We have another reason to be careful about the extensions that some of us add to web browsers to improve their capability. We've long known about evil-doing extensions that tech firms can quickly expose as shells for malware. Now researchers have discovered a type that functions with seeming legitimacy for years before springing its trap.
And guess where such extensions are sending their ill-gotten data (Koi, December 1, 2025)?
Koi researchers have identified a threat actor we're calling ShadyPanda, responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users.
Our investigation uncovered two active operations.
A 300,000-user RCE [remote code execution] backdoor: Five extensions, including the “Featured” and “Verified” Clean Master, were weaponized in mid-2024 after years of legitimate operation. These extensions now run hourly remote code execution, downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints.
A 4-million-user spyware operation: Five additional extensions from the same publisher, including WeTab with 3 million installs alone, are actively collecting every URL visited, search query, and mouse click, transmitting data to servers in China.
Some of ShadyPanda's extensions were featured and verified by Google, granting instant trust and massive distribution. For seven years, this actor learned how to weaponize browser marketplaces: building trust, accumulating users, and striking through silent updates.
Koi's post goes into some detail about how the extensions work, how they have evaded detection, where collected data gets sent, and what gets collected.
One extension, WeTab, “has 3 million installs alone and functions as a sophisticated surveillance platform disguised as a productivity tool.” It “exfiltrates extensive user data to 17 different domains (8 Baidu servers in China, 7 WeTab servers in China, and Google Analytics).”
WeTab collects and sends all browsing history, all search queries, “mouse click tracking with pixel-level precision,” browser fingerprints, page interactions, storage and cookie access….
The big problem: “Marketplaces review extensions at submission. They don't watch what happens after approval…. And now every sophisticated threat actor knows the playbook.”
Maybe how browsers review extensions will start to change because of this kind of investigation. Meanwhile, users need to be extra careful about adding extensions, treating them as guilty until proven innocent. Windows Forum outlines how you can find and get rid of these extensions if any of the browsers you use are infected.
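One practical check that follows from the "guilty until proven innocent" advice is to look at what your installed extensions are actually allowed to do. The script below is an added example, not code from Koi or from this post: it walks a browser's on-disk Extensions folder, reads each extension's manifest.json, and flags the capabilities the campaign above abused (history, tab and cookie access, all-site host permissions, and a manifest V2 content security policy that permits remote or eval'd script). The permission weights and the two sample manifests are constructed for the demonstration, and the directory layout (Extensions/<id>/<version>/manifest.json) is the one Chrome and Edge use on disk.

```python
import json
import tempfile
from pathlib import Path

# Capabilities that let an extension observe or export browsing activity.
SENSITIVE = {
    "history": "read full browsing history",
    "tabs": "see the URL and title of every open tab",
    "webNavigation": "observe every page navigation",
    "webRequest": "inspect or modify network requests",
    "cookies": "read site cookies",
    "scripting": "inject scripts into pages",
    "storage": "persist collected data locally",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Summarise the surveillance-relevant capabilities a manifest declares."""
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 uses host_permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    sensitive = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    broad = bool(hosts & BROAD_HOSTS)
    # Heuristic: a V2 CSP that whitelists an https: script source or 'unsafe-eval'
    # lets the extension load and run JavaScript it did not ship with.
    csp = manifest.get("content_security_policy", "")
    csp = " ".join(csp.values()) if isinstance(csp, dict) else csp
    remote_code = "'unsafe-eval'" in csp or any(t.startswith("http") for t in csp.split())
    score = len(sensitive) + (2 if broad else 0) + (3 if remote_code else 0)
    return {"name": manifest.get("name"), "version": manifest.get("version"),
            "sensitive": sensitive, "broad_hosts": broad,
            "remote_code_csp": remote_code, "score": score}

def audit_extension_dir(root: Path) -> list:
    """Audit every manifest.json under a browser's Extensions directory, riskiest first."""
    reports = [audit_manifest(json.loads(m.read_text())) for m in root.rglob("manifest.json")]
    return sorted(reports, key=lambda r: r["score"], reverse=True)

def build_sample_dir() -> Path:
    """Constructed sample: one over-privileged 'cleaner' and one minimal extension."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaa/2.1.0": {"name": "Tab Cleaner Pro", "version": "2.1.0", "manifest_version": 2,
                       "permissions": ["tabs", "history", "cookies", "storage", "<all_urls>"],
                       "content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'"},
        "bbbb/1.0.3": {"name": "Word Counter", "version": "1.0.3", "manifest_version": 3,
                       "permissions": ["activeTab"]},
    }
    for sub, manifest in samples.items():
        (root / sub).mkdir(parents=True)
        (root / sub / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    for r in audit_extension_dir(build_sample_dir()):
        print(f"{r['score']:2d}  {r['name']} {r['version']}  broad_hosts={r['broad_hosts']} remote_code_csp={r['remote_code_csp']}")
```

Point `audit_extension_dir` at your real profile (for example `~/.config/google-chrome/Default/Extensions` on Linux) to list installed extensions by declared footprint; a high score is a reason to look closer, not proof of malice, since legitimate tools also need some of these permissions.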