
In early December 2025, security researchers exposed a cybercrime campaign that had quietly taken over popular Chrome and Edge browser extensions on a large scale.
A threat group called ShadyPanda spent seven years playing a long game: publishing or acquiring benign extensions, letting them run clean for years to build trust and accumulate millions of installs, then suddenly turning them into malware with a silent update. In total, approximately 4.3 million users installed these once-legitimate add-ons, which turned out to carry spyware and backdoor capabilities.
This tactic was essentially a browser extension supply chain attack.
ShadyPanda's operators had also earned Featured and Verified badges on the official Chrome Web Store and Microsoft Edge Add-ons site for some of their extensions, reinforcing user trust. Because extension updates occur automatically in the background, the attackers were able to push out malicious code without users noticing.
Once activated in mid-2024, the compromised extensions became a full-fledged remote code execution (RCE) framework inside the browser. Each had full access to the browser's data and functionality and could download and execute arbitrary JavaScript. This gave the attackers a range of spyware capabilities, from monitoring every URL and keystroke to injecting malicious scripts into web pages and exfiltrating browsing data and credentials.
One of the worst capabilities is session cookie and token theft: stealing the authentication tokens that websites use to keep users logged in. With hijacked session tokens, the extensions can even impersonate entire SaaS accounts (such as Microsoft 365 or Google Workspace).
Why browser extensions are a SaaS security nightmare
For SaaS security teams, ShadyPanda's campaign says a lot. It proved that malicious browser extensions can become intruders holding the keys to a company's SaaS kingdom. Once an extension has a user's session cookie or token, it can unlock that user's logged-in Slack, Salesforce, or other web service account.
In this case, millions of session tokens were stolen, potentially leading to unauthorized access to corporate emails, files, chat messages, and more without triggering normal security alarms. Because the browser session was already authenticated and the extension was piggybacking on it, traditional identity defenses like MFA were bypassed.
The risks are not limited to individual users. Many organizations allow employees to freely install browser extensions without the oversight that applies to other software. Browser extensions often slip through the cracks, but they can access cookies, local storage, cloud authentication sessions, active web content, and file downloads.
This blurs the line between endpoint security and cloud security. A malicious extension runs on the user's device (an endpoint issue), yet it directly compromises cloud accounts and data (an identity/SaaS issue). ShadyPanda clearly demonstrates the need to bridge endpoint and SaaS identity defense. Security teams should treat browsers as an extension of their SaaS attack surface.
Steps to reduce browser extension risks
Given all this, what can organizations do to reduce the risk of a ShadyPanda-style compromise? Below is a practical guide with steps to strengthen your defenses against malicious browser extensions.
1. Enforce extension allowlisting and governance
Start by controlling which extensions can run in your environment. Conduct an audit of all extensions installed on company browsers (both corporate-managed and BYOD if possible) and remove unnecessary, unvetted, or high-risk extensions.
For extensions that require broad permissions (for example, an add-on that can read all data on a website), it is wise to request a business justification. Use enterprise browser management tools to implement allowlists to ensure only approved extensions can be installed. This policy blocks new or unknown extensions by default, cutting off the long tail of random installations.
Note that popular extensions are not automatically secure. ShadyPanda's malware was hidden inside popular, trusted extensions that people had been using for years. We vet extensions through our security team's approval process and treat every extension as guilty until proven innocent.
2. Treat extension access like OAuth access
Shift your mindset to treating browser extensions like third-party cloud apps in terms of allowed access. In practice, this means integrating extension monitoring into your identity and access management processes.
Just like we maintain a catalog of approved OAuth integrations, we do the same for extensions. Map out what SaaS data or actions each extension can reach. For example, an extension that can read all web traffic can effectively read SaaS application data in transit, and an extension that can read cookies can impersonate the user to any service.
Malicious extensions can steal session tokens, so identity security tools should monitor for signs of session hijacking. Configure alerts for strange login patterns, such as OAuth tokens being used from two different locations or access attempts that bypass MFA checks.
The key is to manage extensions with the same care you would any app allowed to access your data. Limit extension permissions as much as possible, and be sure to remove high-risk extensions when employees leave or change roles, just as you would revoke access to unnecessary apps.
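The session-hijacking alert described in step 2, as an added example that is not code from the article or from Reco: it replays constructed SaaS audit events and flags a session token that is used from two countries within a short window, the footprint of a stolen cookie that never triggers a fresh MFA prompt. Event format, users, token ids and addresses are all assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed SaaS audit events: (timestamp, user, session token id, source ip, country).
# Values are made up for this example; a real feed would come from the IdP or SaaS audit log.
EVENTS = [
    ("2025-12-03T09:00:00", "alice@example.com", "sess-a1", "203.0.113.10", "DE"),
    ("2025-12-03T09:05:00", "alice@example.com", "sess-a1", "203.0.113.10", "DE"),
    # The same already-authenticated session used minutes later from another country:
    # the footprint of a stolen cookie, which never triggers a fresh MFA prompt.
    ("2025-12-03T09:20:00", "alice@example.com", "sess-a1", "198.51.100.7", "BR"),
    ("2025-12-03T10:00:00", "bob@example.com", "sess-b9", "192.0.2.44", "US"),
    ("2025-12-03T18:00:00", "bob@example.com", "sess-b9", "192.0.2.44", "US"),
]

def detect_session_reuse(events, window_minutes: int = 60) -> List[str]:
    """Alert when one session token is used from two countries within the window."""
    alerts: List[str] = []
    last_seen: Dict[str, Tuple[datetime, str]] = {}  # token -> (time, country)
    for ts, user, token, ip, country in sorted(events):  # ISO timestamps sort as strings
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(token)
        if prev and prev[1] != country and t - prev[0] <= timedelta(minutes=window_minutes):
            alerts.append(f"SESSION_REUSE: {user} token {token} {prev[1]}->{country} "
                          f"from {ip} within {window_minutes}m")
        last_seen[token] = (t, country)
    return alerts
```

Country changes can also come from VPNs and mobile roaming, so treat this as a signal to correlate with extension inventory and other identity telemetry rather than an automatic block.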
3. Audit extension privileges regularly
Similar to quarterly access reviews and app ratings, conduct extension reviews repeatedly as part of your security program. Every few months, create a list of extensions and their permissions used across your organization.
Know what data or browser features each extension can access. For each extension, ask: Is it still needed? Has it requested any new permissions? Has the developer or owner changed?
Attackers often buy benign extensions or introduce new maintainers before pushing bad updates. You can spot red flags by checking the extension’s publisher and update history.
Also, be wary of extensions that suddenly request broader permissions than before. This is a clue that the extension may have turned malicious.
4. Monitor suspicious extension behavior
Browsers typically auto-update extensions silently, so a trusted add-on can become malicious overnight without explicit warning to the user. Therefore, security teams must implement monitoring to discover silent breaches.
This may include technical measures or user awareness cues.
On the technical side, consider logging and analyzing extension activity. For example, monitor browser extension installations, update events, and unusual network calls from extensions, such as frequent communication with unknown external domains.
Some organizations inspect browser logs or use endpoint agents to flag when an extension’s files change unexpectedly. If possible, you can limit or phase extension updates. For example, test an update on a subset of machines before rolling it out broadly.
On the user side, educate employees to report extensions that have been installed for a long time and suddenly start behaving differently (new UI changes, unexpected pop-ups, or performance issues can indicate a malicious update). The goal is to reduce the time it takes for your team to detect and remove an extension when it has a problem.
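Steps 1, 3 and 4 above, worked as one added example (not code from the article or from Reco): a Python audit that compares two constructed extension inventory snapshots and reports extensions outside the allowlist, broad permissions, a changed owner, and permissions widened by an update. The extension ids, names, authors and the list of risky permissions are assumptions for this example.

```python
from typing import Dict, List

# Permissions that give an extension ShadyPanda-class reach (every site, cookies,
# request interception, script injection, history). Assumed list for this example.
BROAD_PERMS = {"<all_urls>", "cookies", "webRequest", "webRequestBlocking",
               "scripting", "history"}

# Constructed sample inventories (extension id -> manifest fields) captured at
# two audits. IDs, names and authors are made up for illustration.
SNAPSHOT_Q1 = {
    "aaaaexampleidaaaaaaaaaaaaaaaaaaa": {"name": "Tab Tidy", "version": "2.3.1",
        "author": "tidy-dev", "permissions": ["tabs", "storage"], "host_permissions": []},
    "bbbbexampleidbbbbbbbbbbbbbbbbbbb": {"name": "Color Picker", "version": "1.0.4",
        "author": "cp-labs", "permissions": ["activeTab"], "host_permissions": []},
}
SNAPSHOT_Q2 = {
    "aaaaexampleidaaaaaaaaaaaaaaaaaaa": {"name": "Tab Tidy", "version": "2.4.0",
        "author": "tidy-dev", "permissions": ["tabs", "storage"], "host_permissions": []},
    # New owner and widened permissions between audits: the pattern described above.
    "bbbbexampleidbbbbbbbbbbbbbbbbbbb": {"name": "Color Picker", "version": "3.0.0",
        "author": "new-owner-ltd", "permissions": ["activeTab", "cookies", "webRequest"],
        "host_permissions": ["<all_urls>"]},
    "ccccexampleidccccccccccccccccccc": {"name": "Unknown Helper", "version": "0.1",
        "author": "", "permissions": ["scripting"], "host_permissions": ["<all_urls>"]},
}
ALLOWLIST = {"aaaaexampleidaaaaaaaaaaaaaaaaaaa", "bbbbexampleidbbbbbbbbbbbbbbbbbbb"}

def effective_perms(manifest: Dict) -> set:
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

def audit(old: Dict, new: Dict, allowlist: set) -> List[str]:
    """Compare two inventory snapshots and return one finding per issue."""
    findings: List[str] = []
    for ext_id, m in new.items():
        label = f"{m['name']} ({ext_id[:8]}...)"
        if ext_id not in allowlist:               # step 1: allowlist enforcement
            findings.append(f"NOT_ALLOWLISTED: {label}")
        broad = effective_perms(m) & BROAD_PERMS  # step 3: broad-permission review
        if broad:
            findings.append(f"BROAD_PERMISSIONS: {label} -> {sorted(broad)}")
        prev = old.get(ext_id)
        if prev is None:
            continue                              # first sighting; nothing to diff against
        if prev["author"] != m["author"]:         # step 3: ownership change
            findings.append(f"OWNER_CHANGED: {label} {prev['author']!r} -> {m['author']!r}")
        added = effective_perms(m) - effective_perms(prev)
        if added:                                 # step 4: silent update widened access
            findings.append(f"PERMISSIONS_ADDED: {label} v{prev['version']}->v{m['version']} {sorted(added)}")
    return findings
```

In practice the snapshots would be built from each endpoint's installed-extension manifests or a browser management console export, and the report fed into the same review queue as OAuth app approvals.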
Bridging Endpoint and SaaS Security (How Reco Can Help)
The ShadyPanda incident shows that attackers don’t necessarily need a zero-day exploit to break into a system. Sometimes all you need is patience, user trust, and an overlooked browser extension. For security teams, this is a lesson that browser extensions are part of the attack surface.
Since the browser is effectively the endpoint between the user and the SaaS application, it's important to incorporate extension management and monitoring into your overall security strategy. By enforcing allowlists, auditing permissions, monitoring updates, and treating extensions like powerful third-party apps, you can significantly reduce the risk of extensions becoming your weakest point.
Finally, consider how a modern SaaS security platform can support these efforts.
New solutions, such as dynamic SaaS security platforms, are emerging to help organizations address this type of risk. Reco’s Dynamic SaaS Security platform is designed to continuously map and monitor SaaS usage, including risky connected apps and extensions, and provide identity-based threat detection.

With the right platform, you can integrate and visualize extensions across your environment to detect suspicious activity in real time. Reco helps bridge the gap between endpoint and cloud by correlating browser-side risks with SaaS account behavior, providing security teams with consistent protection. By taking these proactive steps and leveraging tools like Reco to automate and scale your SaaS security, you can stay ahead of the next ShadyPanda.
Note: This article was professionally written and contributed by Gal Nakash, Co-Founder and CPO of Reco. Gal is a former lieutenant colonel in the Israeli Prime Minister's Office. He is a technology enthusiast with a background as a security researcher and hacker. Gal has expertise in human elements and has led teams in multiple cybersecurity areas.
