NHI Forum


ShadyPanda Browser Extension Campaign Exposes Users to Security Risks


Posted by @astrix (Trusted Member, joined 10 months ago, 32 posts), topic starter

Read full article here: https://astrix.security/learn/blog/shadypanda-malware-chrome-extensions-security/?utm_source=nhimg


New research from Koi Security has uncovered a long-running malicious browser extension operation, dubbed “ShadyPanda.” Over the past seven years, this campaign has infected more than 4.3 million users via malicious Google Chrome and Microsoft Edge extensions.

This discovery underscores the risks posed by unmanaged browser extensions. Often perceived as harmless productivity tools, extensions actually function as powerful integrations with access to sensitive corporate data.

Here’s what you need to know—and how Astrix customers stay protected.


What Happened: The ShadyPanda Campaign

Koi Security identified roughly 30 variants of ShadyPanda extensions. They were disguised as utilities like PDF converters or browser cleaners, but once installed, they acted as Remote Code Execution (RCE) backdoors and spyware.

The extensions exfiltrated extensive user data, including:

  • Full Browsing Visibility: Every URL visited and complete browsing history.
  • Navigation Patterns: HTTP referrers revealing movement across websites.
  • Fingerprinting: User agent, screen resolution, platform data, and timestamps.
  • Persistent Tracking: UUID4 identifiers stored in chrome.storage.sync allowed cross-device, session-spanning profiling.

These capabilities enabled long-term tracking, profiling, and remote command execution via malicious C2 infrastructure.


Enterprise Risk: High-Privilege Access via Malicious Extensions

One notable example: “Clean Master: the best Chrome Cache Cleaner.” While it claims to optimize browser performance, it actually grants “Access to All Resources.”

For enterprises, this means that if installed on a work profile, attackers can potentially access:

  • Internal SaaS platforms
  • Proprietary data
  • Sensitive workflows

ShadyPanda illustrates how browser extensions, AI agents, and other integrations behave like Non-Human Identities (NHIs): entities holding permissions that, if left unmonitored, become a blind spot that attackers can exploit.


How Astrix Protects Organizations

Astrix helps organizations manage these risks through three core capabilities:

  1. Discovery and Early Detection
    • Real-time inventory of AI agents, NHIs (service accounts, OAuth apps, API keys, SSH keys, IAM roles), and secrets across cloud, SaaS, and on-prem environments.
  2. Secure with Context
    • Identify high-risk origins (e.g., extensions sourced from high-risk countries).
    • Detect over-privileged access requests with no legitimate business justification.
    • Proactively remove dangerous extensions before public attribution.
  3. Policy Enforcement
    • Transition from reactive to proactive security.
    • Deploy automated policies, such as blocking extensions from untrusted regions or requiring justification for high-sensitivity permissions.
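The "Access to All Resources" grant described above and the over-privileged-extension detection listed under "Secure with Context" both come down to reading what an extension's manifest asks for. The following audit script is an added example (not code from Astrix or Koi Security): it scores installed Chrome/Edge extensions by combining broad host patterns such as `<all_urls>` with the API permissions that deliver the visibility ShadyPanda abused (tabs and webNavigation for every URL, webRequest for referrers, storage for persistent identifiers). The two manifests embedded in it are constructed samples; the profile path layout `Extensions/<id>/<version>/manifest.json` is Chrome's standard one.

```python
import json
from pathlib import Path

# Host patterns that Chrome presents as "Access to All Resources" at install time.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth flagging: tabs/webNavigation expose every URL visited, webRequest
# exposes referrers and headers, scripting allows page injection, storage/cookies/history
# support persistent tracking identifiers and profiling.
WATCH_PERMS = {"tabs", "webNavigation", "webRequest", "scripting", "storage", "cookies", "history"}
VISIBILITY_PERMS = {"tabs", "webNavigation", "webRequest", "scripting"}

def host_patterns(manifest: dict) -> set:
    """Collect host patterns from MV2 permissions, MV3 host_permissions and content_scripts."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return hosts

def assess(manifest: dict) -> dict:
    """Summarise one manifest: broad host access combined with sensitive API permissions."""
    broad = bool(host_patterns(manifest) & BROAD_HOSTS)
    perms = set(manifest.get("permissions", [])) & WATCH_PERMS
    if broad and perms & VISIBILITY_PERMS:
        level = "high"      # can read every page and report where the user goes
    elif broad or perms:
        level = "medium"    # one of the two ingredients; review the business justification
    else:
        level = "low"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "broad_host_access": broad, "sensitive_permissions": sorted(perms), "risk": level}

def audit_profile(extensions_root: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each installed extension."""
    results = []
    for manifest_path in sorted(extensions_root.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            result = assess(json.load(fh))
        result["id"] = manifest_path.parents[1].name  # the 32-character extension id directory
        results.append(result)
    return results

# Constructed sample manifests (not real extensions): a "cleaner" that asks for everything,
# and a helper scoped to a single site.
SAMPLE_MANIFESTS = [
    {"name": "Example Cache Cleaner", "version": "1.0", "manifest_version": 3,
     "permissions": ["tabs", "webNavigation", "storage"], "host_permissions": ["<all_urls>"]},
    {"name": "Example Site Helper", "version": "2.1", "manifest_version": 3,
     "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
]

if __name__ == "__main__":
    for manifest in SAMPLE_MANIFESTS:
        print(assess(manifest))
```

To run it against a real profile, call `audit_profile(Path(...) / "Extensions")` with the profile directory (on Linux typically `~/.config/google-chrome/Default`) and triage anything rated "high" first.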


The Bottom Line

Malicious browser extensions remain a favored attack vector, exploiting user trust while accessing sensitive systems.

With Astrix, organizations gain visibility and control over all AI agents and Non-Human Identities—enabling early detection, blocking, and removal of high-risk integrations before they become incidents.

You cannot secure what you cannot see. Astrix ensures your extensions, integrations, and AI agents operate safely, giving your team the confidence to innovate without exposing sensitive data.
