When news broke that more than 4.3 million Chrome and Edge browsers had been quietly hijacked through malicious extensions, the cybersecurity community took notice. It wasn’t just the scale of the incident—it was the stealth. These extensions weren’t shady add-ons from obscure sites. They were popular, helpful tools that people trusted.
Everyone worries about software supply-chain attacks—but browser extensions often slip through with little scrutiny.
ShadyPanda is the name researchers use for a threat group with indicators suggesting a connection to China, though attribution remains unconfirmed. The group is accused of running a long-term browser-extension supply-chain campaign: creating or acquiring legitimate extensions, letting them operate safely long enough to earn trust, and eventually weaponizing them to infiltrate millions of user environments.
Whether you’re part of a security team, IT staff, identity operations, or risk management, this campaign reveals a sobering truth: browser extensions are software—and they are part of your supply chain.
A Multi-Year “Sleeper” Campaign Hidden in Plain Sight
Public reporting suggests that the earliest versions of the compromised extensions appeared in browser stores as far back as 2018–2019. While precise dates vary by extension, the pattern is clear: these tools spent years building trust before turning malicious.
“These extensions started off literally as harmless utilities for years,” said Matt Durrin, director of training for LMG Security, during a recent Cyberside Chats episode.
Phase 1: Building Trust (starting around 2018–2019)
ShadyPanda-associated developers released (or later purchased) legitimate extensions:
- Custom new-tab pages
- Wallpaper and theme add-ons
- Tab managers
- PDF converters
- Cleanup utilities such as Clean Master
They functioned exactly as advertised and sometimes even earned “Featured” recognition in official browser stores.
Phase 2: Preparing the Infrastructure (2021–2022)
Behind the scenes, attackers established resilient infrastructure—rotating domains, cloud-based payload delivery, and TLS-secured connections designed to blend in with normal traffic. As Sherri Davidoff noted in the episode, the presence of a lock icon “doesn’t mean it’s safe—it means your information is secure when it’s going to the attacker.”
Phase 3: Subtle Behavior Changes (2023)
In 2023, the threat actors quietly updated several extensions with new code that introduced small revenue-generating behaviors—like affiliate manipulation and analytics collection—serving as an early test of their control pipeline.
These minor shifts were low-noise enough to avoid user suspicion and bypass enterprise detections.
Phase 4: Full Activation (2024–2025)
Then the operation escalated.
Silent auto-updates delivered through Chrome and Edge’s built-in extension update mechanisms transformed select extensions into full-fledged spyware with capabilities including:
- Remote code execution (RCE)
- Session cookie and token theft
- Microsoft 365 and Google Workspace impersonation
- Device fingerprinting
- Real-time browsing surveillance
- Malicious JavaScript injection into trusted pages
Once session tokens were stolen, attackers could bypass MFA and conditional access. As Matt put it, “They can now basically masquerade as you… that means access to your enterprise email, SharePoint, OneDrive, Teams.”
It had the potential to enable identity compromise at massive scale.
Why ShadyPanda Worked—And Why This Vector Will Persist
ShadyPanda didn’t succeed by luck—its campaign exploited long-standing gaps in how organizations manage browser extensions.
**1. Browser Extensions Aren’t Governed Like Other Software.** Organizations rigorously review SaaS apps and endpoint tools—but browser extensions often slip through without oversight. Yet they can access:
- Cookies
- Local storage
- Cloud authentication sessions
- Active webpage content
- File downloads
**2. Auto-Updates Make Malicious Changes Invisible.** Browsers update extensions silently in the background. A trusted extension can become malicious with its next update—with no prompt or warning to the user.
**3. Trust Signals Were Weaponized.** Years of positive reviews, high install counts, and “Featured” badges built credibility that attackers later exploited.
**4. Personal Chrome Sync Spreads Risk into the Enterprise.** If users sign into their personal Google account on a corporate device, Chrome may sync all personal extensions—including malicious ones—into the enterprise environment.
**5. EDR Tools Don’t See Inside Browser-Native Attacks.** Malicious code that runs as JavaScript inside a trusted, signed browser process (e.g., chrome.exe) looks like ordinary browser activity to many traditional endpoint detection tools.
Five Steps Every Organization Should Take Now
What practical steps can organizations take to reduce their risk from malicious extensions?
**1. Audit and Restrict Browser Extensions Across the Enterprise.** Organizations should begin by inventorying all extensions installed across managed devices and removing anything unnecessary, outdated, high-risk, or unknown. Enforcing allowlists through Chrome Enterprise, Microsoft Edge enterprise policies, or MDM solutions helps ensure only approved extensions run in your environment. For additional guidance on improving your software governance footprint, see LMG’s Top Security Controls.
**2. Treat Extensions as Part of Your Software Supply Chain.** Security teams should evaluate browser extensions with the same rigor applied to other third-party software. That includes reviewing ownership, monitoring for changes in maintainers, assessing requested permissions, and understanding how updates are distributed. Treating extensions as a supply-chain component helps close the oversight gap that attackers can exploit.
**3. Watch for Session Hijacking and Token Abuse.** Because malicious extensions can steal session tokens, identity systems must be tuned to detect unusual patterns such as unexpected token reuse, MFA bypasses, impossible travel, or unfamiliar authentication flows. Monitoring and alerting around these behaviors is critical. Slack’s blog on “Catching Compromised Cookies” is also great background reading.
**4. Enforce Enterprise Browser Governance Policies.** Organizations should enforce policies that prevent personal Google account syncing on corporate devices, separate work and personal browsing profiles, and enable remote removal of unsafe extensions. Using enterprise policy frameworks—like Microsoft Edge’s governance controls—helps ensure consistent management.
**5. Train Users on Modern Browser Threats.** Finally, employees should understand the risks associated with browser extensions, including silent auto-updates and personal Chrome sync. Clear, practical training helps users avoid risky behavior and makes it easier for security teams to enforce extension policies. LMG’s Security Awareness Training provides targeted education for modern threats.
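The inventory step above, and the list of what an extension can reach (cookies, page content, downloads), can be checked directly from the manifests on disk. The script below is an added example written for this article; it is not LMG Security's tooling and not part of the original post. It walks the layout both Chrome and Edge use for unpacked extensions (`<profile>/Extensions/<extension-id>/<version>/manifest.json`), scores each manifest's permissions, and reports anything not on your allowlist. The permission weights, the sample manifests and the 32-letter extension IDs are constructed for the demo and are assumptions, not real store IDs.

```python
"""Inventory the extensions in a Chrome/Edge profile and check them against an allowlist.

Added example for this article; not LMG Security's tooling and not part of the
original post. Both browsers unpack installed extensions as
    <profile>/Extensions/<extension-id>/<version>/manifest.json
so the script walks that layout, parses each manifest and reports extensions that
are not allowlisted or that hold the permissions behind session theft and page
tampering. Permission weights, sample manifests and extension IDs are constructed
for the demo (the IDs are placeholders, not real store IDs).
"""
import json
import tempfile
from pathlib import Path

# Weights are this example's assumption, not a Chrome-defined scale.
RISKY_PERMISSIONS = {
    "cookies": 4,              # read or rewrite session cookies on permitted hosts
    "webRequest": 3,           # observe every request the browser sends
    "webRequestBlocking": 3,   # ...and modify or redirect it
    "scripting": 3,            # inject JavaScript into pages at runtime
    "tabs": 2,                 # URL and title of every open tab
    "history": 2,
    "downloads": 2,
}
# Any of these host patterns means "every site", which is what turns the API
# permissions above into session theft and page tampering.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
BROAD_HOST_WEIGHT = 4


def manifest_permissions(manifest: dict) -> set[str]:
    """Collect API permissions and host patterns from an MV2 or MV3 manifest."""
    perms: set[str] = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # A content script with a broad match pattern is host access in disguise.
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms


def risk_score(perms: set[str]) -> int:
    score = sum(RISKY_PERMISSIONS.get(p, 0) for p in perms)
    if perms & BROAD_HOST_PATTERNS:
        score += BROAD_HOST_WEIGHT
    return score


def audit_profile(profile_dir: str, allowlist: set[str]) -> list[dict]:
    """One finding per installed extension version; unapproved and riskiest first."""
    findings = []
    for manifest_path in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        perms = manifest_permissions(manifest)
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "allowed": ext_id in allowlist,
            "risky": sorted(p for p in perms if p in RISKY_PERMISSIONS),
            "broad_hosts": bool(perms & BROAD_HOST_PATTERNS),
            "score": risk_score(perms),
            # A missing or non-store update_url means the developer, not the store,
            # controls what the silent auto-update mechanism delivers next.
            "update_url": manifest.get("update_url", ""),
        })
    return sorted(findings, key=lambda f: (f["allowed"], -f["score"]))


# Constructed sample manifests. IDs use Chrome's 32-letter a-p alphabet but are
# placeholders, not real store IDs.
SAMPLE_EXTENSIONS = {
    "abcdefghijklmnopabcdefghijklmnop": {
        "manifest_version": 3, "name": "Corporate SSO Helper", "version": "1.4.0",
        "permissions": ["storage"], "host_permissions": ["https://sso.example.com/*"],
        "update_url": "https://clients2.google.com/service/update2/crx"},
    "bcdefghijklmnopabcdefghijklmnopa": {
        "manifest_version": 3, "name": "Wallpaper Tab", "version": "2.0.1",
        "permissions": ["cookies", "tabs", "scripting", "webRequest"],
        "host_permissions": ["<all_urls>"],
        "update_url": "https://clients2.google.com/service/update2/crx"},
    "cdefghijklmnopabcdefghijklmnopab": {
        "manifest_version": 2, "name": "PDF Converter", "version": "0.9",
        "permissions": ["downloads", "https://*/*"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]},
}
SAMPLE_ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}  # what the organization approved


def build_sample_profile(profile_dir: str) -> None:
    for ext_id, manifest in SAMPLE_EXTENSIONS.items():
        ext_dir = Path(profile_dir, "Extensions", ext_id, manifest["version"])
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo_findings() -> list[dict]:
    """Build the sample profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return audit_profile(tmp, SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    for f in demo_findings():
        status = "ok         " if f["allowed"] else "NOT ALLOWED"
        print(f"{status} {f['id']} {f['name']!r} v{f['version']} score={f['score']} "
              f"risky={f['risky']} broad_hosts={f['broad_hosts']}")
```

To run it against a real machine, point `audit_profile` at the profile directory (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default` for Chrome or `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default` for Edge) and pass the IDs your organization has approved. Note the caveat the ShadyPanda timeline implies: a clean manifest today says nothing about the next version, so the inventory has to be re-run after every update, and a permission set that grows between versions deserves the same scrutiny as a new install.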
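The two patterns named above, unexpected token reuse and impossible travel, can be expressed as simple rules over sign-in logs. The code below is an added example written for this article; it is not an LMG Security tool, not Slack's implementation, and not any identity provider's built-in rule. The sample events are constructed to resemble identity-provider sign-in records (Entra ID or Google Workspace style), and the field names, thresholds and coordinates are this example's assumptions, so map them to your own log schema.

```python
"""Detect stolen-session reuse in identity-provider sign-in logs.

Added example for this article; not an LMG Security tool and not a vendor's
built-in rule. The events are constructed to look like Entra ID / Google
Workspace sign-in records; the field names are this example's own. Two rules:
  token_replay       one session ID presented from a new IP and user agent
                     without a fresh interactive MFA sign-in
  impossible_travel  consecutive sign-ins by one user too far apart to travel
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner speed; an assumed threshold
MIN_TRAVEL_KM = 50.0              # ignore geolocation jitter within a metro area

# Constructed sample log: alice signs in with MFA from the office, refreshes
# normally, then her session cookie is replayed from another network and
# browser with no MFA prompt. bob drives to another office, which is fine.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T08:02:11Z", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.10", "ua": "Chrome/123 Windows", "lat": 47.61, "lon": -122.33,
     "interactive": True, "mfa": True},
    {"ts": "2025-03-04T08:40:00Z", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.10", "ua": "Chrome/123 Windows", "lat": 47.61, "lon": -122.33,
     "interactive": False, "mfa": False},
    {"ts": "2025-03-04T09:15:42Z", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.77", "ua": "Firefox/120 Linux", "lat": 52.52, "lon": 13.40,
     "interactive": False, "mfa": False},
    {"ts": "2025-03-04T10:00:00Z", "user": "bob@example.com", "session": "s-2002",
     "ip": "203.0.113.12", "ua": "Edge/123 Windows", "lat": 47.61, "lon": -122.33,
     "interactive": True, "mfa": True},
    {"ts": "2025-03-04T12:30:00Z", "user": "bob@example.com", "session": "s-2003",
     "ip": "203.0.113.55", "ua": "Edge/123 Windows", "lat": 45.52, "lon": -122.68,
     "interactive": True, "mfa": True},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_token_replay(events: list[dict]) -> list[dict]:
    """A session minted on one device and later used from another, with no
    interactive MFA sign-in in between, is the signature of a stolen cookie."""
    alerts = []
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda ev: ev["ts"]):
        by_session[ev["session"]].append(ev)
    for sid, evs in by_session.items():
        seen_devices: set[tuple[str, str]] = set()
        for ev in evs:
            device = (ev["ip"], ev["ua"])
            if device not in seen_devices and seen_devices and not (ev["interactive"] and ev["mfa"]):
                # A changed user agent mid-session is stronger evidence than a new IP
                # alone (laptops roam between networks; they do not change browser).
                ua_known = any(ua == ev["ua"] for _, ua in seen_devices)
                alerts.append({"rule": "token_replay", "user": ev["user"], "session": sid,
                               "ts": ev["ts"], "now": device, "known": sorted(seen_devices),
                               "severity": "medium" if ua_known else "high"})
            seen_devices.add(device)
    return alerts


def detect_impossible_travel(events: list[dict], max_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> list[dict]:
    """Consecutive sign-ins by one user whose implied speed exceeds max_kmh."""
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda ev: ev["ts"]):
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if km >= MIN_TRAVEL_KM and (hours == 0 or km / hours > max_kmh):
                alerts.append({"rule": "impossible_travel", "user": user, "ts": cur["ts"],
                               "km": round(km), "hours": round(hours, 2)})
    return alerts


def run_detections(events: list[dict] = SAMPLE_EVENTS) -> list[dict]:
    return detect_token_replay(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed sample this raises a high-severity `token_replay` for alice's session (new IP and new browser, no MFA) and an `impossible_travel` alert for the same hop. The replay rule is the one worth tuning first: it fires on the stolen-cookie case that MFA alone cannot stop, and a user agent change mid-session is the distinguishing signal, since a replayed cookie is normally presented from the attacker's browser rather than the victim's.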
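Steps 1 and 4 above (an enforced allowlist, blocked personal sync, and remote removal of a known-bad extension) all land in the same policy file. The snippet below is an added example for this article, not LMG Security's guidance text or a vendor sample; it uses Google Chrome's documented enterprise policy names, which Microsoft Edge shares for these settings. On Linux it is dropped into `/etc/opt/chrome/policies/managed/`; on Windows and macOS the same keys are delivered through GPO/ADMX or a managed plist. The extension IDs and the `example.com` domain are placeholders.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_permissions": ["cookies", "webRequest", "webRequestBlocking", "debugger", "proxy"],
      "runtime_blocked_hosts": [
        "*://login.microsoftonline.com",
        "*://*.sharepoint.com",
        "*://accounts.google.com"
      ]
    },
    "abcdefghijklmnopabcdefghijklmnop": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    },
    "cdefghijklmnopabcdefghijklmnopab": {
      "installation_mode": "allowed"
    },
    "bcdefghijklmnopabcdefghijklmnopa": {
      "installation_mode": "removed"
    }
  },
  "BrowserSignin": 1,
  "RestrictSigninToPattern": ".*@example\\.com",
  "SyncTypesListDisabled": ["extensions", "apps"]
}
```

The `"*"` entry is the default for every extension not listed: nothing installs, and even an approved extension cannot hold the cookie and web-request permissions or touch the identity-provider hosts, which is the reach the compromised extensions used. If an approved extension genuinely needs one of those permissions, grant it back per ID with `allowed_permissions` rather than loosening the default. `"removed"` uninstalls an extension that is already present on every managed device. `RestrictSigninToPattern` keeps personal Google accounts, and therefore their synced extensions, out of the work profile, and `SyncTypesListDisabled` stops extension sync even for the corporate account. Verify the applied result on a client at `chrome://policy` or `edge://policy`.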
Conclusion: Don’t Let an Extension Become Your Weakest Link
ShadyPanda demonstrated that attackers don’t need zero-days to infiltrate millions of systems. They just need patience, trust, and an overlooked extension ecosystem.
Now is the time to strengthen extension governance, harden identity protections, and close the browser blind spot.
If your team wants help auditing your extension risks or strengthening your cloud identity defenses, contact our LMG Security team.