All news with #browser extensions tag

Malicious Chrome and Edge Extensions Abused by ShadyPanda

🛡️Researchers at Koi Security uncovered a multi-year campaign by an actor dubbed ShadyPanda that abused trusted Chrome and Edge extensions to harvest browsing data, manipulate search results and traffic, and install a backdoor. The group amassed roughly 4.3 million infected browser instances by publishing legitimate-looking add-ons and later pushing malicious updates. Although many extensions have been removed from stores, infected browsers remain at risk because extensions auto-update and marketplaces generally review only at submission.

ShadyPanda Browser Extension Campaign Hits 4.3M Users

🛡️ A seven-year browser extension campaign attributed to the actor known as ShadyPanda has infected 4.3 million Chrome and Edge users by operating legitimately for years and then pushing malicious updates. A Koi Security report describes a remote code execution backdoor that affected roughly 300,000 users across five extensions, including Clean Master, and a parallel spyware push via Edge extensions such as WeTab. Malicious updates enabled hourly downloads of arbitrary JavaScript, extensive logging of site visits, exfiltration of encrypted browsing histories, and comprehensive browser fingerprinting.

ShadyPanda Converts Popular Browser Extensions into Spyware

🔒 A threat actor tracked as ShadyPanda operated a seven-year browser-extension campaign that amassed over 4.3 million installs by converting popular add-ons into data-stealing spyware. Koi Security reports that five extensions were modified in mid-2024 to run hourly remote code execution, download arbitrary JavaScript, and exfiltrate encrypted browsing histories and full browser fingerprints. Notable victims include Clean Master — once verified by Google — and WeTab, which still had millions of installs. Users should remove affected extensions and rotate credentials immediately while marketplaces review post-approval update controls.

Validating Chrome Extensions: Organizational Security

🔒 This article by Stan Kaminsky reviews Athanasios Giatsos’ Security Analyst Summit 2025 talk and explains why malicious browser extensions are a major blind spot for organizations. It outlines how extensions can access cookies, local storage, proxy settings, clipboard and screen capture, enabling session and account theft, espionage, ad fraud and crypto theft, and why Manifest V3 reduces but does not eliminate risk. Practical controls described include formal extension policies and allowlists, disabling developer mode, version pinning and testing of updates, EDR and SIEM-based monitoring, and the use of specialized vetting tools for deeper analysis.

Browser Security Report 2025: Emerging Enterprise Risks

🛡️ The Browser Security Report 2025 warns that enterprise risk is consolidating in the user's browser, where identity, SaaS, and GenAI exposures converge. The research shows widespread unmanaged GenAI usage and paste-based exfiltration, extensions acting as an embedded supply chain, and a high volume of logins occurring outside SSO. Legacy controls like DLP, EDR, and SSE are described as operating one layer too low. The report recommends adopting session-native, browser-level controls to restore visibility and enforce policy without disrupting users.

Top Browser Sandbox Threats That Evade Modern Defenses

🔒 Modern browsers include sandboxing, but attackers exploit expected behaviors to bypass protections. A new on-demand webinar from Keep Aware outlines the top three browser-layer threats—credential theft, malicious extensions, and lateral movement—and explains why tools like CASBs, SWGs, and EDRs often miss these attacks. It shows how real-time browser visibility, policy enforcement, and behavioral detection extend protection into everyday user activity. The session is aimed at CISOs and security leaders seeking practical steps to close this blind spot.