ShadyPanda browser-extension campaign
Campaign
Summary
The ShadyPanda browser-extension campaign remains active on Microsoft Edge Add-ons, where it has reached over 4.3 million installs and is still delivering malicious code. The operation evolved from affiliate fraud and search hijacking into spyware and an update-delivered backdoor that can run arbitrary JavaScript. The ongoing activity matters because infected extensions can steal browsing data, cookies, and user interactions at scale.
Related Happenings
108 Malicious Chrome extension campaign
Campaign
First: 14.04.2026 14:30
Last: 14.04.2026 14:30
Sources 1
About this happening:
A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Torg Grabber browser-extension theft activity
Malware Activity
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
Legitimate-looking Chrome extension prompt-poaching campaign
Campaign
First: 25.03.2026 13:00
Last: 25.03.2026 13:00
Sources 1
About this happening:
A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Timeline
- 01.12.2025 17:01 · 3 articles · 5mo ago
ShadyPanda browser-extension campaign disclosed
Initial Disclosure
Koi Security disclosed a long-running ShadyPanda browser-extension campaign that began with legitimate-looking Chrome and Edge submissions in 2018, showed malicious activity in 2023, escalated in early 2024 and 2024 into search hijacking and an update-delivered backdoor, and remained active on the Microsoft Edge Add-ons platform with over 4.3 million installs and extensions such as WeTab 新标签页 and Infinity New Tab (Pro) still present.
Sources:
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
- A Browser Extension Risk Guide After the ShadyPanda Campaign — thehackernews.com — 15.12.2025 13:55