In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale.
A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. In total, about 4.3 million users installed these once-legitimate add-ons, which suddenly went rogue with spyware and backdoor capabilities.
This tactic was essentially a browser extension supply-chain attack.
The ShadyPanda operators even earned featured and verified badges in the official Chrome Web Store and Microsoft Edge Add-ons site for some extensions, reinforcing user confidence. Because extension updates happen automatically in the background, the attackers were able to push out malicious code without users noticing a thing.
Once activated in mid-2024, the compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser. They could download and run arbitrary JavaScript with full access to the browser’s data and capabilities. This gave the attackers a range of spyware powers, from monitoring every URL and keystroke, to injecting malicious scripts into web pages, to exfiltrating browsing data and credentials.
One of the worst capabilities was session cookie and token theft, stealing the authentication tokens that websites use to keep users logged in. The extensions could even impersonate entire SaaS accounts (like Microsoft 365 or Google Workspace) by hijacking those session tokens.
Why Browser Extensions Are a SaaS Security Nightmare
For SaaS security teams, ShadyPanda’s campaign shows us a lot. It proved that a malicious browser extension can effectively become an intruder with keys to your company’s SaaS kingdom. If an extension grabs a user’s session cookie or token, it can unlock that user’s accounts in Slack, Salesforce, or any other web service they’re logged into.
In this case, millions of stolen session tokens could have led to unauthorized access to enterprise emails, files, chat messages, and more, all without triggering the usual security alarms. Traditional identity defenses like MFA were bypassed, because the browser session was already authenticated and the extension was piggybacking on it.
The risk extends beyond just the individual user. Many organizations allow employees to install browser extensions freely, without the scrutiny applied to other software. Browser extensions often slip through without oversight, yet they can access cookies, local storage, cloud auth sessions, active web content, and file downloads.
This blurs the line between endpoint security and cloud security. A malicious extension can be run on the user’s device (an endpoint issue), but it directly compromises cloud accounts and data (an identity/SaaS issue). ShadyPanda vividly shows the need to bridge endpoint and SaaS identity defense: security teams should think about treating the browser as an extension of the SaaS attack surface.
Steps to Reduce Browser Extension Risk
So based on all of this, what can organizations do to reduce the risk of another ShadyPanda situation? Below is a practical guide with steps to tighten your defenses against malicious browser extensions.
1. Enforce Extension Allow Lists and Governance
Start by regaining control over which extensions can run in your environment. Conduct an audit of all extensions installed across the company’s browsers (both corporate-managed and BYOD if possible) and remove any that are unnecessary, unvetted, or high risk.
It’s wise to require business justification for extensions that need broad permissions (for example, any addon that can read all website data). Use enterprise browser management tools to implement an allow list so that only approved extensions can be installed. This policy ensures new or unknown extensions are blocked by default, cutting off the long tail of random installs.
Remember that popular extensions aren’t automatically safe, ShadyPanda’s malware hid in popular, trusted extensions that people had used for years. Treat all extensions as guilty until proven innocent by vetting them through your security team’s approval process.
2. Treat Extension Access Like OAuth Access
Shift your mindset to treat browser extensions similarly to third-party cloud apps in terms of the access they grant. In practice, this means integrating extension oversight into your identity and access management processes.
Just as you might keep a catalog of authorized OAuth integrations, do the same for extensions. Map out what SaaS data or actions an extension could touch – for example, if an extension can read all web traffic, it effectively can read your SaaS application data in transit; if it can read cookies, it can impersonate the user on any service.
Because malicious extensions can steal session tokens, your identity security tools should watch for signs of session hijacking: configure alerts for bizarre login patterns, like an OAuth token being used from two different locations, or an access attempt that bypasses MFA checks.
The key point is to manage extensions with the same caution as any app that has been granted access to your data. Limit extension permissions where possible, and if an employee leaves the company or changes roles, ensure that high-risk extensions are removed just as you would revoke unneeded app access.
3. Audit Extension Permissions Regularly
Make extension review a recurring part of your security program, similar to quarterly access reviews or app assessments. Every few months, inventory the extensions and their permissions in use across your organization.
Pay attention to what data or browser features each extension can access. For each extension, ask: Do we still need this? Has it requested any new permissions? Has its developer or ownership changed?
Attackers often buy out benign extensions or slip in new maintainers before pushing bad updates. By reviewing the extension publisher and update history, you can spot red flags.
Also, watch for any extension that suddenly asks for broader permissions than before – that’s a clue it may have turned malicious.
4. Monitor for Suspicious Extension Behavior
Because browsers usually auto-update extensions silently, a trusted add-on can become malicious overnight with no obvious warning to the user. Security teams should therefore implement monitoring to catch silent compromise.
This can include technical measures and user-awareness cues.
On the technical side, consider logging and analyzing extension activity: for example, monitor browser extension installations, update events, or unusual network calls from extensions (like frequent communication with unknown external domains).
Some organizations inspect browser logs or use endpoint agents to flag if an extension’s files change unexpectedly. If possible, you might restrict or stage extension updates – for instance, testing updates on a subset of machines before wide deployment.
On the user side, educate employees to report if an extension that has been installed for a long time suddenly starts behaving differently (new UI changes, unexpected pop-ups, or performance issues could hint at a malicious update). The goal is to shorten the window between an extension going bad and your team detecting and removing it.
Bridging Endpoint and SaaS Security (How Reco Can Help)
The ShadyPanda incident shows that attackers don’t always need zero-day exploits to infiltrate our systems; sometimes, they just need patience, user trust, and an overlooked browser extension. For security teams, it’s a lesson that browser extensions are part of your attack surface.
The browser is effectively an endpoint that sits between your users and your SaaS applications, so it’s important to bring extension management and monitoring into your overall security strategy. By enforcing allow lists, auditing permissions, monitoring updates, and treating extensions like the powerful third-party apps they are, you can drastically reduce the risk of an extension becoming your weakest link.
Finally, consider how modern SaaS security platforms can support these efforts.
New solutions, such as dynamic SaaS security platforms, are emerging to help organizations get a handle on these kinds of risks. Reco’s Dynamic SaaS Security platform is designed to continuously map and monitor SaaS usage (including risky connected apps and extensions) and provide identity-driven threat detection.
With the right platform, you can gain unified visibility into extensions across your environment and detect suspicious activity in real time. Reco can help bridge the gap between endpoint and cloud by correlating browser-side risks with SaaS account behavior, giving security teams a cohesive defense. By taking these proactive steps and leveraging tools like Reco to automate and scale your SaaS security, you can stay one step ahead of the next ShadyPanda.
Request a Demo: Get Started With Reco.
Note: This article is expertly written and contributed by Gal Nakash, Co-founder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister’s Office. He is a tech enthusiast with a background as a security researcher and hacker. Gal has led teams in multiple cybersecurity areas, with expertise in the human element.
