How to Spot a Sleeping Browser Extension That’s Actually Malware

Malicious extensions sometimes find their way into the Chrome Web Store (and similar libraries in other browsers) by posing as legitimate add-ons. They are especially difficult to detect if they are initially harmless and only become malware after gaining user trust.
This is precisely what happened to a number of extensions for Google Chrome and Microsoft Edge: Koi Security researchers discovered add-ons in both browsers that ran legitimately for several years before receiving malicious updates, allowing hackers to spy on users and to collect and steal confidential data. The scheme, known as ShadyPanda, has reached four million downloads and is still active in Edge.
Earlier this year, attackers conducted a similar campaign against Firefox: they got harmless extensions mimicking popular crypto wallets approved, accumulated downloads and positive reviews, and then injected malicious code into the extensions that could log form input, allowing them to access and steal crypto assets.
Browser extensions can go bad.
As Koi Security notes, ShadyPanda began as an affiliate scam with 145 extensions disguised as wallpapers and productivity apps in two browsers. Initially, they injected affiliate tracking codes and paid commissions for clicks on eBay, Amazon, and Booking.com. They then moved on to intercepting and manipulating search results, before launching five extensions in 2018 that were later converted into malware.
These add-ons were marked as recommended and verified in Chrome. One of them, the cache cleaner CleanMaster, received a rating of 4.8 based on thousands of reviews. In 2024, the extensions were updated to launch malware that can check for new instructions hourly and maintain full access to the browser, transmitting information to ShadyPanda’s servers. (These extensions have since been removed from Chrome.)
In 2023, hackers launched five more extensions for Edge, including WeTab. Two of them are complex spyware, and all were active at the time of Koi’s report.
How to Find Malicious Extensions in Chrome and Edge
Unfortunately, malicious extensions often disguise themselves as something else, so a quick visual inspection of installed extensions may not reveal the problem. In this case, Koi Security has a list of extension IDs associated with the ShadyPanda campaign, and you’ll need to search for them one by one.
In Chrome, enter chrome://extensions/ in the address bar and press Enter. Enable Developer Mode in the upper-right corner to see the IDs of installed extensions. From there, you can copy and paste each ID into the search bar (Ctrl+F on PC or Cmd+F on Mac). If no results appear, your browser is safe. If you find a malicious add-on, click the “Remove” button. In Edge, follow the same steps by going to edge://extensions/.
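The one-by-one lookup described above can also be scripted by comparing the extension folders in each browser profile against a list of flagged IDs. This is an added example, not code from the article or from Koi Security: it assumes the default Chrome and Edge profile locations, and the ID in it is a constructed placeholder to be replaced with the IDs from Koi Security's list.

```python
import json
import re
from pathlib import Path

# Chrome and Edge extension IDs are 32 characters from the letters a-p.
ID_RE = re.compile(r"^[a-p]{32}$")
# Assumed default "User Data" locations (Linux, macOS, Windows).
USER_DATA_ROOTS = [
    "~/.config/google-chrome", "~/.config/microsoft-edge",
    "~/Library/Application Support/Google/Chrome",
    "~/Library/Application Support/Microsoft Edge",
    "~/AppData/Local/Google/Chrome/User Data",
    "~/AppData/Local/Microsoft/Edge/User Data",
]

def load_ids(text):
    """Parse one ID per line; skip blanks, # comments and malformed entries."""
    ids = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if ID_RE.match(token):
            ids.add(token)
    return ids

def installed_extensions(root):
    """Yield (profile, ext_id, name, version) for every profile under root."""
    root = Path(root).expanduser()
    if not root.is_dir():
        return
    # Layout: <root>/<profile>/Extensions/<id>/<version dir>/manifest.json
    for manifest in root.glob("*/Extensions/*/*/manifest.json"):
        ext_dir = manifest.parent.parent
        if not ID_RE.match(ext_dir.name):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            name, version = str(data["name"]), str(data["version"])
        except (OSError, ValueError, KeyError, TypeError):
            name = version = "?"  # unreadable manifest: still report the ID
        yield ext_dir.parent.parent.name, ext_dir.name, name, version

def find_flagged(root, flagged_ids):
    return sorted(e for e in installed_extensions(root) if e[1] in flagged_ids)

if __name__ == "__main__":
    # Constructed placeholder, not a real indicator: use the published IDs.
    flagged = load_ids("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # placeholder\n")
    for root in USER_DATA_ROOTS:
        for hit in find_flagged(root, flagged):
            print(root, *hit, sep=" | ")
```

Extensions loaded unpacked in Developer Mode are stored outside these folders and will not be listed, and a name may appear as a `__MSG_...__` localization placeholder, so match on the ID rather than the name.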
While this campaign demonstrates that extensions can become weapons long after installation, you should still follow the same guidelines for vetting browser extensions as you would any app for your device. Check the name carefully, as fraudulent extensions often have names that are nearly identical to legitimate ones. Check the description for red flags, such as spelling errors and irrelevant images. If you see many positive reviews for a new extension in a short period of time, or if the review authors seem to be discussing something completely different, be wary. You can also conduct additional research, such as searching Google or Reddit, to confirm the extension’s legitimacy.