A threat actor known as ShadyPanda has been linked to a seven-year-long browser extension campaign that has amassed over 4.3 million installations over time.

Five of these extensions started off as legitimate programs before malicious changes were introduced in mid-2024, according to a report from Koi Security, attracting 300,000 installs. These extensions have since been taken down.

"These extensions now run hourly remote code execution – downloading and executing arbitrary JavaScript with full browser access," security researcher Tuval Admoni said in a report shared with The Hacker News. "They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."

To make matters worse, one of the extensions, Clean Master, was featured and v

See Full Page