Once-trusted Chrome and Edge add-ons have quietly turned into tools for data harvesting and search manipulation, plus a remote-execution backdoor, affecting more than 4.3 million users.
A sprawling surveillance campaign targeting Google Chrome and Microsoft Edge users is just the latest evolution of a seven-year-long project to distribute malicious browser extensions.
By targeting trusted browser extensions and weaponizing them only after they had passed initial acceptance checks and gained a broad following, sometimes over years, a group that Koi has labelled "ShadyPanda" has infected 4.3 million browser instances to harvest browsing data, hijack search results, manipulate traffic, and deploy a backdoor capable of remote code execution.
The risk for enterprises is significant if any of those browsers are on work PCs or on employees' own devices used to access work resources, Koi warned.