ShadyPanda browser-extension campaign
Campaign
Summary
Hide ▲
Show ▼
The ShadyPanda browser-extension campaign remains active on Microsoft Edge Add-ons, where it has reached over 4.3 million installs and is still delivering malicious code. The operation evolved from affiliate fraud and search hijacking into spyware and an update-delivered backdoor that can run arbitrary JavaScript. The ongoing activity matters because infected extensions can steal browsing data, cookies, and user interactions at scale.
Related Happenings
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical Analysis
H score23
First: 25.06.2026 17:12
Last: 25.06.2026 17:12
Sources 1
About this happening:
A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical AnalysisAbout this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware Activity
H score12
First: 17.06.2026 12:38
Last: 17.06.2026 12:38
Sources 1
About this happening:
A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware ActivityAbout this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
JetBrains Marketplace malicious plugin API-key theft campaign
Campaign
H score15
First: 17.06.2026 00:54
Last: 17.06.2026 00:54
Sources 1
About this happening:
A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...
JetBrains Marketplace malicious plugin API-key theft campaign
CampaignAbout this happening: A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...
Timeline
-
01.12.2025 17:01 3 articles · 7mo ago
ShadyPanda browser-extension campaign disclosed
Initial DisclosureKoi Security disclosed a long-running ShadyPanda browser-extension campaign that began with legitimate-looking Chrome and Edge submissions in 2018, showed malicious activity in 2023, escalated in early 2024 and 2024 into search hijacking and an update-delivered backdoor, and remained active on the Microsoft Edge Add-ons platform with over 4.3 million installs and extensions such as WeTab 新标签页 and Infinity New Tab (Pro) still present.
Show sources
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
- A Browser Extension Risk Guide After the ShadyPanda Campaign — thehackernews.com — 15.12.2025 13:55