Browser Extension Risk Guide After The Shadypanda Campaign 2025

In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale.

A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. In total, about 4.3 million users installed these once-legitimate add-ons, which suddenly went rogue with spyware and backdoor capabilities.

This tactic was essentially a browser extension supply-chain attack.

The ShadyPanda operators even earned featured and verified badges in the official Chrome Web Store and Microsoft Edge Add-ons site for some extensions, reinforcing user confidence. Because extension updates happen automatically in the background, the attackers were able to push out malicious code without users noticing a thing.

Once activated in mid-2024, the compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser. They could download and run arbitrary JavaScript with full access to the browser's data and capabilities. This gave the attackers a range of spyware powers, from monitoring every URL and keystroke, to injecting malicious scripts into web pages, to exfiltrating browsing data and credentials.

In this case, millions of stolen session tokens could have led to unauthorized access to enterprise emails, files, chat messages, and more, all without triggering the usual security alarms. Traditional identity defenses like MFA were bypassed, because the browser session was already authenticated and the extension was piggybacking on it.

This blurs the line between endpoint security and cloud security. A malicious extension can be run on the user's device (an endpoint issue), but it directly compromises cloud accounts and data (an identity/SaaS issue). ShadyPanda vividly shows the need to bridge endpoint and SaaS identity defense: security teams should think about treating the browser as an extension of the SaaS attack surface.

So based on all of this, what can organizations do to reduce the risk of another ShadyPanda situation? Below is a practical guide with steps to tighten your defenses against malicious browser extensions.

Start by regaining control over which extensions can run in your environment. Conduct an audit of all extensions installed across the company's browsers (both

Source: The Hacker News