How to Spot a ‘Sleeper’ Browser Extension That’s Actually Malware


Malicious extensions sometimes pose as legitimate additions to the Chrome Web Store (and similar libraries in other browsers). They’re especially hard to catch when they’re benign to begin with, only to mutate into malware after gaining a user’s trust.

This is what happened with several extensions on Google Chrome and Microsoft Edge. Security researchers pointed to a set of extensions that had run legitimately for years before malicious updates allowed the attackers to surveil users and harvest sensitive data. The scheme, known as ShadyPanda, reached four million downloads and is still partly active.

Threat actors ran a similar campaign targeting Firefox earlier this year: they obtained approval for a benign extension impersonating popular crypto wallets, accumulated downloads and positive reviews, and then updated the add-on with malicious code capable of logging form field input, which they used to access and steal crypto assets.

How a browser extension can be corrupted

According to the researchers, ShadyPanda started out as an affiliate scam, with 145 extensions masquerading as wallpaper and productivity apps in both browsers. Initially these add-ons hijacked and manipulated search results and injected affiliate tracking codes for eBay, Amazon, and Booking.com, earning the operators commissions on clicks. Five of the extensions, launched in 2018, would later evolve into malware.

These add-ons were marked as featured and verified in Chrome; one, a cache cleaner known as CleanMaster, received a 4.8 rating from thousands of reviews. The extension was updated in 2024 to run malware that checks hourly for new instructions and maintains full browser access, sending information to ShadyPanda’s servers. (It has since been removed from Chrome.)

The attackers launched an additional five extensions in 2023, including one called Vitab.

How to detect malicious extensions in Chrome and Edge

Unfortunately, malicious extensions are usually pretending to be something else, so a quick visual check of your installed extensions may not reveal any problems. In this case, the researchers have published a list of extension IDs associated with the ShadyPanda campaign, and you have to check for them one by one.

In Chrome, type chrome://extensions/ in your address bar and hit Enter. Toggle on Developer mode in the upper right corner to display the ID of each installed extension. From here, you can copy and paste each ID from the published list into the page search (Ctrl+F on Windows or Cmd+F on a Mac). If there are no matches, none of the listed extensions is installed. If you find a malicious add-on, click Remove. In Edge, follow the same process at edge://extensions/.
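The manual Ctrl+F check above scales poorly when you have many profiles or machines to review. The script below is an added example (not code from the article or from the researchers who reported the campaign) that automates the same idea: it walks a Chromium-style profile directory (Chrome and Edge both store unpacked extensions under `<profile>/Extensions/<id>/<version>/manifest.json`), collects each installed extension's ID, name and host permissions, compares the IDs against a blocklist, and additionally flags extensions that request access to every site, which is the kind of access the campaign's later updates relied on. The blocklist IDs and the sample profile it builds are constructed placeholders; substitute the published list of campaign IDs and point it at a real profile path to use it.

```python
"""Added example: audit a Chromium-style browser profile for blocklisted
extension IDs and for extensions with broad host access.

Assumptions (not from the article): the profile layout
<profile>/Extensions/<id>/<version>/manifest.json, and a blocklist of
placeholder IDs standing in for the published campaign list.
"""
import json
import os
import tempfile

# Chromium extension IDs are 32 lowercase characters in the range a-p.
ID_ALPHABET = set("abcdefghijklmnop")

# Constructed placeholder IDs; replace with the published campaign list.
BLOCKLIST = {
    "a" * 32,  # placeholder, not a real ShadyPanda ID
    "b" * 32,  # placeholder, not a real ShadyPanda ID
}

# Host patterns that grant an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_extension_id(name):
    """True if a directory name looks like a Chromium extension ID."""
    return len(name) == 32 and set(name) <= ID_ALPHABET


def list_installed_extensions(profile_dir):
    """Return {extension_id: {"name", "version", "hosts"}} for a profile."""
    ext_root = os.path.join(profile_dir, "Extensions")
    found = {}
    if not os.path.isdir(ext_root):
        return found
    for ext_id in sorted(os.listdir(ext_root)):
        if not is_extension_id(ext_id):
            continue  # e.g. "Temp" scratch directories
        ext_dir = os.path.join(ext_root, ext_id)
        for version in sorted(os.listdir(ext_dir)):  # last entry wins
            manifest_path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # Manifest V3 lists hosts separately; V2 mixes them into "permissions".
            hosts = set(manifest.get("host_permissions", []))
            hosts |= {p for p in manifest.get("permissions", [])
                      if "://" in p or p == "<all_urls>"}
            found[ext_id] = {
                "name": manifest.get("name", "?"),  # may be a __MSG_..__ i18n key
                "version": manifest.get("version", version),
                "hosts": hosts,
            }
    return found


def assess(installed, blocklist=BLOCKLIST):
    """Split installed extensions into blocklisted and broad-access IDs."""
    blocked = sorted(i for i in installed if i in blocklist)
    broad = sorted(i for i, info in installed.items()
                   if info["hosts"] & BROAD_HOSTS)
    return {"blocklisted": blocked, "broad_access": broad}


def build_sample_profile():
    """Create a constructed profile directory with three sample extensions."""
    profile = tempfile.mkdtemp(prefix="sample-profile-")
    samples = {
        "a" * 32: {"name": "Wallpaper Pack", "version": "2.4.0",
                   "manifest_version": 3, "host_permissions": ["<all_urls>"]},
        "c" * 32: {"name": "Quick Notes", "version": "1.0.1",
                   "manifest_version": 3, "permissions": ["storage"]},
        "d" * 32: {"name": "Tab Helper", "version": "0.9",
                   "manifest_version": 2, "permissions": ["tabs", "*://*/*"]},
    }
    for ext_id, manifest in samples.items():
        vdir = os.path.join(profile, "Extensions", ext_id, manifest["version"] + "_0")
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    os.makedirs(os.path.join(profile, "Extensions", "Temp"))  # should be skipped
    return profile


def run_demo():
    """Audit the constructed sample profile and return the findings."""
    return assess(list_installed_extensions(build_sample_profile()))


if __name__ == "__main__":
    for category, ids in run_demo().items():
        print(category, ids)
```

Point `list_installed_extensions` at a real profile directory (for Chrome on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default`; on macOS, `~/Library/Application Support/Google/Chrome/Default`; Edge uses the corresponding `Microsoft\Edge` and `Microsoft Edge` paths) to audit your own installs. A blocklist hit is a confirmed finding; a broad-access flag is only a prompt to ask whether that extension genuinely needs to read every site you visit.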

While this campaign shows that extensions can be weaponized after they’re installed, you should still follow best practices for vetting browser add-ons just as you would apps for your device. Check the name carefully, as fraudulent extensions often have names that are almost identical to trusted ones. Review the description for any red flags, such as misspellings and irrelevant images. If you see a lot of positive reviews on a new extension in a short amount of time, or if the reviews look like they’re describing something else entirely, proceed with caution. You can also do additional research, such as searching on Google or Reddit, to see if the extension is legitimate.