We have another reason to be careful about the extensions that some of us add to web browsers to improve their capability. We’ve long known about evil-doing extensions that tech firms can quickly expose as carapaces for malware. Now researchers have discovered a type that functions with seeming legitimacy for years before springing its trap.
And guess where such extensions are sending their ill-gotten data (Koi, December 1, 2025)?
Koi researchers have identified a threat actor we’re calling ShadyPanda—responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users.
Our investigation uncovered two active operations.
A 300,000-user RCE [remote code execution] backdoor: Five extensions, including the “Featured” and “Verified” Clean Master, were weaponized in mid-2024 after years of legitimate operation. These extensions now run hourly remote code execution—downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints.
A 4-million-user spyware operation: Five additional extensions from the same publisher, including WeTab with 3 million installs alone, are actively collecting every URL visited, search query, and mouse click—transmitting data to servers in China.
Some of ShadyPanda’s extensions were featured and verified by Google, granting instant trust and massive distribution. For seven years, this actor learned how to weaponize browser marketplaces—building trust, accumulating users, and striking through silent updates.
Koi’s post goes into some detail about how the extensions work, how they have evaded detection, where collected data gets sent, and what gets collected.
One extension, WeTab, “has 3 million installs alone and functions as a sophisticated surveillance platform disguised as a productivity tool.” It “exfiltrates extensive user data to 17 different domains (8 Baidu servers in China, 7 WeTab servers in China, and Google Analytics).”
WeTab collects and sends all browsing history, all search queries, “mouse click tracking with pixel-level precision,” browser fingerprints, page interactions, storage and cookie access….
The big problem: “Marketplaces review extensions at submission. They don’t watch what happens after approval…. And now every sophisticated threat actor knows the playbook.”
Maybe how browsers review extensions will start to change because of this kind of investigation. Meanwhile, users need to be extra-careful about adding extensions, treating them as guilty until proven innocent. Window Forum outlines how you can find and get rid of these extensions if any of the browsers you use are infected.
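Because marketplaces stop looking after approval, the practical check falls to the user or the administrator: inventory what is installed and flag extensions that combine page-wide reach (every URL, tab and cookie) with a recent update. The following Python script is an added example, not code from Koi’s report or from Windows Forum; it parses the manifest.json files under a Chrome/Edge profile’s Extensions directory, the HIGH_RISK capability list and the 30-day “recent update” window are assumptions, and the sample manifests at the bottom are constructed for the demonstration.

```python
import json
import time
from pathlib import Path

# Capabilities that give an extension the reach described in the Koi report:
# seeing every URL, injecting code into pages, reading history and cookies.
# The list is an assumption for this example, not a vendor-defined set.
HIGH_RISK = {"<all_urls>", "*://*/*", "tabs", "webRequest", "webNavigation",
             "history", "cookies", "scripting"}

def requested_scope(manifest):
    """Collect permissions and host patterns from a Chrome/Edge manifest (MV2 or MV3)."""
    scope = set(manifest.get("permissions", []))
    scope |= set(manifest.get("host_permissions", []))
    for content_script in manifest.get("content_scripts", []):
        scope |= set(content_script.get("matches", []))
    return scope

def triage(manifest, updated_at, now, recent_days=30):
    """Return reasons to review an extension by hand; an empty list means none found.
    updated_at and now are Unix timestamps; the 30-day window is an assumption."""
    reasons = sorted(f"capability:{p}" for p in requested_scope(manifest) & HIGH_RISK)
    if reasons and now - updated_at < recent_days * 86400:
        reasons.append("recently updated with broad capabilities (silent update risk)")
    return reasons

def scan_profile(extensions_dir, now=None):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and triage each one.
    The version directory's mtime is used as a proxy for when the update landed."""
    now = time.time() if now is None else now
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        reasons = triage(manifest, manifest_path.parent.stat().st_mtime, now)
        if reasons:
            report[ext_id] = reasons
    return report

# Constructed sample manifests (not real extensions): a "utility" that gained
# page-wide reach in a recent update, and a narrowly scoped one for contrast.
NOW = 1_764_547_200  # 2025-12-01 00:00 UTC, the date of the Koi report
SAMPLE_BROAD = {"name": "Constructed Tab Helper", "manifest_version": 3,
                "permissions": ["tabs", "storage", "alarms"],
                "host_permissions": ["<all_urls>"]}
SAMPLE_NARROW = {"name": "Constructed Notes", "manifest_version": 3,
                 "permissions": ["storage"]}

if __name__ == "__main__":
    print(triage(SAMPLE_BROAD, NOW - 3 * 86400, NOW))
    print(triage(SAMPLE_NARROW, NOW - 3 * 86400, NOW))
```

On a real machine, call scan_profile with the profile’s Extensions directory (for example the one under the Chrome or Edge user data folder) and review each flagged id in the browser’s extensions page before deciding whether to remove it.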