ShadyPanda browser extension spyware activity
Malware Activity
Summary
Hide ▲
Show ▼
ShadyPanda browser extensions now deliver hourly remote code execution, turning trusted add-ons into spyware across Chrome and Edge and putting 4.3 million installs at risk. The code fetches payloads from api.extensionplay[.]com and exfiltrates encrypted browsing data and browser fingerprints to api.cleanmasters[.]store. The operation raises immediate risk of credential theft, session hijacking, and arbitrary code injection.
Related Happenings
Silent Swap browser-extension clipboard clipper
Malware Activity
H score36
First: 30.06.2026 18:40
Last: 30.06.2026 18:40
Sources 1
About this happening:
The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Silent Swap browser-extension clipboard clipper
Malware ActivityAbout this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical Analysis
H score23
First: 25.06.2026 17:12
Last: 25.06.2026 17:12
Sources 1
About this happening:
A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical AnalysisAbout this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
JetBrains Marketplace malicious plugin API-key theft campaign
Campaign
H score15
First: 17.06.2026 00:54
Last: 17.06.2026 00:54
Sources 1
About this happening:
A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...
JetBrains Marketplace malicious plugin API-key theft campaign
CampaignAbout this happening: A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...
Timeline
-
01.12.2025 19:29 3 articles · 7mo ago
ShadyPanda browser extension spyware activity
Initial DisclosureThe operation began as a long-running browser-extension presence that built trust through legitimate store distribution and large install counts. In **mid-2024**, five previously benign extensions were altered to fetch code from **api.extensionplay[.]com** and start malicious hourly execution.
Show sources
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
- A Browser Extension Risk Guide After the ShadyPanda Campaign — thehackernews.com — 15.12.2025 13:55