A widespread spyware campaign orchestrated by the threat actor known as ShadyPanda has been uncovered by security researchers. The group successfully compromised several popular browser extensions, affecting a user base of more than 4.3 million.
The compromised extensions, once legitimate and trusted by their users, were covertly updated with malicious code. That update turned them into spyware designed to exfiltrate sensitive user information without the user's knowledge.
Supply Chain Attack Compromised Millions
The attack vector involved a supply chain compromise where ShadyPanda acquired ownership of existing, popular extensions. After gaining control, the threat actor pushed malicious updates through the official browser extension stores. Because the updates were distributed through official channels, they were automatically installed for the majority of the 4.3 million users.
This method allowed the attackers to bypass initial security checks and leverage the established trust and large installation numbers of the previously benign add-ons.
Data Exfiltration and Spyware Capabilities
Once the malicious update was installed, the extensions began operating as spyware. The embedded code was capable of capturing a wide range of personal and sensitive data directly from the user’s browser. Information targeted for theft included browsing history, session cookies, login credentials, and data entered into web forms.
All collected data was then sent to command-and-control (C2) servers operated by the ShadyPanda group. Following the discovery of this campaign, the affected browser extensions were removed from the official web stores to prevent new installations.
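A defender-side check that the scenario above motivates, written as an added example that is not code from the article or from the researchers who reported the campaign: compare an allowlisted baseline of extension manifests against what is currently installed and flag any update that silently gained the permissions needed to read cookies, history or page contents. The permission names are real Chrome manifest keys; the extension ids, versions and manifests are constructed for the example.

```python
# Manifest permissions (real Chrome API names) that grant the capabilities this
# campaign abused: reading cookies, browsing history and the content of every page.
RISKY_PERMISSIONS = {"cookies", "history", "webRequest", "tabs", "scripting", "<all_urls>"}


def risky_permissions(manifest: dict) -> set:
    """Return the risky permissions a manifest requests (works for MV2 and MV3)."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))       # MV3 host access
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))              # injected on these URLs
    # A host pattern ending in "://*/*" matches every site for that scheme.
    return {p for p in requested if p in RISKY_PERMISSIONS or p.endswith("://*/*")}


def audit_update(baseline: dict, current: dict) -> dict:
    """Compare a pinned baseline {ext_id: manifest} with the installed set.

    Returns {ext_id: finding} for extensions that are not in the baseline or whose
    version changed and gained risky capabilities, i.e. the pattern of a trusted
    extension being repurposed through an official store update.
    """
    findings = {}
    for ext_id, manifest in current.items():
        before = baseline.get(ext_id)
        if before is None:
            findings[ext_id] = {"status": "new", "risky": sorted(risky_permissions(manifest))}
            continue
        gained = risky_permissions(manifest) - risky_permissions(before)
        if manifest.get("version") != before.get("version") and gained:
            findings[ext_id] = {"status": "escalated", "gained": sorted(gained)}
    return findings


# Constructed sample data: "ext-a" was a benign storage-only extension whose update
# now asks for cookies, webRequest and all-hosts access; "ext-b" is unchanged.
BASELINE = {
    "ext-a": {"version": "1.2.0", "permissions": ["storage"]},
    "ext-b": {"version": "3.0.1", "permissions": ["storage", "alarms"]},
}
CURRENT = {
    "ext-a": {"version": "1.3.0", "permissions": ["storage", "cookies", "webRequest"],
              "host_permissions": ["<all_urls>"]},
    "ext-b": {"version": "3.0.1", "permissions": ["storage", "alarms"]},
}

if __name__ == "__main__":
    for ext_id, finding in audit_update(BASELINE, CURRENT).items():
        print(ext_id, finding)
```

In practice the baseline would be captured when an extension is approved for the fleet, and the current manifests read from each browser's extension directory.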
Source: https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html