
A Browser Extension Risk Guide After the ShadyPanda Campaign

Published:

15 December 2025 at 11:55:00

Alert date:

15 December 2025 at 12:51:29

Source:

thehackernews.com


Web Technologies, Supply Chain & Dependencies, Ransomware & Malware, Identity & Access, Data Breach & Exfiltration

In December 2025, researchers exposed the ShadyPanda cybercrime campaign that hijacked popular Chrome and Edge browser extensions on a massive scale. The threat group spent seven years building trust by publishing harmless extensions, allowing them to gain millions of installs before suddenly converting them into malicious tools. This long-term supply chain attack demonstrates sophisticated patience-based tactics where legitimate extensions were weaponized after establishing user trust over extended periods.

Technical details

The ShadyPanda threat group conducted a seven-year supply-chain attack by publishing or acquiring legitimate Chrome and Edge browser extensions, keeping them clean for years to build trust and gain millions of installs, and then silently pushing malicious updates. The compromised extensions became a remote code execution (RCE) framework inside the browser, capable of downloading and running arbitrary JavaScript with full browser access. Key capabilities included monitoring URLs and keystrokes, injecting malicious scripts into web pages, exfiltrating browsing data and credentials, stealing session cookies and authentication tokens, and impersonating entire SaaS accounts by hijacking session tokens. The extensions carried featured and verified badges in the official stores and bypassed traditional MFA defenses by piggybacking on already authenticated browser sessions.

Mitigation steps:

1. Enforce extension allow lists and governance: audit all installed extensions, remove unnecessary ones, require a business justification for high-permission extensions, and use enterprise browser management tools.
2. Treat extension access like OAuth access: integrate extension oversight into IAM processes, map what data each extension can access, configure alerts for signs of session hijacking, and manage extensions with the same caution as other applications.
3. Audit extension permissions regularly: conduct quarterly reviews, check permissions and ownership changes, monitor publisher and update history, and watch for extensions requesting new permissions.
4. Monitor for suspicious extension behavior: implement logging and analysis of extension activity, monitor installations and updates, inspect browser logs, restrict or stage extension updates, and educate employees to report unusual extension behavior.
5. Consider dynamic SaaS security platforms such as Reco for unified visibility and real-time threat detection.
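As an added illustration of steps 1 and 3 (example code written for this page, not part of the original advisory or of any vendor tool), the script below checks an extension inventory against an allow list, flags manifests that request broad permissions, and reports permission creep between two inventory snapshots. The extension IDs, manifests and allow list are constructed sample data, not real extensions.

```python
"""Audit Chrome/Edge extension inventories: allow-list check, broad-permission
flags, and permission creep between two snapshots (constructed sample data)."""

# Permissions that give an extension the reach the advisory describes
# (reading every page, cookies, rewriting requests). Constructed watch list.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting",
                         "tabs", "history", "webNavigation", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _all_perms(manifest):
    """Union of API permissions and host permissions declared in a manifest."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def risk_flags(manifest):
    """Return the set of reasons a manifest deserves review (empty set = none)."""
    perms = _all_perms(manifest)
    flags = {"perm:" + p for p in perms & HIGH_RISK_PERMISSIONS}
    if perms & BROAD_HOSTS:
        flags.add("host:all-sites")
    return flags


def outside_allowlist(inventory, allowlist):
    """Extension IDs present in the inventory but not approved (step 1)."""
    return sorted(set(inventory) - set(allowlist))


def permission_creep(old_inventory, new_inventory):
    """Compare two {extension_id: manifest} snapshots (step 3): report extensions
    that are new and extensions whose permission set grew after an update."""
    report = {}
    for ext_id, new_m in new_inventory.items():
        new_set = _all_perms(new_m)
        if ext_id not in old_inventory:
            report[ext_id] = {"status": "new", "added": sorted(new_set)}
            continue
        added = new_set - _all_perms(old_inventory[ext_id])
        if added:
            report[ext_id] = {"status": "expanded", "added": sorted(added),
                              "versions": (old_inventory[ext_id].get("version"), new_m.get("version"))}
    return report


# Constructed snapshots with fake IDs: a "weather" extension that was clean for years
# and then gains cookie and all-site access in one update, plus an unapproved newcomer.
ALLOWLIST = {"aaaa-weather-example"}
BEFORE = {"aaaa-weather-example": {"version": "1.4.0", "permissions": ["storage", "alarms"],
                                   "host_permissions": ["https://api.weather.example/*"]}}
AFTER = {"aaaa-weather-example": {"version": "1.5.0", "host_permissions": ["<all_urls>"],
                                  "permissions": ["storage", "alarms", "cookies", "webRequest"]},
         "bbbb-new-example": {"version": "0.1", "permissions": ["tabs"], "host_permissions": []}}
```

Running `permission_creep(BEFORE, AFTER)` and `risk_flags` over the AFTER manifests is the quarterly review in miniature; in practice the snapshots would come from the browser management console or from exported profile manifests.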

Affected products:

Google Chrome browser extensions
Microsoft Edge browser extensions
Chrome Web Store
Microsoft Edge Add-ons site
Microsoft 365
Google Workspace
Slack
Salesforce

Related links:

Related CVEs:

Related threat actors:

IOCs:

Unusual network calls from extensions to unknown external domains
Extension files changing unexpectedly
Unusual login patterns, such as OAuth tokens used from different locations
Access attempts that bypass MFA checks
Extensions suddenly requesting broader permissions
New UI changes, unexpected pop-ups, or performance issues in long-installed extensions

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
