
Koi Security says the long-running ShadyPanda campaign covertly converted trustworthy Chrome and Edge extensions into spyware that reached about 4.3 million users via 20 Chrome and 125 Edge add-ons. The extensions first appeared around 2018 and were quietly repurposed years later through the browsers' automatic extension updates. The malicious updates injected tracking code, hijacked searches, logged extensive personal data (browsing history, cookies, keystrokes, fingerprints and mouse movements) and installed a backdoor enabling hourly remote code execution and adversary-in-the-middle attacks for credential theft and session hijacking, while evading analysis by reverting to benign behavior whenever developer tools were opened. Google and Microsoft have removed the identified extensions, but the episode underscores material supply-chain and third-party extension risk for consumers and enterprises, prompting immediate remediation (extension audits and removals, credential resets and endpoint controls) and raising potential reputational and regulatory concerns for platform ecosystems.
Koi Security's report documents the ShadyPanda campaign converting trusted Chrome and Edge extensions into spyware that reached roughly 4.3 million users via 20 malicious Chrome add-ons and 125 Edge extensions. Many of these extensions first appeared around 2018 and, according to the report, received staged silent auto-updates about five years later that turned benign tools into surveillance-capable code. Once updated, the extensions injected tracking code into links, hijacked searches, and logged browsing history, cookies, keystrokes, fingerprints, local storage and mouse coordinates; researchers also identified a backdoor permitting hourly remote code execution. The operation enabled adversary-in-the-middle attacks for credential theft and session hijacking, and it evaded detection by reverting to benign behavior when developer tools were opened. Google and Microsoft have removed the identified extensions from their stores. The incident highlights material third-party supply-chain and extension ecosystem risk for browser platform operators (GOOGL/GOOG, MSFT) and creates potential reputational and regulatory exposure for platforms and downstream enterprises. Immediate remediation steps called out in the article include extension audits and removals, password resets, endpoint controls and data-removal services; investors should monitor remediation timelines, any regulatory inquiries, and the potential implications for security vendors and platform operating costs.
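The extension audit called out above can be started from the browser profile itself. The script below is an added example, not code from Koi Security or the browser vendors: it walks the Chromium profile layout `Extensions/<id>/<version>/manifest.json` (shared by Chrome and Edge) and lists, per installed version, the permissions that give an extension the kind of reach the report describes, so an update that widened a once-benign extension's permissions stands out. The extension ids and manifests in the fixture are constructed.

```python
# Added example for the ShadyPanda report above; not Koi Security's or the browser vendors'
# code. Walks the Chromium profile layout Extensions/<id>/<version>/manifest.json (used by
# Chrome and Edge) and reports, per installed version, the permissions that give an
# extension the reach the report describes: every site, cookies, request interception.
import json
import tempfile
from pathlib import Path

RISKY = {"<all_urls>", "cookies", "webRequest", "webRequestBlocking",
         "scripting", "tabs", "history", "webNavigation"}
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def risk_of(manifest: dict) -> list:
    """Sorted subset of RISKY the manifest requests (handles MV2 and MV3 fields)."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))       # MV3 host access
    for cs in manifest.get("content_scripts", []):                # scripts on every page?
        requested |= set(cs.get("matches", []))
    if requested & ALL_HOSTS:
        requested.add("<all_urls>")
    return sorted(requested & RISKY)

def audit(extensions_dir: str) -> dict:
    """Map extension id -> {name, risky: {version: [perms]}}; >1 version = updated in place."""
    report = {}
    for ext in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        entry = {"name": None, "risky": {}}
        for mpath in sorted(ext.glob("*/manifest.json")):
            manifest = json.loads(mpath.read_text(encoding="utf-8"))
            entry["name"] = manifest.get("name", entry["name"])
            entry["risky"][mpath.parent.name] = risk_of(manifest)
        report[ext.name] = entry
    return report

def build_sample_dir() -> str:
    """Constructed fixture (made-up ids): a benign 1.0 that a silent 2.0 update widens."""
    root = Path(tempfile.mkdtemp())
    fixtures = {
        ("sample-weather-ext", "1.0.0_0"): {"name": "Weather", "permissions": ["storage"]},
        ("sample-weather-ext", "2.0.0_0"): {
            "name": "Weather", "permissions": ["storage", "cookies", "webRequest"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["track.js"]}]},
        ("sample-theme-ext", "1.0.0_0"): {"name": "Dark Theme", "permissions": []},
    }
    for (ext_id, ver), manifest in fixtures.items():
        (root / ext_id / ver).mkdir(parents=True)
        (root / ext_id / ver / "manifest.json").write_text(json.dumps(manifest))
    return str(root)
```

On a real host, point `audit()` at the profile's extension directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` or `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions` on Windows) and compare the reported ids against the vendors' removal notices before deciding what to uninstall.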
Overall Sentiment: moderately negative
Sentiment Score: -0.50