A multi-year malware campaign named ShadyPanda quietly turned seemingly harmless Chrome and Edge extensions into spyware that reached millions. Security researchers traced staged updates that slipped surveillance code into wallpaper and productivity add-ons, exposing browsing data, credentials, and persistent identifiers. Browser stores eventually removed the offending extensions after investigators documented the scheme and its widespread impact. This article walks through what happened, how the attack worked, and practical steps to check your browser extensions and limit exposure.
The operation affected roughly 4.3 million users who installed extensions that later received hidden malicious updates. Many of those add-ons first appeared as innocent tools like wallpaper changers and simple utilities before their behavior shifted years later. Attackers exploited the browsers’ trusted auto-update mechanisms to push the changes without any user action or obvious warning signs.
Once active, the compromised extensions injected tracking code into real links to collect affiliate revenue, hijacked searches and redirected queries, and logged a broad range of signals. Collected data included browsing history, search terms, cookies, keystrokes, fingerprinting details, local storage, and even mouse movement coordinates. Researchers also reported the introduction of a backdoor capable of hourly remote code execution, giving attackers deep browser access and the ability to exfiltrate persistent identifiers.
Beyond simple tracking, the extensions demonstrated the capability to mount adversary-in-the-middle attacks that could steal credentials, hijack sessions, and inject code into web pages. The malicious samples were careful to avoid detection: when developer tools were opened they switched to an inert mode so casual inspection would miss the malicious behavior. Google removed the malicious extensions from the Chrome Web Store and a spokesperson confirmed that none of the extensions listed are currently live on the platform.
Microsoft likewise took action to clear the Edge Add-ons store and stated its position firmly: “We have removed all the extensions identified as malicious on the Edge Add-on store. When we become aware of instances that violate our policies, we take appropriate action that includes, but is not limited to, the removal of prohibited content or termination of our publishing agreement.” These removals help, but they do not erase the data that was already siphoned off.
If you want to check your own browser, start by opening Chrome and visiting the extensions page. Look through each installed add-on, click Details, and note the Extension ID to compare with known bad identifiers. If you find a match, remove the extension right away and restart the browser to clear any lingering in-memory state.
Do the same for Edge by opening its extensions page and inspecting the details for each item. Record the Extension ID and remove anything suspicious or unknown, then restart the browser. Many of the offending tools were wallpaper or productivity extensions, including familiar names like Clean Master, WeTab, and Infinity V Plus, so delete anything with an unfamiliar or risky name and permissions.
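The manual check above (chrome://extensions and edge://extensions, then Details, then the Extension ID and permissions) can be repeated with a script that reads the same information from the browser profile on disk. The following Python audit is an added example, not part of the original article and not a Google or Microsoft tool: it walks a Chromium-family profile's Extensions folder, resolves each add-on's name and version from its manifest.json, compares the ID against a blocklist you supply, flags the broad permissions this campaign relied on (all-URL host access, webRequest, cookies, tabs, history), and reports any extension whose update_url is not the Chrome Web Store or Edge Add-ons store endpoint. The two extension IDs, the permission review list and the two sample extensions are constructed for the offline demo; the article publishes no extension IDs, so the blocklist must be filled from the researchers' indicators.

```python
"""Audit installed Chromium-family extensions: list IDs, names and permissions,
match IDs against a blocklist, and flag broad permissions or non-store updates.
Added example for this article; assumes the standard <id>/<version>/manifest.json
profile layout used by Chrome and Edge."""
import json
import sys
import tempfile
from pathlib import Path

# update_url values that the Chrome Web Store and the Edge Add-ons store stamp
# into the manifest of extensions installed from the store.
STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}
# Assumed review list: permissions and host patterns that let an extension read
# or rewrite browsing activity broadly. Tune it to your own policy.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
                     "history", "tabs", "webNavigation", "scripting", "clipboardRead",
                     "*://*/*", "http://*/*", "https://*/*"}
# Default profile extension folders on Linux; pass another root on the command
# line for a Windows or macOS profile.
DEFAULT_ROOTS = [Path.home() / ".config/google-chrome/Default/Extensions",
                 Path.home() / ".config/microsoft-edge/Default/Extensions"]
# Constructed extension IDs for the offline demo (not real campaign indicators).
BENIGN_ID = "abcdefghijklmnopabcdefghijklmnop"
SUSPECT_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"


def _resolve_name(manifest, version_dir):
    """Resolve a localized __MSG_key__ name from _locales/<locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = manifest.get("default_locale", "en")
    try:
        messages = json.loads((version_dir / "_locales" / locale / "messages.json").read_text("utf-8"))
        return messages[name[6:-2]]["message"]
    except (OSError, KeyError, ValueError):
        return name  # keep the placeholder if the locale file is missing


def audit_extension(ext_dir, blocklist):
    """Inspect <id>/<version>/manifest.json and return the findings for one extension."""
    versions = sorted(p for p in ext_dir.iterdir() if p.is_dir())
    if not versions:
        return {"id": ext_dir.name, "name": "?", "version": None, "findings": ["no version directory"]}
    vdir = versions[-1]  # lexicographically newest version folder
    manifest = json.loads((vdir / "manifest.json").read_text("utf-8"))
    findings = []
    if ext_dir.name in blocklist:
        findings.append("id is on the blocklist")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = sorted(perms & BROAD_PERMISSIONS)
    if broad:
        findings.append("broad permissions: " + ", ".join(broad))
    update_url = manifest.get("update_url")
    if update_url not in STORE_UPDATE_URLS:
        findings.append(f"update_url is not a store URL: {update_url!r}")
    return {"id": ext_dir.name, "name": _resolve_name(manifest, vdir),
            "version": manifest.get("version"), "findings": findings}


def audit_profile(extensions_root, blocklist):
    """Audit every extension directory under a profile's Extensions folder."""
    root = Path(extensions_root)
    return [audit_extension(d, set(blocklist)) for d in sorted(root.iterdir()) if d.is_dir()]


def build_fixture(root):
    """Write a constructed two-extension Extensions folder for the offline demo."""
    root = Path(root)
    benign = root / BENIGN_ID / "1.0.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Constructed Notes", "version": "1.0.0",
        "permissions": ["storage"], "update_url": "https://clients2.google.com/service/update2/crx"}))
    suspect = root / SUSPECT_ID / "2.4.1_0"
    (suspect / "_locales" / "en").mkdir(parents=True)
    (suspect / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en", "version": "2.4.1",
        "permissions": ["storage", "tabs", "cookies", "webRequest"], "host_permissions": ["<all_urls>"],
        "update_url": "https://updates.example.invalid/crx"}))
    (suspect / "_locales/en/messages.json").write_text(json.dumps({"appName": {"message": "Constructed Wallpaper Tool"}}))
    return root


def demo_audit():
    """Run the audit against the constructed fixture; returns results keyed by ID."""
    with tempfile.TemporaryDirectory() as tmp:
        results = audit_profile(build_fixture(Path(tmp) / "Extensions"), {SUSPECT_ID})
    return {r["id"]: r for r in results}


def report(results):
    """Print one line per extension plus its findings, if any."""
    for r in results:
        status = "REVIEW" if r["findings"] else "ok"
        print(f"{status:6} {r['id']} {r['name']!r} v{r['version']}")
        for f in r["findings"]:
            print(f"         - {f}")


if __name__ == "__main__":
    # Usage: python audit_extensions.py [EXTENSIONS_ROOT ...] [KNOWN_BAD_ID ...]
    # Any 32-letter argument is treated as an extension ID to block.
    args = sys.argv[1:]
    block = {a for a in args if len(a) == 32 and a.isalpha()}
    roots = [Path(a) for a in args if a not in block] or [r for r in DEFAULT_ROOTS if r.exists()]
    if not roots:
        report(list(demo_audit().values()))  # no profile found: show the constructed demo
    for root in roots:
        report(audit_profile(root, block))
```

A REVIEW line is a prompt to look, not a verdict: many legitimate extensions need tabs or all-URL access, so the useful signals are the combination of a blocklisted ID, an update_url outside the two stores (an extension that was sideloaded or updates from its own server), and permissions the add-on's stated purpose does not explain. Run it against every profile on the machine, not just Default.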
After removing suspect extensions, change passwords for accounts you accessed while the spyware might have been active and enable two-factor authentication wherever possible. A password manager helps create and store strong, unique passwords so a breach of one account does not domino into others. Also scan your email addresses in breach-checking tools and update any reused credentials immediately.
Antivirus and endpoint tools may not have detected this campaign because of how updates were rolled out, but good security software still matters for blocking other threats and flagging suspicious behavior. Limit the number of extensions you install, stick to well-known developers, and be cautious when an extension requests broad permissions it does not need. Those small habits reduce the chance that a trusted add-on can silently morph into spyware and cause long-term exposure.
