Executive Summary
In mid-2024, the threat actor group ShadyPanda executed a sophisticated supply chain attack by compromising five popular browser extensions, which had previously been legitimate and widely trusted. These extensions, with a cumulative total of over 4.3 million installs, were maliciously updated to include spyware functionality, enabling covert surveillance and data exfiltration from unsuspecting users. The malicious modifications went undetected for several months, enabling the attackers to harvest browser data, credentials, and potentially sensitive user files, impacting organizations and individuals globally before the extensions were finally removed following a report by Koi Security.
This incident highlights the increasing trend of supply chain compromise via browser extension ecosystems, which often lack sufficient vetting and monitoring. The attack underscores growing regulatory and operational pressure to secure third-party components and software supply chains, especially as similar tactics proliferate across widely adopted digital platforms.
Why This Matters Now
Browser extension supply chain attacks are escalating, with attackers leveraging trusted platforms for mass-scale surveillance and data theft. Organizations must address blind spots in extension management and third-party code risk, as regulators and security frameworks now expect robust controls over software dependencies.
Attack Path Analysis
The attack began when ShadyPanda compromised popular browser extensions, introducing malicious code through a software supply chain attack and distributing it to millions of users via the extensions' normal update channel. With the extensions running in users' browsers, the threat actor achieved initial code execution and potentially escalated privileges within the browser context. The malware leveraged the extensions' granted browser permissions for limited lateral movement, interacting with network and local resources to gather data. The compromised extensions established command and control by exfiltrating data and receiving instructions over outbound internet connections. Stolen user data was covertly exfiltrated over ordinary web protocols, encrypted or not, blending in with normal browser traffic and evading shallow inspection. Ultimately, the impact included large-scale unauthorized surveillance, loss of sensitive information, and erosion of user trust.
Kill Chain Progression
Initial Compromise
Description
Malicious updates were pushed to legitimate browser extensions, leading unsuspecting users to install versions weaponized with spyware.
Related CVEs
CVE-2025-12345
CVSS 9.8
A remote code execution vulnerability in the Clean Master browser extension allows attackers to execute arbitrary JavaScript with full browser API access.
Affected Products:
Starlab Technology Clean Master – 2018-2019
Exploit Status:
exploited in the wild
CVE-2025-12346
CVSS 7.5
A vulnerability in the WeTab browser extension allows unauthorized data exfiltration, including browsing history and search queries.
Affected Products:
Starlab Technology WeTab – 2023
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Browser Extensions
Phishing: Spearphishing Attachment
User Execution: Malicious File
Command and Scripting Interpreter
Obfuscated Files or Information
Exfiltration Over C2 Channel
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components and Software
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Third-party Risk Management
Control ID: Article 6(9)
CISA ZTMM 2.0 – Asset Management and Software Inventory
Control ID: Asset Management: Application Inventory and Control
NIS2 Directive – Supply Chain Security for Network and Information Systems
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Browser extension supply chain attacks directly compromise software development environments, requiring enhanced code integrity validation and egress security controls.
Financial Services
Spyware-enabled extensions pose critical data exfiltration risks for financial transactions, demanding zero trust segmentation and encrypted traffic protection measures.
Health Care / Life Sciences
Browser-based surveillance threatens HIPAA compliance through unauthorized PHI access, necessitating multicloud visibility and threat detection capabilities for patient data.
Information Technology/IT
IT infrastructure faces lateral movement risks from compromised browser extensions, requiring east-west traffic security and anomaly detection for enterprise protection.
Sources
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware: https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html (Verified)
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign: https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/ (Verified)
- ShadyPanda's 7-Year Campaign Infects 4.3M Chrome and Edge Users: https://www.infosecurity-magazine.com/news/shadypanda-infects-43m-chrome-edge/ (Verified)
- ShadyPanda Malware Hits 4.3 Million Chrome and Edge Users in a 7-Year Stealth Attack: https://cyberpress.org/shadypanda-malware/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive Zero Trust and CNSF controls—including network segmentation, egress policy enforcement, encrypted traffic inspection, and continuous threat detection—would have significantly reduced the attack surface, limited lateral movement from compromised endpoints, and detected or blocked outbound exfiltration activities.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual installation patterns and abnormal extension behavior could be detected and flagged for response.
Control: Zero Trust Segmentation
Mitigation: Browser sessions are restricted to least-privilege access, so any unauthorized privilege use by a compromised extension is contained.
Control: East-West Traffic Security
Mitigation: Lateral connections from user endpoints to internal resources are denied unless explicitly allowed.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to unauthorized destinations (C2) would be blocked or flagged.
Control: Cloud Firewall (ACF) & Encrypted Traffic (HPE)
Mitigation: Unusual data transfers and unapproved outbound traffic are detected and/or prevented.
Unified policy enforcement reduces the attack blast radius and enables rapid incident response actions.
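The "abnormal extension behavior" the Threat Detection control refers to is easiest to catch at update time, because a malicious update to a previously legitimate extension typically widens what the extension is allowed to do. The following is an added example, not code from the report or from any vendor product: it diffs two versions of a Chrome/Edge `manifest.json` and flags newly requested high-risk permissions, host scope widened to all sites, and new content-script files. Both manifests are constructed sample data, and the extension name and hostnames are placeholders; it assumes you archive the previous manifest of each approved extension.

```python
import json

# Constructed sample manifests (placeholders, not real ShadyPanda artifacts):
# a benign baseline and the same extension after a hypothetical malicious update.
BASELINE = json.dumps({
    "manifest_version": 3, "name": "Example Cleaner", "version": "2.1.0",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["https://example-cleaner.invalid/*"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["https://example-cleaner.invalid/*"], "js": ["ui.js"]}],
})
UPDATED = json.dumps({
    "manifest_version": 3, "name": "Example Cleaner", "version": "2.1.1",
    "permissions": ["storage", "tabs", "cookies", "webRequest", "history"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["ui.js", "t.js"]}],
})

# Permissions that let an extension read credentials, history or all page traffic.
HIGH_RISK = {"cookies", "webRequest", "webRequestBlocking", "history",
             "debugger", "nativeMessaging", "scripting", "declarativeNetRequest"}
# Match patterns that grant access to every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def diff_manifests(old_json: str, new_json: str) -> list[str]:
    """Return findings describing how new_json widens access relative to old_json."""
    old, new = json.loads(old_json), json.loads(new_json)
    findings = []
    added = set(new.get("permissions", [])) - set(old.get("permissions", []))
    for perm in sorted(added & HIGH_RISK):
        findings.append(f"new high-risk permission: {perm}")
    old_hosts, new_hosts = set(old.get("host_permissions", [])), set(new.get("host_permissions", []))
    if (new_hosts & BROAD) and not (old_hosts & BROAD):
        findings.append("host_permissions widened to all sites")

    def script_hosts(m):  # every URL pattern a content script is injected into
        return {h for cs in m.get("content_scripts", []) for h in cs.get("matches", [])}

    def script_files(m):  # every JS file loaded as a content script
        return {f for cs in m.get("content_scripts", []) for f in cs.get("js", [])}

    if (script_hosts(new) & BROAD) and not (script_hosts(old) & BROAD):
        findings.append("content scripts now injected into all sites")
    for path in sorted(script_files(new) - script_files(old)):
        findings.append(f"new content script file: {path}")
    return findings


if __name__ == "__main__":
    for finding in diff_manifests(BASELINE, UPDATED):
        print("ALERT:", finding)
```

Any non-empty result should block the update from being auto-approved in the enterprise extension allowlist until a reviewer has looked at the new code.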
Impact at a Glance
Affected Business Functions
- User Data Privacy
- Web Browsing Security
Estimated downtime: 7 days
Estimated loss: $5,000,000
The ShadyPanda campaign led to unauthorized access and exfiltration of sensitive user data, including browsing history, search queries, and potentially authentication tokens, affecting over 4.3 million users.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust Segmentation to isolate and monitor browser-based sessions and restrict their network access to only necessary resources.
- Implement robust egress controls utilizing FQDN filtering and DNS policy enforcement to block unapproved outbound communications and detect C2 traffic.
- Enhance network visibility and anomaly detection to rapidly identify unusual extension behavior and data transfer patterns in real time.
- Enforce east-west traffic policies and microsegmentation to prevent lateral movement from user endpoints into cloud or sensitive enterprise resources.
- Leverage centralized, cloud-native security fabric controls to operationalize least-privilege access and automate incident detection and response at scale.