...
...
Next Story

Are your browser extensions safe? 4 million users hit by malware - Here’s how to protect yourself

Millions of users have been affected by a spyware campaign that has hijacked popular browser extensions. Here’s how it works and how to stay safe.

Published on: Dec 04, 2025 10:39 AM IST

A long-running malware campaign has turned browser extensions on Chrome and Edge into spyware, affecting more than 4 million users, according to a report by Koi Security. The operation, known as ShadyPanda, used updates to legitimate extensions to introduce harmful features over time.

Millions of users unknowingly installed browser extensions that secretly collected data and turned into spyware over time. (Pexels)
Millions of users unknowingly installed browser extensions that secretly collected data and turned into spyware over time. (Pexels)

Ijaj Khan is a technology journalist and Senior Content Producer at Hindustan Times, with over three years of experience covering the consumer technology industry. His work spans smartphones, laptops, wearables, gaming, appliances and AI - from hands-on reviews, comparison and buying guides to breaking news and in-depth features that help readers cut through the noise and make informed decisions. Before joining HT Tech, he worked with Jagran New Media, where he sharpened his instincts for fast-paced digital reporting. He holds a Post Graduate Diploma in English Journalism and Mass Communication from the Indian Institute of Mass Communication (IIMC), Delhi. Whether he's testing the latest flagship smartphone, tracking a major AI announcement, or putting a gaming laptop through its paces, Ijaj approaches every story with the same goal - making technology feel relevant and easy to understand for everyday users, not just enthusiasts. When he's not in front of a screen for work, he's usually travelling to a new city, hunting for great food, or keeping tabs on what's next in tech before everyone else catches on.

Read moreRead less

Microsoft confirmed that it has removed all flagged extensions from the Edge Add-ons store. “When we find content that violates our policies, we remove it or end the publishing agreement,” a spokesperson said.

ShadyPanda involved 20 extensions on the Chrome Web Store and 125 on Edge. The first extensions appeared in 2018, but malicious behaviour did not emerge until 2023, when tools posing as wallpapers or productivity apps began injecting harmful code.

Also read: Spotify Wrapped 2025 live: Check your ‘Listening Age’, top artists, and yearly trends

The campaign operated through the browsers’ automatic update systems, silently delivering malware without phishing or social engineering. Koi Security explained that the updates turned trusted extensions into surveillance platforms.

How ShadyPanda Worked

The compromised extensions tracked user activity and monetised it. They injected tracking codes into links, redirected search queries, and collected browsing history, keystrokes, cookies, and other data. Some updates included backdoors that allowed remote code execution, giving attackers full access to the browser. This enabled monitoring of visited websites, credential theft, session hijacking, and other adversary-in-the-middle attacks. Extensions also masked their behaviour when users accessed developer tools.

While Google removed the extensions from the Chrome store, some remain on the Edge platform. One extension reportedly has over 3 million installs, though the numbers may be inflated.

Also read: Google plans major Gemini app update with focus on UX, macOS app coming next

How to Protect Yourself:

  1. Remove suspicious wallpaper or productivity extensions immediately. Notably affected extensions include Clean Master, WeTab, and Infinity V+.
  2. Reset passwords on all online accounts. Using a password manager can help generate strong, unique passwords.
  3. Install antivirus software with browser protection to detect malware, spyware, and unsafe websites.
  4. Limit the number of extensions and check reviews and permissions before installing new ones.

 
SHARE THIS ARTICLE ON