Back to articles

ShadyPanda: how to find browser extensions that turned malicious after you installed them

ShadyPanda ran 145 malicious extensions on Chrome and Edge for 6 years, from affiliate fraud to keylogging spyware with 4.3M installs. How to check yours.

Maxim Kosterin
8 min read

Here's a scenario that should concern you: you installed a shopping assistant or screenshot utility back in 2020. It worked fine. No strange pop-ups, no obvious slowdown. You forgot it was there. Then, sometime in the last year or two, it quietly became a keylogger — recording every keystroke you typed and sending it, along with your full browsing history, to servers in China.

That's not a hypothetical. That's what happened to roughly 4.3 million users of extensions in the ShadyPanda campaign, disclosed by Koi Security researchers and reported by BleepingComputer in March 2026. The extensions had been active since at least 2018. Six years of operations before formal disclosure.

What ShadyPanda was and how it worked

Koi Security researchers documented 145 malicious extensions across Chrome Web Store and Microsoft Edge Add-ons that accumulated 4.3 million installs — one Edge extension alone reached 3 million downloads. The campaign operated through four escalating phases, each more invasive than the last.

Phase 1 — Affiliate fraud: The extensions injected tracking codes during visits to eBay, Booking.com, Amazon, and similar shopping sites. Users saw nothing unusual. The operators collected referral commissions. Low risk of detection, steady revenue.

Phase 2 — Search hijacking: Extensions started redirecting search queries through trovi[.]com, a known adware domain. This is the first behavior most users might notice as "weird," but it's easy to rationalize as a network glitch.

Phase 3 — Remote code execution backdoor: The extensions installed backdoors that exfiltrated cookies and search data to attacker-controlled servers.

Phase 4 — Full spyware: The final evolution collected browsing history, search queries, keystrokes, mouse clicks, and full device fingerprint data. All of it sent to 17 Chinese domains.

The technical mechanism in Phase 4 is worth understanding. The backdoor contacted a command-and-control server (api.extensionplay[.]com) every hour to check for new instructions. If new JavaScript was available, the extension downloaded it and executed it with full browser API access. As Koi Security researchers described it, according to BleepingComputer: "Every hour, it checks api.extensionplay[.]com for new instructions, downloads arbitrary JavaScript, and executes it with full browser API access."

This is important: the malicious payload wasn't baked into the packaged extension file. It arrived dynamically, over the network, after installation. A static analysis of the extension's code might not catch it.

Google and Microsoft removed the identified extensions after Koi Security's disclosure, according to BleepingComputer. But removal doesn't reverse six years of data collection.

The Edge exposure you might not have thought about

Of the 145 extensions documented, 20 were on the Chrome Web Store. 125 were on Microsoft Edge Add-ons. That's roughly a 6:1 ratio in favor of Edge as the attack surface.

One Edge extension alone hit 3 million installs — the single largest individual distribution in the campaign. According to Koi Security's findings as reported by BleepingComputer, the Microsoft Edge Add-ons store had substantially higher exposure than Chrome's.

This matters if you're in an enterprise environment. Edge shipped as the default Chromium browser on Windows, and many corporate IT deployments kept it as the standard browser. Users in those environments may have had ShadyPanda extensions installed without ever making a conscious choice to install them — just following department browser standardization.

The extensions identified have since been removed, but if you've been using Edge and haven't reviewed your extension list recently, this is a good moment to do that.

Why you probably didn't notice anything wrong

The staged activation is the core of why this campaign ran for six years without triggering mass user complaints. Extensions don't launch as Phase 4 spyware on day one. They spend years building an install base as something innocuous. By the time keylogging capabilities activated, the extensions had been installed for years and felt like a normal part of the browser environment.

Browser extensions update silently by default. Chrome and Edge don't send you a notification when an extension you installed three years ago quietly updated and changed its behavior. You still see the same icon in your toolbar. The name is the same. There's no visual signal that the product you're running today is different from what you installed.

