions into spyware. A detailed report from Koi Security shows that Operation ShadyPanda affected 4.3 million users who downloaded extensions that were later updated with hidden malicious code.
These extensions started out as simple wallpapers or productivity tools that looked harmless. Over the years, automatic updates added surveillance features that most users could not detect.
Malicious extensions spread through trusted browsers and quietly collected user data for years. (Kurt “CyberGuy” Knutsson)
How the ShadyPanda campaign evolved
The operation included 20 malicious Chrome extensions and 125 in the Microsoft Edge add-on store. Many of them first appeared in 2018 without obvious warning signs. Five years later, extensions began receiving incremental updates that changed their behavior.
Koi Security discovered that these updates were distributed through each browser's robust automatic update system. Users didn't have to click anything. No phishing. No fake alerts. Just quiet version changes that gradually turned safe extensions into powerful tracking tools.
WeTab functions as a sophisticated monitoring platform disguised as a productivity tool. (Koi)
What the extensions did behind the scenes
Once activated, the extensions embedded tracking code in real links to generate revenue from user purchases. They also intercepted search queries, redirected queries, and recorded data for sale and manipulation. ShadyPanda collected an unusually wide range of personal information, including browsing history, search terms, cookies, keystrokes, fingerprint data, local storage, and even mouse coordinates. Once the extensions gained credibility in stores, the attackers released a backdoor update that allowed hourly remote code execution. This gave them complete control over the browser, allowing them to track visited websites and extract persistent identifiers.
The researchers also found that the extensions could launch man-in-the-middle attacks, which allowed credential theft, session hijacking, and code injection on any website. If users opened developer tools, the extensions switched to a harmless mode to avoid detection. Google removed the malicious extensions from the Chrome Web Store. We contacted the company and a spokesperson confirmed that none of the listed extensions are currently running on the platform.
Meanwhile, a Microsoft spokesperson told CyberGuy: “We have removed all extensions identified as malicious in the Edge Add-ons Store. When we become aware of incidents that violate our policies, we take appropriate action, which includes, but is not limited to, removing prohibited content or terminating our publishing agreement.”
Most of you won't need the full technical IDs used in the ShadyPanda campaign. These indicators of compromise are primarily intended for security researchers and IT teams. Regular users should focus on checking their installed extensions by following the steps in the guide below.
You can view the full list of affected Chrome and Edge extensions to see each ID associated with the ShadyPanda campaign.
How to check if your browser contains these extension IDs
Here's a simple, step-by-step way to check if any malicious extension IDs are installed.
For Google Chrome
Open Chrome.
Type chrome://extensions into the address bar.
Press Enter.
Look for each extension ID.
Click Details under any extension.
Scroll down to the Extension ID section.
Compare the ID with the list of affected IDs.
If you find a match, remove the extension immediately.
For Microsoft Edge
Open Edge.
Type edge://extensions into the address bar.
Press Enter.
Click Details under each extension.
Scroll to find Extension ID.
If the ID appears in the lists, remove the extension and restart your browser.
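For IT teams checking many machines, the same comparison can be scripted. The sketch below is an added example, not code from this article or from Koi Security: it walks the Chrome and Edge profile folders on disk, reads each installed extension's ID from its folder name, and compares it with IDs pasted from the published list. The default profile paths, the `ioc_ids.txt` file name, and all function names are assumptions made for this example, and no real campaign IDs are included.

```python
import json
import re
import sys
from pathlib import Path

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chromium extension IDs: 32 letters, a-p

# Assumed default "User Data" roots for Chrome and Edge on each platform.
HOME = Path.home()
DEFAULT_ROOTS = {
    "linux": [HOME / ".config/google-chrome", HOME / ".config/microsoft-edge"],
    "darwin": [HOME / "Library/Application Support/Google/Chrome",
               HOME / "Library/Application Support/Microsoft Edge"],
    "win32": [HOME / "AppData/Local/Google/Chrome/User Data",
              HOME / "AppData/Local/Microsoft/Edge/User Data"],
}

def load_ioc_ids(text):
    """Pull every well-formed extension ID out of pasted report text."""
    return {tok for tok in re.split(r"[^a-z]+", text.lower()) if EXT_ID.match(tok)}

def installed_extensions(user_data_root):
    """Yield (profile, ext_id, version, name) for each extension version on disk."""
    for ext_dir in Path(user_data_root).glob("*/Extensions/*"):
        if not (ext_dir.is_dir() and EXT_ID.match(ext_dir.name)):
            continue  # skip temp folders and anything that is not an ID
        profile = ext_dir.parent.parent.name
        for manifest in ext_dir.glob("*/manifest.json"):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest: still report the ID
            if not isinstance(data, dict):
                data = {}
            yield (profile, ext_dir.name,
                   str(data.get("version", "?")), str(data.get("name", "?")))

def find_matches(user_data_roots, ioc_ids):
    """Return sorted, de-duplicated hits whose ID is on the IoC list."""
    hits = set()
    for root in user_data_roots:
        hits.update((str(root), *e) for e in installed_extensions(root) if e[1] in ioc_ids)
    return sorted(hits)

if __name__ == "__main__":
    # Usage: python check_ext.py ioc_ids.txt  (IDs copied from the published list)
    iocs = load_ioc_ids(Path(sys.argv[1]).read_text())
    roots = DEFAULT_ROOTS.get(sys.platform, [])
    for root, profile, ext_id, version, name in find_matches(roots, iocs):
        print(f"MATCH {ext_id} v{version} {name!r} in {root} [{profile}]")
```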
Simple security measures can block hidden threats and keep your browsing safe. (Kurt “CyberGuy” Knutsson)
How to protect your browser from malicious extensions
There are a few quick steps you can take to lock down your browser and protect your data.
1) Remove suspicious extensions.
Before deleting anything, check the installed extensions using the IDs listed in the section above. Most of the malicious extensions were wallpapers or productivity tools. Three of the most mentioned are Clean Master, WeTab and Infinity V Plus. If you have installed any of these or anything similar, remove them now.
2) Reset your passwords
These extensions have access to sensitive data. Resetting your passwords will protect you from possible abuse. A password manager simplifies the process and creates strong passwords for each account.
Next, check to see if your email has been compromised in past hacks. Our #1 best password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you find a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best password managers of 2025, reviewed by experts, at Cyberguy.com.
3) Use a data removal service to reduce tracking.
ShadyPanda collected browsing activity, IDs, and behavioral signals that can be matched with data that brokers already have. A data removal service helps you restore your privacy by scanning people search sites and broker databases to find exposed information and remove it. This limits how much of your digital footprint can be linked, sold, or used for targeted fraud.
While no service can guarantee complete removal of your data from the internet, a data removal service is indeed a smart choice. They don't come cheap, and neither does your privacy. These services do all the work for you, actively monitoring and systematically removing your personal information from hundreds of websites. This is what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk that scammers will link leaked data to information they can find on the dark web, making it harder for them to target you.
Check out my top data removal services and get a free scan to see if your personal information has already been published online by visiting Cyberguy.com.
4) Install powerful antivirus software.
Antivirus software may not have detected this particular threat because of the way it works. However, it can block other malware, scan for spyware, and flag unsafe sites. Many antivirus tools include cloud backup and VPN options for added protection.
The best way to protect yourself from malicious links that install malware and potentially access your personal information is to install powerful antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware, keeping your personal information and digital assets safe.
Get my picks for 2025's top antivirus protection winners for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
5) Limit your extensions
Every extension adds risk. Stick with established developers and look for recent reviews. If an extension asks for permissions it doesn't need, walk away.
Kurt's key takeaways
ShadyPanda operated without raising an alarm for years and proved how creative attackers can be. A trusted extension can turn into spyware as a result of automatic updates, making it even more important to constantly monitor changes in browser behavior. You protect yourself by installing fewer extensions, checking them from time to time, and watching for anything that seems out of place. Small steps can help reduce your exposure and reduce the likelihood that hidden code can track your online activities.
Have you ever found an extension on your browser that you don't remember installing, or an extension that started behaving strangely? How did you deal with this? Let us know by writing to us at Cyberguy.com.
Copyright CyberGuy.com 2025. All rights reserved.






