Millions of Browser Users Exposed After Trusted Extensions Turn Malicious in Long-Running Surveillance Scheme

By Aayush

A major browser security incident has come to light after researchers revealed that millions of users were unknowingly spied on through once-legitimate browser extensions that later turned malicious.

According to an investigation first reported by The Register and confirmed by Koi Security, a threat actor operating under the name ShadyPanda spent years building trust before activating surveillance functionality through software updates.


The case stands out for the patience and scale involved. Beginning as early as 2018, ShadyPanda published harmless browser extensions that functioned exactly as advertised. These tools — positioned mainly as productivity and utility add-ons — behaved like standard extensions for years, attracting positive reviews and steady growth.

Over time, this long-term legitimacy paid off. Some of the extensions earned featured placement and verification status in both the Chrome Web Store and Microsoft Edge Add-ons Store, a level of visibility that further reinforced user trust.


Once the install base reached millions of users, the operator pushed an update that quietly changed the extensions’ behavior, transforming them into full-scale tracking and surveillance tools.

Millions Affected Across Chrome and Edge

Koi Security’s analysis revealed the scope of the breach to be substantial:

  • More than 4.3 million users were affected across Google Chrome and Microsoft Edge
  • The extension Clean Master alone surpassed 200,000 installs
  • Another extension, WeTab, along with related add-ons from the same publisher, exceeded 3 million installs combined

All of these extensions came from publishers linked to Starlab Technology or the WeTab ecosystem.

What the Malicious Updates Did

Once activated, the malicious code granted the extensions extensive visibility into users’ online activity. The data harvested included:

  • Every website URL visited
  • Full browsing history
  • All search queries typed into the browser
  • Mouse click tracking
  • Detailed browser fingerprinting
  • HTTP referrer data showing how users navigated between sites

This combination enabled deep profiling and tracking, far beyond what most users would ever expect from a productivity extension. In effect, the add-ons acted as silent surveillance software embedded directly into the browser.

Why This Attack Was So Effective

This campaign exploited one of the weakest points in browser ecosystems: updates from trusted developers. Because the extensions had operated safely for years, automatic updates were delivered without raising alarms. Users had no reason to suspect that a familiar tool would suddenly change behavior so drastically.

The incident also highlights that store approval and verification alone are insufficient safeguards when developers can alter functionality long after initial review.

Extensions Removed — But the Risk Isn’t Automatically Gone

Both Google and Microsoft have confirmed that all known malicious extensions associated with this campaign have been removed from their respective extension stores. However, store removal does not automatically uninstall extensions already present on a user’s system.

This means affected users may still have dangerous add-ons installed unless they take manual action.

What Users Should Do Immediately

1. Check Installed Extensions

On Chrome and Edge, users should review their extensions and look for anything associated with:

  • Starlab Technology
  • WeTab
  • Any extension they no longer recognize or actively use

Removing unused extensions is strongly recommended even if they are not confirmed malicious.
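One practical way to carry out this review at scale, for example across a fleet of managed machines, is to read each profile's on-disk extension manifests rather than clicking through the extensions page. The script below is an added example written for this article; it is not code from Koi Security, Google or Microsoft. It walks the Chrome and Edge `Extensions/<id>/<version>/manifest.json` layout, flags the permission combinations that would give an extension the kind of visibility described above (tab URLs, navigation events, history, request headers, cross-device storage), and matches names and authors against a hypothetical watchlist built from the publisher names in the article. The two manifests it scans by default are constructed samples written to a temporary directory, so it runs offline; `--live` scans the real default profiles instead.

```python
from __future__ import annotations

import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions that, combined, give an extension the visibility the article
# describes (URLs, history, search queries, referrers, cross-device identifiers).
SENSITIVE_PERMISSIONS = {
    "tabs": "reads the URL and title of every tab",
    "webNavigation": "sees every navigation and transition",
    "history": "reads full browsing history",
    "webRequest": "observes every HTTP request, including Referer headers",
    "storage": "can persist identifiers in chrome.storage.sync across devices",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hypothetical watchlist assembled from the publisher names in the article.
WATCHLIST = ("starlab", "wetab", "clean master")


def default_extension_dirs() -> list[Path]:
    """Candidate Extensions folders for the default Chrome and Edge profiles."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
    candidates = [
        home / ".config/google-chrome/Default/Extensions",
        home / ".config/microsoft-edge/Default/Extensions",
        home / "Library/Application Support/Google/Chrome/Default/Extensions",
        home / "Library/Application Support/Microsoft Edge/Default/Extensions",
        local / "Google/Chrome/User Data/Default/Extensions",
        local / "Microsoft/Edge/User Data/Default/Extensions",
    ]
    return [p for p in candidates if p.is_dir()]


def assess_manifest(manifest: dict) -> tuple[list[str], bool]:
    """Return (reasons, watchlist_hit) for one parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    hosts |= {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    reasons = [f"permission '{p}': {SENSITIVE_PERMISSIONS[p]}"
               for p in sorted(perms & SENSITIVE_PERMISSIONS.keys())]
    if hosts & BROAD_HOSTS:
        reasons.append("broad host access: can run on and read every site")
    label = f"{manifest.get('name', '')} {manifest.get('author', '')}".lower()
    hit = any(w in label for w in WATCHLIST)
    if hit:
        reasons.append("name or author matches watchlist")
    return reasons, hit


def scan_extension_dir(root: Path) -> list[dict]:
    """Walk Extensions/<id>/<version>/manifest.json and grade each extension."""
    findings = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        reasons, hit = assess_manifest(manifest)
        risk = "high" if hit or len(reasons) >= 3 else "review" if reasons else "low"
        findings.append({
            "id": manifest_path.parent.parent.name,
            "version": manifest_path.parent.name,
            "name": manifest.get("name", "?"),
            "risk": risk, "watchlist_hit": hit, "reasons": reasons,
        })
    return findings


def build_sample_profile() -> Path:
    """Write two constructed manifests into a temp dir so the scan runs offline."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Bookmark Tidy (constructed)",
            "version": "1.0", "permissions": ["bookmarks"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 3, "name": "Sample New Tab (constructed)",
            "author": "WeTab Demo Publisher (constructed)", "version": "2.4",
            "permissions": ["tabs", "webNavigation", "history", "storage"],
            "host_permissions": ["<all_urls>"],
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / f"{manifest['version']}_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def report(findings: list[dict]) -> None:
    """Print one line per extension plus the reasons it was flagged."""
    for f in findings:
        print(f"[{f['risk']:6}] {f['name']} ({f['id']} v{f['version']})")
        for reason in f["reasons"]:
            print(f"          - {reason}")


if __name__ == "__main__":
    # No arguments: scan the constructed sample. --live: scan the real default profiles.
    roots = default_extension_dirs() if "--live" in sys.argv else [build_sample_profile()]
    for root in roots:
        print(f"== {root}")
        report(scan_extension_dir(root))
```

Two caveats when running it against real profiles: extensions that localize their name store `__MSG_name__` in the manifest and the real string lives under `_locales/`, so a watchlist match on the manifest alone can miss them; and a permission set like this one is common to legitimate new-tab and history tools as well, so a "review" or "high" result is a prompt to look at the extension, not proof of malice. The point of grading on permissions rather than on a name list is that it still catches a trusted extension whose capabilities grew in a later update, which is exactly the pattern this campaign used.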

2. Update the Browser

Install the latest version of Chrome or Edge. Browser updates include:

  • New security checks for extension behavior
  • Updated blocklists that can automatically disable flagged extensions
  • Protection against cached or dormant malicious components

3. Clear Sync Data

One of the most concerning findings is that the malware stored persistent UUID identifiers in chrome.storage.sync. This means tracking could continue across devices, even after reinstalling the browser.

To fully clean your system:

  • Uninstall the affected extensions
  • Clear browser sync data from your Google or Microsoft account
  • Then restart and resync your browser

This incident is a textbook example of a delayed activation supply-chain attack, where time, trust, and scale were weaponized. Instead of exploiting a technical vulnerability, the attackers exploited human assumptions — that long-standing, verified software is safe by default.

For users, it reinforces the need to:

  • Regularly audit browser extensions
  • Avoid installing unnecessary add-ons
  • Be cautious even of “trusted” tools

For browser vendors, it raises difficult questions about how to better monitor long-term behavioral changes in extensions — not just their first submission.

While the immediate threat has been neutralized, the episode serves as a sobering reminder that security risks can hide in plain sight for years before striking.
