ShadyPanda and Malicious Browser Extensions

Web browsers are massive, in many ways becoming a new operating system we use to access data, watch videos, and manage professional services. As a result, browser extensions have quietly become one of the most overlooked risks in enterprise security. And as the recent revelations about the ShadyPanda campaign make clear, attackers increasingly understand that the easiest way into an organization might be through the small, trusted extensions that users install without a second thought.

This article breaks down what happened, why it matters, and why organizations subject to security frameworks need to treat browser extensions as a first-class part of their threat models.


A Seven-Year Campaign Hidden in Plain Sight

The ShadyPanda campaign, revealed by researchers at Koi Security, is one of the most significant browser-extension-based espionage and data-harvesting operations uncovered to date. With more than 4.3 million compromised installations across Chrome and Edge combined, this campaign demonstrates just how powerful malicious extensions can be… and how much damage they can cause when left unchecked.

What makes ShadyPanda so alarming isn’t just the number of installs or its longevity. It’s the sophistication of the evolution. Many malicious extension campaigns operate for weeks or months before they’re pulled down. ShadyPanda’s operators built theirs to last through multiple stages, each designed to increase their access and stealth gradually.

The campaign unfolded in four major phases:


Phase 1: Affiliate Fraud Disguised as Utility Extensions

The earliest extensions in the campaign promised new wallpapers, tab customization, productivity helpers, and minor visual enhancements… nothing out of the ordinary. 

At first, their behavior was relatively benign: they injected affiliate-tracking codes into major marketplaces such as Amazon, eBay, and Booking.com. Because this kind of injection isn’t rare, it allowed attackers to earn quiet, ongoing commission revenue without raising alarms.

More importantly, users saw no overt malicious behavior. The extensions delivered on their advertised functionality. Positive reviews accumulated. And the extension ecosystem, where “verified” means “safe,” continued to approve updates without suspicion.


Phase 2: Search Hijacking and User Tracking

By early 2024, the campaign had shifted. Extensions like Infinity V+ began forcibly redirecting users’ search queries to domains such as “trovi”, a known adware ecosystem. The extensions also began quietly collecting cookies, keystrokes, browsing histories, and site interactions.

This phase marked the beginning of proper surveillance. While not yet full-fledged spyware, these capabilities allowed attackers to map user behavior, track authentication, build user profiles, and collect credentials. 


Phase 3: Remote Code Execution via Auto-Update

The most dangerous phase arrived in mid-2024, when a subset of previously trusted extensions received an update that turned them into remote code-execution platforms. Using the browser’s own permissions system, these extensions contacted a command-and-control server every hour and downloaded arbitrary JavaScript payloads.

This gave attackers the ability to inject code, steal cookies, launch man-in-the-middle attacks, modify web pages regardless of domain, and capture user data at the browser level.

Crucially, this was all made possible by a feature most users never think twice about: automatic updates. A once-benign extension can become a surveillance tool overnight, and the user would never know.


Phase 4: Large-Scale Surveillance Focused on Microsoft Edge

As Chrome began removing flagged extensions, ShadyPanda’s operators shifted their foothold to the Microsoft Edge Add-ons store. Five extensions remained active, totaling around four million installations.

Edge users were silently subjected to aggressive data harvesting of browser histories, credentials, and cookies. All of this was transmitted to remote servers, many of which were hosted in China, with almost no visibility for end users.


Why Browser Extension Attacks Are So Dangerous for Organizations


For everyday users, malicious browser extensions are a privacy violation. For enterprises, however, they are a massive data exposure and a supply chain compromise at the user interface layer, potentially affecting hundreds or thousands of employees.

Malicious browser extensions sit at the perfect vantage point to observe the exact activity most organizations consider sensitive or mission-critical. In many cases, the browser session is the gateway to everything the user does, and an extension running inside that session sits behind the security measures of nearly any site the user visits. No zero-trust portal, encryption, or identity management system will help if an extension can read the DOM, view injected scripts, or capture cookies.

What makes this particularly problematic is how extensions bypass traditional security expectations:

  • Trusted but Unaudited: Extensions often undergo a one-time review at listing, not at update. This gives attackers a long window to introduce malicious code after gaining initial approval. 
  • Invisible to Most Endpoint Security Tools: Unless a security agent is specifically configured to monitor browser behavior, many endpoint tools don’t detect malicious activity inside the browser sandbox. 
  • Users Install Them Freely: Even highly trained employees often treat browser extensions as harmless. Productivity-minded teams install them at high rates. 
  • Enterprise Browsers Still Allow Broad Permissions: The permission model behind Chrome and Edge is powerful, but also permissive. Many extensions request “access to all websites,” which gives them wide-reaching control once installed.


Browser Extensions and Compliance Framework Guidance

Organizations governed by major compliance frameworks already emphasize endpoint security, access control, audit logging, and least privilege. Browser extensions live in a dangerous gray zone across these spaces. Add the fact that they are served through app stores with questionable governance, and it’s readily apparent that they are a problem for compliance.

Browser extensions cross boundaries in uncomfortable ways:

  • CMMC: Extensions can exfiltrate controlled unclassified information (CUI), violate AC.L1.3 requirements, bypass audit/monitoring controls, and compromise MFA tokens tied to identity providers. 
  • FedRAMP: Unmonitored browser extensions create risk to cloud system boundary protections, session integrity (SI-10), and authentication mechanisms. 
  • HIPAA: Any patient information accessed during a browser session can be intercepted, leading to unauthorized exposure of PHI. 
  • ISO 27001: Extension misuse violates least privilege, supplier trust, and secure configuration requirements for user endpoints.

In other words, malicious extensions create direct compliance violations—even if the organization’s core systems are secure.


What Security Teams Should Do Now

ShadyPanda is the in-the-wild proof we needed to recognize that browser extensions represent a massive gap in 2026 and beyond. Organizations need to treat browser extension security with the same seriousness as patching or identity management. Practical steps include:

  • Establish a Strict Browser Extension Policy: Move from a “no restrictions unless necessary” mindset to an “allowlist-only” model. Only extensions vetted, signed, and monitored by IT should be available. 
  • Disable or Restrict Auto-Updates for Non-approved Extensions: This reduces the risk of legitimate extensions becoming malicious through silent updates. 
  • Use Enterprise Browser Management Tools: Chrome Enterprise, Edge Enterprise, and managed browser platforms allow administrators to disable risky permissions. You’ll need to take these threats seriously and prioritize extension management in your compliance strategy.  
  • Monitor Browser-Level Activity: Tools that detect unusual JavaScript behavior, suspicious network calls, or cookie extraction can help identify malicious activity that endpoint agents may miss. 
  • Train Staff on Extension Risk: You’ll need to nip shadow IT in the bud. Please make sure all employees understand the risks of browser extensions and why they are restricted on company devices. 
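As an added example (not code from the article, Koi Security, or Continuum GRC), the following Python models the allowlist-only ExtensionSettings policy that Chrome Enterprise and Edge management accept and checks extension manifests against it before approval. The policy keys are real Chrome/Edge ExtensionSettings keys; the extension IDs, hostname, and manifests are constructed placeholders.

```python
"""Allowlist-only browser extension policy, modelled in Python (added example).
Policy keys are real Chrome/Edge ExtensionSettings keys; IDs and manifests are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Host patterns that grant an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Allowlist-only policy: "*" blocks every extension not listed explicitly. The one
# approved entry is force-installed and still denied permissions considered too broad.
EXTENSION_POLICY: Dict[str, dict] = {
    "*": {"installation_mode": "blocked",
          "blocked_install_message": "Extensions must be approved by IT."},
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {              # constructed placeholder ID
        "installation_mode": "force_installed",
        "update_url": "https://clients2.google.com/service/update2/crx",
        "blocked_permissions": ["cookies", "history", "webRequest", "webRequestBlocking"],
        "runtime_blocked_hosts": ["*://*.internal.example"],  # constructed hostname
    },
}

@dataclass
class Verdict:
    installable: bool
    denied_permissions: List[str] = field(default_factory=list)
    broad_host_access: bool = False
    notes: List[str] = field(default_factory=list)

def evaluate(ext_id: str, manifest: dict, policy: Dict[str, dict] = EXTENSION_POLICY) -> Verdict:
    """Decide whether an extension installs under the policy and which permissions it loses."""
    rule = policy.get(ext_id, policy["*"])          # an explicit entry wins over the default
    if rule["installation_mode"] in ("blocked", "removed"):
        return Verdict(False, notes=[rule.get("blocked_install_message", "blocked by default rule")])
    requested = set(manifest.get("permissions", []))
    denied = sorted(requested & set(rule.get("blocked_permissions", [])))
    # MV2 lists host patterns under "permissions", MV3 under "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | (requested & BROAD_HOSTS)
    broad = bool(hosts & BROAD_HOSTS)
    notes = ["requests access to all sites; runtime_blocked_hosts still applies"] if broad else []
    return Verdict(True, denied, broad, notes)

# Constructed manifests: an IT-vetted helper and an unlisted "wallpaper" extension.
VETTED = {"permissions": ["storage", "cookies"], "host_permissions": ["<all_urls>"]}
UNLISTED = {"permissions": ["cookies", "history", "webRequest"], "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    print(evaluate("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", VETTED))
    print(evaluate("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", UNLISTED))
```

The same dictionary, serialized as JSON, is the value an administrator deploys for the ExtensionSettings policy; the evaluation function is the review step a security team runs before adding an ID to the allowlist.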


Apply Zero Trust Principles Across Your Browsers with Continuum GRC

ShadyPanda proves that zero trust isn’t just for networks, APIs, and identity systems. It must extend to the user’s browser. The extensions people install, the permissions they grant, and the updates those extensions receive are now part of the enterprise attack surface.

We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cybersecurity® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect your systems and ensure compliance.
