Malware-Ridden Browser Extensions Infect 4.3M Chrome and Edge Users

A malicious browser extension campaign, dubbed ShadyPanda by researchers at Koi, has infected over 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware. The attackers published legitimate extensions that accumulated thousands of downloads over several years, then pushed a malware-laden update that was automatically installed across the entire user base.

Five extensions with more than 4 million installs are still live in the Microsoft Edge store, and researchers say two campaigns are still active. One campaign infected 300,000 users with a backdoor that enables remote code execution, while another redirected every user’s search to a browser-hijacking website, exfiltrating cookies and logging keystrokes.

The malware, which allows complete browser surveillance, sends stolen data to servers in China and contains anti-analysis capabilities to evade detection. Some extensions have been removed from both marketplaces, but the infrastructure for full-scale attacks remains deployed on all infected browsers.

Source: https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions