4.3 million have installed this malicious browser extension on Chrome and Edge - here's how to check


  • ShadyPanda campaign turned 145 Chrome/Edge extensions malicious after years of normal use
  • Updates added affiliate fraud, cookie theft, search hijacking, and remote code execution
  • 4.3M devices at risk; Google removed extensions, Microsoft slower to respond

More than a hundred browser extensions across Google Chrome and Microsoft Edge turned malicious after five years of “normal” operation. The attackers were apparently playing the long con, building trust for years before pulling the trigger on unsuspecting victims. Around 4.3 million devices are reportedly at risk.

This is according to security researchers at Koi Security, who discovered the campaign and later dubbed it ShadyPanda.

As per the report, the extensions started showing up on browser stores in 2018. They operated normally, offering users different features like wallpapers or productivity improvements. However, from 2023 onward, the extensions started getting updates which gradually introduced malicious capabilities.

Remote code execution and infostealing

In 2023, the attackers started with affiliate fraud, adding tracking codes from eBay, Amazon, Booking[.]com, and other sites into legitimate links. That way, they earned commission on users’ purchases without their knowledge or consent.

This practice lasted for about a year before the attackers decided to take it a step further, stealing session cookies and hijacking search engine results. Some of the extensions redirected search queries to different (dubious) search engines, some exfiltrated them to different subdomains, and some simply forwarded session cookies.

That same year, some of the extensions were also updated to include remote code execution (RCE) capabilities, effectively turning them into a backdoor.

Finally, in 2025, the last update allowed the attackers to steal all sorts of sensitive information, from complete browser histories to search queries and mouse click locations. They were also collecting browser fingerprints and page interaction data, and accessing localStorage, sessionStorage, and cookies.

The list of extensions is quite extensive. There are 125 of them for Edge, and 20 for Chrome. Google has reportedly already removed all that were hosted on its repository, while Microsoft seems to be lagging behind a bit. To check the full list of malicious extensions, make sure to read Koi Security’s full report here.
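One way to run that check across every browser profile on a machine, as an added example that is not from Koi Security or the original article: it walks the default Chrome and Edge user-data directories and reports any installed extension whose ID appears in a text file. The IDs file is an assumption; the article does not list the IDs, so they have to be copied from Koi Security's report, one per line.

```python
import json, os, re, sys
from pathlib import Path

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chromium extension IDs: 32 letters a-p

def browser_roots():
    """Default Chrome/Edge user-data directories for the current OS."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData/Local"))
        return [base / "Google/Chrome/User Data", base / "Microsoft/Edge/User Data"]
    if sys.platform == "darwin":
        base = home / "Library/Application Support"
        return [base / "Google/Chrome", base / "Microsoft Edge"]
    return [home / ".config/google-chrome", home / ".config/microsoft-edge"]

def installed_extensions(root):
    """Yield one record per extension version found under any profile in root."""
    # Layout: <root>/<profile>/Extensions/<id>/<version>/manifest.json
    for manifest in Path(root).glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        if not EXT_ID.match(ext_id):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still report the ID
        # "name" may be a localisation placeholder such as __MSG_appName__
        yield {"id": ext_id, "profile": manifest.parents[3].name,
               "name": data.get("name", "?"), "version": data.get("version", "?")}

def load_ids(path):
    """Read extension IDs from a text file; anything not ID-shaped is ignored."""
    words = Path(path).read_text().split()
    return {w.lower() for w in words if EXT_ID.match(w.lower())}

def find_flagged(roots, bad_ids):
    """Return records for installed extensions whose ID is in bad_ids."""
    return [e for r in roots for e in installed_extensions(r) if e["id"] in bad_ids]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_extensions.py IDS_FILE")
    hits = find_flagged(browser_roots(), load_ids(sys.argv[1]))
    for e in hits:
        print(f'{e["id"]}  {e["name"]} {e["version"]}  (profile: {e["profile"]})')
    sys.exit(1 if hits else 0)  # non-zero exit when a listed extension is installed
```

Extensions loaded unpacked in developer mode run from their own source folder, not from the profile's Extensions directory, so this scan does not see them.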

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
