Malicious browser extensions affect 4.3 million users


A long-running malware campaign quietly evolved over several years and turned trusted Chrome and Edge extensions into spyware. A detailed report by Koi Security reveals that the ShadyPanda operation affected 4.3 million users who downloaded extensions later updated with hidden malicious code.

These extensions started out as simple wallpapers or productivity tools that seemed harmless. Years later, silent updates added surveillance features that most users couldn’t detect.


Malicious extensions spread through trusted browsers and silently collect user data for years. (Kurt “CyberGuy” Knutsson)

How the ShadyPanda campaign developed

The operation included 20 malicious Chrome extensions and 125 in the Microsoft Edge add-on store. Many first appeared in 2018 with no obvious warning signs. Five years later, the extensions began receiving phased updates that changed their behavior.

Koi Security discovered that these updates were deployed through each browser’s trusted automatic update system. Users didn’t need to click anything. No phishing. No fake alerts. Just silent version updates that slowly turned safe extensions into powerful tracking tools.


WeTab works as a sophisticated surveillance platform disguised as a productivity tool. (Koi)

What extensions were doing behind the scenes

Once activated, the extensions injected tracking code into real links to earn revenue from users’ purchases. They also hijacked searches, redirected queries, and recorded data for sale and manipulation. ShadyPanda collected an unusually wide range of personal information, including browsing history, search terms, cookies, keystrokes, fingerprint data, local storage, and even mouse movement coordinates. As the extensions gained credibility in stores, attackers pushed a backdoor update that allowed hourly remote code execution. That gave them full control of the browser, allowing them to monitor visited websites and extract persistent identifiers.

The researchers also discovered that the extensions could launch adversary-in-the-middle attacks. This allowed credential theft, session hijacking, and code injection into any website. If users opened developer tools, the extensions switched to a harmless mode to avoid detection. Google removed the malicious extensions from the Chrome Web Store. We reached out to the company and a spokesperson confirmed that none of the listed extensions are currently available on the platform.

Meanwhile, a Microsoft spokesperson told CyberGuy: “We have removed all extensions identified as malicious in the Edge add-on store. When we become aware of cases that violate our policies, we take appropriate action including, but not limited to, removing prohibited content or terminating our publishing agreement.”

Most of you won’t need the full technical IDs used in the ShadyPanda campaign. These indicators of compromise are primarily for security researchers and IT teams. Regular users should focus on checking their installed extensions by following the steps in the guide below.

You can review the full list of affected Chrome and Edge extensions, with each ID linked to the ShadyPanda campaign, by clicking here and scrolling down to the end of the page.

How to check if your browser contains these extension IDs

Below is a simple step-by-step way to check if any malicious extension IDs are installed.

For Google Chrome

Open Chrome.

Type chrome://extensions in the address bar.

Press Enter.

Find each extension ID.

Click Details under any extension.

Scroll down to the Extension ID section.

Compare the ID with the lists referenced above.

If you find a match, remove the extension immediately.

For Microsoft Edge

Open Edge.

Type edge://extensions in the address bar.

Press Enter.

Click Details below each extension.

Scroll to find the Extension ID.

If an ID appears in the lists, remove the extension and restart the browser.
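
On a machine with several browser profiles, the same check can be scripted. This is an added example, not code from the article or from Koi Security: it assumes the default Chrome and Edge profile locations, and it reads the IDs from a text file you create from the published list (no campaign IDs are reproduced here).

```python
import json
import re
import sys
from pathlib import Path

# Chrome and Edge extension IDs are 32 characters from the alphabet a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

def user_data_dirs(home=None):
    """Default Chrome and Edge user-data directories for the current OS."""
    home = Path(home) if home else Path.home()
    if sys.platform.startswith("win"):
        base = home / "AppData" / "Local"
        return [base / "Google" / "Chrome" / "User Data",
                base / "Microsoft" / "Edge" / "User Data"]
    if sys.platform == "darwin":
        base = home / "Library" / "Application Support"
        return [base / "Google" / "Chrome", base / "Microsoft Edge"]
    return [home / ".config" / "google-chrome", home / ".config" / "microsoft-edge"]

def installed_extensions(user_data):
    """Yield (profile, extension_id, version, name) for each version on disk."""
    for ext_dir in sorted(Path(user_data).glob("*/Extensions/*")):
        if not (ext_dir.is_dir() and EXT_ID.match(ext_dir.name)):
            continue
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:
                manifest = json.loads((ver_dir / "manifest.json").read_text("utf-8-sig"))
            except (OSError, ValueError):
                manifest = {}  # unreadable manifest: still report the ID
            if not isinstance(manifest, dict):
                manifest = {}
            yield (ext_dir.parent.parent.name, ext_dir.name,
                   manifest.get("version", ver_dir.name), manifest.get("name", "?"))

def find_matches(user_data, bad_ids):
    """Return the installed extensions whose ID is in the indicator list."""
    bad = {i.strip().lower() for i in bad_ids if i.strip()}
    return [row for row in installed_extensions(user_data) if row[1] in bad]

if __name__ == "__main__":
    # Optional argument: text file with one extension ID per line, copied from
    # the published list. Without it, every installed extension is listed.
    bad_ids = Path(sys.argv[1]).read_text().split() if len(sys.argv) > 1 else None
    for data_dir in user_data_dirs():
        rows = (installed_extensions(data_dir) if bad_ids is None
                else find_matches(data_dir, bad_ids))
        for profile, ext_id, version, name in rows:
            tag = "INSTALLED" if bad_ids is None else "MATCH"
            print(f"{tag}  {data_dir.name}/{profile}  {ext_id}  {version}  {name}")
```

Extensions loaded unpacked in developer mode live outside these folders and are not covered. The name field may show a placeholder such as `__MSG_appName__` for localized extensions, so match on the ID rather than the name.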


A few simple security steps can block hidden threats and help keep your browsing safer. (Kurt “CyberGuy” Knutsson)

How to protect your browser from malicious extensions

You can take some quick actions that will help you lock down your browser and protect your data.

1) Remove suspicious extensions

Before removing anything, check your installed extensions against the IDs referenced in the previous section. Most of the malicious extensions were wallpapers or productivity tools. Three of the most mentioned are Clean Master, WeTab and Infinity V Plus. If you installed any of these or something similar, remove it now.

2) Reset your passwords

These extensions have access to sensitive data. Resetting your passwords protects you from possible misuse. A password manager makes the process easy and creates strong passwords for each account.

Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

3) Use a data deletion service to reduce tracking

ShadyPanda collected browsing activity, identifiers, and behavioral signals that can be matched against what data brokers already have. A data removal service helps you take back your privacy by scanning people search sites and broker databases to locate your exposed information and delete it. This limits the amount of your digital footprint that can be linked, sold, or used for targeted scams.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.


4) Install powerful antivirus software

An antivirus may not have detected this specific threat due to the way it works. Still, it can block other malware, scan for spyware, and flag unsafe sites. Many antivirus tools include cloud backup and VPN options to add more protection.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

5) Limit your extensions

Each extension adds risk. Stick with well-known developers and look for recent reviews. If an extension asks for permissions it shouldn’t need, walk away.


Kurt’s Key Takeaways

ShadyPanda ran for years without raising any alarms and showed how creative attackers can be. A trusted extension can become spyware through a silent update, making it even more important to be alert to changes in browser behavior. You protect yourself by installing fewer extensions, checking them from time to time, and watching for anything that seems out of place. Small steps help reduce your exposure and the chances that hidden code can track what you do online.

Have you ever found an extension on your browser that you didn’t remember installing or one that started acting strangely? How did you handle it? Let us know by writing to us at Cyberguy.com.


Copyright 2025 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.
