After five years, browser extensions turned malicious
- ShadyPanda campaign turned 145 Chrome/Edge extensions malicious after years of normal use
- Updates added affiliate fraud, cookie theft, search hijacking, and remote code execution
- 4.3M devices at risk; Google removed extensions, Microsoft slower to respond
More than a hundred browser extensions spread across Google Chrome and Microsoft Edge turned malicious after five years of “normal” operation. The attackers were apparently playing a long con, building trust for years before pulling the trigger on unsuspecting victims. Around 4.3 million devices are apparently at risk.
This is according to security researchers Koi Security, who discovered the campaign and later dubbed it ShadyPanda.
As per the report, the extensions started showing up on browser stores in 2018. They operated normally, offering users different features like wallpapers or productivity improvements. However, from 2023 onward, the extensions started getting updates which gradually introduced malicious capabilities.
Remote code execution and infostealing
In 2023, the attackers started with affiliate fraud, adding tracking codes from eBay, Amazon, Booking[.]com, and other sites into legitimate links. That way, they were earning commission on users’ purchases without their knowledge or consent.
This practice lasted for about a year before the attackers decided to take it a step further, stealing session cookies and hijacking search engine results. Some of the extensions redirected search queries to different (dubious) search engines, some exfiltrated them to different subdomains, and some simply forwarded session cookies.
That same year, some of the extensions were also updated to include remote code execution (RCE) capabilities, effectively turning them into a backdoor.
Finally, in 2025, the last update allowed the attackers to steal all sorts of sensitive information, from complete browser histories to search queries and mouse click locations. They were also collecting browser fingerprints and page interaction analysis, and accessing localStorage, sessionStorage, and cookies.
The list of extensions is quite extensive. There are 125 of them for Edge, and 20 for Chrome. Google has reportedly already removed all that were hosted on its repository, while Microsoft seems to be lagging behind a bit. To check the full list of malicious extensions, make sure to read Koi Security’s full report here.
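For readers who want to see which installed extensions could reach the kinds of data described above, here is a small audit script. It is an added example, not code from Koi Security's report or from this article, and it flags permissions, not malicious behaviour, since plenty of legitimate extensions request the same access. It assumes the Chromium profile layout `Extensions/<extension id>/<version>/manifest.json`; the function names, the choice of flagged permissions and the sample manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Permissions that map to the data types named in the article (editor's selection).
RISKY_API = {"cookies": "cookie access", "history": "browsing history",
             "tabs": "URLs of open tabs", "webRequest": "network requests",
             "scripting": "script injection into pages"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (MV2 or MV3)."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    findings = [f"{p}: {RISKY_API[p]}" for p in sorted(declared & RISKY_API.keys())]
    # Content scripts matching every site can read page storage on those sites.
    matches = {m for s in manifest.get("content_scripts", []) for m in s.get("matches", [])}
    hosts = (declared | matches) & BROAD_HOSTS
    if hosts:
        findings.append("broad host access: " + ", ".join(sorted(hosts)))
    return findings

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <extensions_dir>/<extension id>/<version dir>/manifest.json."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[path.parts[-3]] = ["unreadable manifest"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[f"{path.parts[-3]}@{manifest.get('version', '?')}"] = findings
    return report

def demo() -> dict[str, list[str]]:
    """Audit two constructed manifests (sample data, not real extensions)."""
    samples = {
        "exampleidaaaa/2.0.0_0": {"version": "2.0.0", "host_permissions": ["<all_urls>"],
                                  "permissions": ["cookies", "history", "storage"]},
        "exampleidbbbb/1.0.0_0": {"version": "1.0.0", "permissions": ["storage"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, manifest in samples.items():
            Path(tmp, rel).mkdir(parents=True)
            Path(tmp, rel, "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(Path(tmp))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To audit a real profile, pass its `Extensions` directory to `audit_profile()` and compare the extension IDs it reports against the list in Koi Security's report.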
Via BleepingComputer
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.