ShadyPanda Spyware Hits 4.3M Browsers via Malicious Extensions

ShadyPanda’s 7-Year Browser Extension Campaign Infects Over 4.3 Million Users with Malicious JavaScript and Data Theft

  • A threat actor named ShadyPanda conducted a seven-year browser extension campaign with over 4.3 million installations.
  • Five extensions that were initially legitimate were altered in mid-2024 to execute malicious JavaScript hourly.
  • Extensions collected encrypted browsing history, detailed browser fingerprints, and could perform man-in-the-middle attacks.
  • A set of five other add-ons, including WeTab with three million installs, tracked user activity and sent data to servers in China.
  • Users are advised to remove these extensions and change credentials due to risks from silent malicious updates via trusted update channels.

A group known as ShadyPanda has been tied to a persistent browser extension campaign spanning seven years, accumulating more than 4.3 million installs. In mid-2024, five extensions that previously operated legitimately were updated to enable remote code execution, downloading and running arbitrary JavaScript with full browser control, according to a report by Koi Security. These extensions have since been removed.

Security researcher Tuval Admoni explained that these extensions monitored every website visit, exfiltrated encrypted browsing histories, and captured complete browser fingerprints. One of the affected extensions, Clean Master, was once verified by Google, allowing the attackers to silently push malicious updates without drawing attention.

An additional five extensions, including WeTab, which alone had three million downloads from the Microsoft Edge Addons store, were built to surveil users by recording URLs visited, search engine queries, and mouse clicks, and transmitting this information to Chinese servers. These add-ons also tracked interaction details like time spent on pages and scrolling behavior.

Initial suspicious activity appeared in 2023, with around 20 extensions on Chrome and 125 on Edge published under developer names “nuggetsno15” and “rocket Zhang.” These extensions disguised themselves as wallpaper or productivity tools and conducted affiliate fraud by injecting tracking codes on sites like eBay, Booking.com, and Amazon to illicitly generate commission.

By early 2024, the campaign escalated to direct browser control, intercepting and redirecting searches, harvesting search data, and stealing cookies from targeted domains. The malicious updates introduced a backdoor communicating with the domain “api.extensionplay[.]com” to retrieve harmful JavaScript hourly.

The extensions sent collected data in encrypted form to a server at “api.cleanmasters[.]store” while also employing obfuscation techniques to evade detection. They switched behavior to benign mode if developer tools were accessed. These extensions also enabled adversary-in-the-middle (AitM) attacks, which can steal credentials, hijack sessions, and inject code into websites.
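
For defenders, the hourly retrieval and the two domains named above give a simple hunting signal in DNS or proxy logs. The following is an added example, not code from the Koi Security report; the log format, host names, and timing thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

def refang(text):
    """Turn defanged 'a[.]b' notation back into 'a.b' for matching."""
    return text.replace("[.]", ".")

# Domains named in the article, kept defanged in source.
IOC_DOMAINS = {refang(d) for d in (
    "api.extensionplay[.]com",   # hourly JavaScript retrieval
    "api.cleanmasters[.]store",  # encrypted data exfiltration
)}

def parse(line):
    """Parse an assumed 'ISO-timestamp host domain' log line."""
    ts, host, domain = line.split()
    return datetime.fromisoformat(ts), host, domain.lower().rstrip(".")

def find_beacons(lines, period_s=3600, tolerance_s=300, min_hits=3):
    """Return {(host, domain): verdict} for hosts that contacted an IoC domain.
    'hourly-beacon' means at least min_hits requests, every gap within
    tolerance_s of period_s; anything else is reported as 'ioc-contact'."""
    seen = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, host, domain = parse(line)
            if domain in IOC_DOMAINS:
                seen[(host, domain)].append(ts)
    findings = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = all(abs(g - period_s) <= tolerance_s for g in gaps)
        hourly = len(stamps) >= min_hits and regular
        findings[key] = "hourly-beacon" if hourly else "ioc-contact"
    return findings

# Constructed sample log (not real telemetry); hosts ws-014/ws-022 are made up.
SAMPLE_LOG = refang("""\
2024-07-01T09:00:12 ws-014 api.extensionplay[.]com
2024-07-01T09:03:40 ws-014 www.example[.]org
2024-07-01T10:00:31 ws-014 api.extensionplay[.]com
2024-07-01T11:01:02 ws-014 api.extensionplay[.]com
2024-07-01T11:15:00 ws-022 api.cleanmasters[.]store
2024-07-01T12:00:48 ws-014 API.ExtensionPlay[.]com.
""").splitlines()

if __name__ == "__main__":
    for (host, domain), verdict in sorted(find_beacons(SAMPLE_LOG).items()):
        print(host, domain.replace(".", "[.]"), verdict)
```

Any hit on either domain warrants checking the host's installed extensions; the periodicity check only separates a steady hourly fetch from a one-off contact.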

Users who installed any of the flagged extensions are strongly advised to uninstall them immediately and update their passwords due to the high risk of surveillance and credential theft. As stated in the report, “The auto-update mechanism – designed to keep users secure – became the attack vector”, allowing trusted marketplaces to inadvertently distribute malware through silent updates.
