In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale.
A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. In total, about 4.3 million users installed these once-legitimate add-ons, which suddenly went rogue with spyware and backdoor capabilities.
This tactic was essentially a browser extension supply-chain attack.
The ShadyPanda operators even earned featured and verified badges in the official Chrome Web Store and Microsoft Edge Add-ons site for some extensions, reinforcing user confidence. Because extension updates happen automatically in the background, the attackers were able to push out malicious code without users noticing a thing.
Once activated in mid-2024, the compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser. They could download and run arbitrary JavaScript with full access to the browser’s data and capabilities. This gave the attackers a range of spyware powers, from monitoring every URL and keystroke, to injecting malicious scripts into web pages, to exfiltrating browsing data and credentials.
One of the worst capabilities was session cookie and token theft, stealing the authentication tokens that websites use to keep users logged in. The extensions could even impersonate entire SaaS accounts (like Microsoft 365 or Google Workspace) by hijacking those session tokens.
Why Browser Extensions Are a SaaS Security Nightmare
For SaaS security teams, ShadyPanda’s campaign shows us a lot. It proved that a malicious browser extension can effectively become an intruder with keys to your company’s SaaS kingdom. If an extension grabs a user’s session cookie or token, it can unlock that user’s accounts in Slack, Salesforce, or any other web service they’re logged into.
In this case, millions of stolen session tokens could have led to unauthorized access to enterprise emails, files, chat messages, and more, all without triggering the usual security alarms. Traditional identity defenses like MFA were bypassed, because the browser session was already authenticated and the extension was piggybacking on it.
The risk extends beyond just the individual user. Many organizations allow employees to install browser extensions freely, without the scrutiny applied to other software. Browser extensions often slip through without oversight, yet they can access cookies, local storage, cloud auth sessions, active web content, and file downloads.
This blurs the line between endpoint security and cloud security. A malicious extension can be run on the user’s device (an endpoint issue), but it directly compromises cloud accounts and data (an identity/SaaS issue). ShadyPanda vividly shows the need to…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
