Cyberside Chats: Cybersecurity Insights from the Experts

The Extension That Spied on You: Inside ShadyPanda’s 7-Year Attack



A massive 7-year espionage campaign hid in plain sight. Harmless Chrome and Edge extensions — wallpaper tools, tab managers, PDF converters — suddenly flipped into full surveillance implants, impacting more than 4.3 million users. In this episode, we break down how ShadyPanda built trust over years, then weaponized auto-updates to steal browsing history, authentication tokens, and even live session cookies. We’ll walk through the timeline, what data was stolen, why session hijacking makes this attack so dangerous, and the key steps security leaders must take now to prevent similar extension-based compromises. 

Key Takeaways 

  1. Audit and restrict browser extensions across the organization. Inventory all extensions in use, remove unnecessary ones, and enforce an allowlist through enterprise browser controls.
  2. Treat extensions as part of your software supply chain. Extensions can flip from safe to malicious overnight. Include them in risk assessments and governance processes.
  3. Detect and mitigate session hijacking. Monitor for unusual token reuse, shorten token lifetimes where possible, and watch for logins that bypass MFA.
  4. Enforce enterprise browser security controls. Use Chrome/Edge enterprise features or MDM to lock down permissions, block unapproved installations, and enable safe browsing modes.
  5. Reduce extension sprawl with policy and training. Educate employees that extensions carry real security risk. Require justification for new installations and empower IT to remove unnecessary ones.

Please tune in weekly for more cybersecurity advice, and visit www.LMGsecurity.com if you need help with your cybersecurity testing, advisory services, and training.
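As an added illustration of the first takeaway (not code from the episode or from the research it cites), the sketch below inventories the extensions installed in one Chromium-based browser profile and compares them with an approved list. It assumes the usual on-disk layout of `<extension id>/<version>/manifest.json`; the extension IDs, names, allowlist and the `make_sample` helper are constructed for the example.

```python
import json, sys, tempfile
from pathlib import Path

# Permissions that expose browsing activity or session state.
SENSITIVE = {"cookies", "history", "tabs", "webRequest", "scripting",
             "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def inventory(extensions_dir):
    """Read <extension id>/<version>/manifest.json under a profile's
    Extensions folder and return one record per installed version."""
    found = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            data = dict(json.loads(manifest.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, TypeError):
            data = {}  # unreadable manifest: still report the ID
        perms = set()
        for key in ("permissions", "optional_permissions", "host_permissions"):
            values = data.get(key) if isinstance(data.get(key), list) else []
            perms.update(p for p in values if isinstance(p, str))
        found.append({"id": manifest.parent.parent.name,
                      "version": str(data.get("version", manifest.parent.name)),
                      "name": str(data.get("name", "?")),
                      "sensitive": sorted(perms & SENSITIVE)})
    return found

def audit(found, allowlist):
    """Return (unapproved, review); review = approved but holds sensitive permissions."""
    unapproved = [e for e in found if e["id"] not in allowlist]
    review = [e for e in found if e["id"] in allowlist and e["sensitive"]]
    return unapproved, review

def make_sample(root):
    """Constructed sample tree with two made-up extension IDs."""
    for ext_id, name, perms in (("a" * 32, "Tab Manager", ["tabs", "storage"]),
                                ("b" * 32, "Wallpaper", ["cookies", "<all_urls>"])):
        d = Path(root, ext_id, "1.0_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(
            {"name": name, "version": "1.0", "permissions": perms}))
    return root

if __name__ == "__main__":
    # Pass a real Extensions directory as argv[1]; otherwise use the sample.
    ext_dir = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    unapproved, review = audit(inventory(ext_dir), allowlist={"a" * 32})  # made-up ID
    for label, items in (("UNAPPROVED", unapproved), ("REVIEW", review)):
        for e in items:
            print(label, e["id"], e["name"], e["version"], e["sensitive"])
```

The "REVIEW" list matters because an approved extension can change behaviour through an update, so recording the version and sensitive permissions gives a baseline to compare against. A script like this only reports; blocking unapproved installations still belongs in enterprise browser policy.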


Resources:

• KOI Intelligence (Original Research): https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
• Malwarebytes Labs Coverage: https://www.malwarebytes.com/blog/news/2025/12/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices
• Infosecurity Magazine Article: https://www.infosecurity-magazine.com/news/shadypanda-infects-43m-chrome-edge/

#ShadyPanda #browserextension #browsersecurity #cybersecurity #cyberaware #infosec #cyberattacks #ciso

Cyberside Chats: Cybersecurity Insights from the Experts
By Chatcyberside