This is what I'd call the time-bomb problem: the extension you installed and stopped thinking about is more dangerous than the one you just added, because the old one has had time to evolve through multiple update cycles. You evaluated the permissions when you installed it. You didn't evaluate the version running today.

You can check whether any of your currently installed extensions appear in threat databases at catalog.extenshi.io, where Extenshi indexes known-malicious and high-risk extensions.

How to protect yourself

You can't assume "old and stable" equals "safe." ShadyPanda spent years looking exactly like a stable, legitimate extension. Here's what to actually do:

1. Do a full audit of your extension list right now

Open chrome://extensions/ or edge://extensions/ and scroll through everything. If you see an extension you don't recognize or haven't consciously used in six months, remove it. You don't lose much by removing something you forgot about. You might gain a lot.

Pay particular attention to extensions installed before 2023. That puts them squarely in the window when ShadyPanda was building its install base.

2. Flag anything with unusually broad permissions

Extensions that claim access to <all_urls> — meaning every website you visit — are high-risk unless the extension's core functionality genuinely requires it. A shopping deals extension doesn't need to read your webmail. A screenshot tool doesn't need to run on every page.

Cross-reference your high-permission extensions against Extenshi's extension catalog to see the permission breakdown and any flagged behaviors.

3. Look for extensions from developers with no public presence

ShadyPanda operated 145 extensions as a coordinated network. Many of those extensions would have had thin developer profiles — no linked GitHub, no public contact, no support history, no public website. If the developer behind an extension has zero accountability surface, that's a signal. Legitimate extension developers are usually findable.

4. Don't click through permission re-approval prompts

When an extension updates and requests new permissions, Chrome shows a re-approval dialog. This is your most important safety valve. If a screenshot utility you installed in 2021 suddenly wants permission to read clipboard data after an update, that's not normal. Stop. Read it. Reject the update if it doesn't make sense.

5. Apply the one-extension-per-function rule

Every extension you install expands your attack surface. If you have five shopping extensions doing variations of the same thing, you have five potential attack vectors. Pick one, remove the rest. The ShadyPanda operators relied on users not auditing accumulated installs.

What behavioral monitoring catches that static analysis doesn't

Static permission analysis — looking at what an extension declares in its manifest.json — doesn't catch the ShadyPanda attack pattern. The late-stage spyware capability was loaded dynamically from the C2 server, not packaged into the extension file. Any point-in-time static scan of the extension might look completely benign.

Catching this class of attack requires behavioral monitoring: watching what an extension does at runtime, not just what it declares. Does it make outbound network connections to domains unrelated to its stated purpose? Does it poll a remote server on an hourly schedule? Does it read form fields on pages where that behavior isn't justified by the extension's function?

Extenshi tracks behavioral signals alongside static permission data. If an extension in your browser is making suspicious network calls or accessing data it has no business touching, that's the kind of signal that shows up in behavioral analysis — not just a permission count.

Scan your extensions at catalog.extenshi.io to see which of your installed add-ons have elevated risk signals, both static and behavioral.

The pattern this fits into

ShadyPanda follows a threat model that's appeared multiple times now. A legitimate-looking extension builds an install base. The original developer sells the extension or an operator quietly purchases the developer's signing credentials. Malicious updates roll out. Users who installed the extension for a legitimate purpose have no reason to expect it changed.

The extension ownership transfer variant has been documented separately — QuickLens and ShotBird are recent examples. ShadyPanda operated differently (the same operator escalated capabilities internally rather than selling to a third party), but the end state is the same: an extension you trusted is running code you never agreed to.

This isn't a reason to avoid extensions entirely. Extensions are useful, and most of them are fine. It's a reason to treat your extension list like software you're actively maintaining, not a set-and-forget accumulation. Audit it. Remove what you don't use. Pay attention to updates. The extensions that have been there the longest deserve the most scrutiny.


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles