In early December 2025, security researchers exposed a cybercrime campaign called ShadyPanda that quietly hijacked popular Chrome and Edge browser extensions on a massive scale. A threat group spent seven years building trust by publishing or acquiring harmless extensions, then converting them into malware via silent updates, ultimately affecting about 4.3 million users.
The campaign began in mid-2024, when the compromised extensions became a fully fledged remote code execution framework inside the browser, capable of downloading and running arbitrary JavaScript with full access to the browser's data and capabilities. This allowed the attackers to steal session cookies and tokens and even impersonate SaaS accounts such as Microsoft 365 or Google Workspace, bypassing some security controls because the browser session remained authenticated.
The article urges organisations to reduce risk by enforcing extension allow lists, treating extension access like OAuth grants, auditing permissions regularly, and monitoring for suspicious update activity, noting that the browser acts as an extension of the SaaS attack surface; it also highlights how platforms like Reco can help map and monitor extensions across environments.
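As an added example (not from the article or from Reco), the allow-list, permission-audit and update-monitoring controls it recommends expressed as a small Python audit: it flags extensions outside the allow list, high-risk permissions such as `cookies` and `<all_urls>`, and version changes since the last audit, and emits a Chrome/Edge `ExtensionSettings` policy that blocks everything not explicitly allowed. The extension ids, manifests and baseline versions are constructed placeholders.

```python
import json

# Permissions that let an extension read session cookies or run script on
# every site, i.e. the capabilities the hijacked extensions abused.
HIGH_RISK = {"cookies", "webRequest", "scripting", "debugger", "<all_urls>"}


def audit(manifests, allowlist, baseline):
    """Return (ext_id, finding) tuples.
    manifests: {ext_id: parsed manifest.json}; allowlist: ids approved by
    the organisation; baseline: {ext_id: version recorded at the last audit}."""
    findings = []
    for ext_id, m in sorted(manifests.items()):
        if ext_id not in allowlist:
            findings.append((ext_id, "not-allowlisted"))
        perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
        risky = sorted(perms & HIGH_RISK)
        if risky:
            findings.append((ext_id, "risky-permissions:" + ",".join(risky)))
        prev, cur = baseline.get(ext_id), m.get("version")
        # A silent update changes the version; review before trusting it again.
        if prev is not None and prev != cur:
            findings.append((ext_id, f"version-changed:{prev}->{cur}"))
    return findings


def allowlist_policy(allowlist):
    """Chrome/Edge ExtensionSettings policy: block every id not listed."""
    policy = {"*": {"installation_mode": "blocked"}}
    for ext_id in sorted(allowlist):
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy


# Constructed sample data; ids are placeholders, not real extension ids.
MANIFESTS = {
    "extid-tabtidy-placeholder": {"name": "Tab Tidy", "version": "2.0.0",
                                  "permissions": ["storage", "cookies", "webRequest"],
                                  "host_permissions": ["<all_urls>"]},
    "extid-notepad-placeholder": {"name": "Note Pad", "version": "1.1.0",
                                  "permissions": ["storage"]},
    "extid-darktheme-placeholder": {"name": "Dark Theme", "version": "3.2.1",
                                    "permissions": ["storage"]},
}
ALLOWLIST = {"extid-tabtidy-placeholder", "extid-darktheme-placeholder"}
BASELINE = {"extid-tabtidy-placeholder": "1.4.0", "extid-darktheme-placeholder": "3.2.1"}

if __name__ == "__main__":
    for ext_id, finding in audit(MANIFESTS, ALLOWLIST, BASELINE):
        print(ext_id, finding)
    print(json.dumps(allowlist_policy(ALLOWLIST), indent=2))
```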