Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware


A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending people's data to servers in China. And, according to Koi researchers, five of the extensions with more than 4 million installs are still live in the Edge marketplace.

The attackers, which Koi named ShadyPanda, played the long game: publishing legitimate extensions, accumulating thousands or sometimes millions of downloads over several years, and then pushing a malware-laden update that auto-updates across the entire user base.

Because both marketplaces review extensions upon submission – it's not an ongoing process – these seemingly stellar productivity tools, some with Featured and Verified status alongside glowing user reviews and high install counts, were allowed to track people's behavior and steal sensitive info silently for years. 

"No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity ...


Copyright of this story solely belongs to theregister.co.uk.