ShadyPanda browser extension spyware activity
Malware Activity
Summary
Hide ▲
Show ▼
ShadyPanda browser extensions now deliver hourly remote code execution, turning trusted add-ons into spyware across Chrome and Edge and putting 4.3 million installs at risk. The code fetches payloads from api.extensionplay[.]com and exfiltrates encrypted browsing data and browser fingerprints to api.cleanmasters[.]store. The operation raises immediate risk of credential theft, session hijacking, and arbitrary code injection.
Related Happenings
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
LofyGang Minecraft LofyStealer campaign
CampaignAbout this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
Chrome Web Store malicious extensions coordinated campaign using shared C2
CampaignAbout this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
GlassWorm Zig dropper infecting developer IDEs
Malware Activity
First: 10.04.2026 16:23
Last: 10.04.2026 16:23
Sources 1
About this happening:
The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...
GlassWorm Zig dropper infecting developer IDEs
Malware ActivityAbout this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware ActivityAbout this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Timeline
-
01.12.2025 19:29 3 articles · 5mo ago
ShadyPanda browser extension spyware activity
Initial DisclosureThe operation began as a long-running browser-extension presence that built trust through legitimate store distribution and large install counts. In **mid-2024**, five previously benign extensions were altered to fetch code from **api.extensionplay[.]com** and start malicious hourly execution.
Show sources
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
- A Browser Extension Risk Guide After the ShadyPanda Campaign — thehackernews.com — 15.12.2025 13:55