
A seven-year Chrome spying campaign went unnoticed — 145 extensions, 4.3M victims 👾


For nearly seven years, a large-scale spyware operation quietly unfolded on Google Chrome and Microsoft Edge — without raising the slightest alarm. Behind the campaign: a criminal group known as ShadyPanda, which managed to turn 145 originally legitimate extensions into full-blown surveillance tools. In total, more than 4.3 million users had their browsing activity siphoned off while Google remained unaware.

Extensions that looked perfectly safe 🧩

According to researchers at Koi Security, the compromised extensions, first published in 2018, showed no malicious behavior at launch. They were downloaded from the official stores, the Chrome Web Store and Edge Add-ons, and often boasted tens of thousands of positive reviews and even Google’s “Verified” badge.

That slow-burn strategy paid off. By behaving normally for years, the extensions built trust with both users and platform moderators, cementing their reputation as safe tools.

Everything changes in 2023 ⚠️

Suspicious behavior finally surfaced in 2023, when developer accounts controlled by ShadyPanda pushed a highly targeted “switch-update.” This update introduced:

  • a backdoor,
  • an embedded spying module,
  • large-scale data collection mechanisms.

The extensions suddenly became capable of harvesting:

  • full browsing history,
  • search queries,
  • all clicked links,
  • cookies,
  • browser technical data.

All of this information was quietly exfiltrated to servers operated by the group.

Even worse, the attackers could inject malicious scripts into HTTPS pages — potentially capturing login credentials or manipulating search results to redirect users to booby-trapped sites.

Silent updates, invisible attacks 🔄

ShadyPanda relied on the standard auto-update system built into Chrome and Edge. These updates, downloaded silently in the background, rarely attract attention.

Researchers note that extension stores “mainly review the initial submission, but barely monitor subsequent updates” — a long-known weakness that ShadyPanda exploited with surgical precision.
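Because the stores do little to re-examine updates, a defender can do a local check: compare each new version's `manifest.json` with the previous one and flag newly requested access that would enable the capabilities listed above. The sketch below is an example added here, not code from Koi Security or the article; the two manifests are constructed samples, and the mapping from capabilities to Chrome permission names is this example's assumption.

```javascript
// Chrome permissions that would enable the capabilities the article lists.
// The mapping is an assumption of this example, not taken from the research.
const SENSITIVE = new Map([
  ["history", "full browsing history"],
  ["cookies", "cookies"],
  ["tabs", "visited URLs and clicked links"],
  ["webNavigation", "visited URLs and clicked links"],
  ["webRequest", "observing or altering requests"],
  ["scripting", "script injection into pages"],
]);
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect what a manifest asks for. Manifest V2 mixes host patterns into
// "permissions"; Manifest V3 lists them under "host_permissions".
function requested(manifest) {
  const perms = new Set();
  const hosts = new Set(manifest.host_permissions || []);
  for (const p of manifest.permissions || [])
    (p === "<all_urls>" || p.includes("://") ? hosts : perms).add(p);
  for (const cs of manifest.content_scripts || [])
    for (const m of cs.matches || []) hosts.add(m);
  return { perms, hosts };
}

// Report sensitive access present in the new version but not in the old one.
function diffUpdate(oldManifest, newManifest) {
  const before = requested(oldManifest);
  const after = requested(newManifest);
  const findings = [];
  for (const p of after.perms)
    if (!before.perms.has(p) && SENSITIVE.has(p))
      findings.push(`new permission "${p}": ${SENSITIVE.get(p)}`);
  for (const h of after.hosts)
    if (!before.hosts.has(h) && BROAD_HOSTS.has(h))
      findings.push(`new broad host access "${h}"`);
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const OLD_MANIFEST = { manifest_version: 3, name: "Sample New Tab", version: "1.0.0",
  permissions: ["storage"] };
const NEW_MANIFEST = { manifest_version: 3, name: "Sample New Tab", version: "2.0.0",
  permissions: ["storage", "history", "cookies", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }] };

console.log(diffUpdate(OLD_MANIFEST, NEW_MANIFEST).join("\n"));
```

An update that only changes code under permissions the extension already held will not show up in this diff, so it complements, rather than replaces, reviewing what the new version's scripts actually do.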

A massive impact 🌐

Koi Security estimates that roughly 4.3 million people were affected by the operation.

“The actor learned how to game extension platforms. They built trust, accumulated loyal users, and then weaponized that trust through discreet updates,” the researchers summed up.

Among the compromised extensions were:

  • Clean Master
  • Speedtest Pro – Free Online
  • Internet Speed Test
  • BlockSite
  • Address Bar Search Engine Switcher
  • Infinity New Tab (multiple versions)
  • Dream Afar New Tab
  • OneTab Plus
  • Download Manager Pro
  • Halo 4K Wallpaper HD HomePage
  • Galaxy Theme Wallpaper HD

Google moves fast, Microsoft lags behind 🛡️

After being alerted by Koi Security, Google quickly removed all malicious extensions from the Chrome Web Store. Microsoft, however, has been slower to react — with some compromised extensions reportedly still available on Edge Add-ons.

This long-running operation is a stark reminder that browser extensions, despite their innocuous appearance, remain a powerful attack vector. Security experts are urging Google and Microsoft to tighten update controls and more actively monitor the evolution of extensions that have already passed initial review.

👉🏾 Do you regularly clean up your browser extensions? Tell us in the comments.

