Chinese Spyware Now Disguised as Your Trusted Browser Extensions
Millions of users recently discovered that the browser extensions they trusted were secretly monitoring their every online move. Over 4.3 million people had extensions like Clean Master and WeTab, which they relied on for years, covertly transformed into spyware through seemingly routine updates.
The Long Con Behind the Breach
Security researchers at Koi Security revealed that the China-based group ShadyPanda carefully built credibility over several years before turning widely used extensions into malicious tools. Instead of submitting new, suspicious software, they hijacked popular extensions that had been downloaded millions of times since 2018. Clean Master affected around 200,000 Chrome users, while WeTab compromised approximately 3 million Edge browsers. The malicious updates were delivered through standard auto-update channels, making them appear legitimate.
Every Action Monitored
Once updated, these extensions began capturing detailed browsing activity and could take full control of users' browsers. They connected to attacker-controlled servers to download JavaScript that granted complete access. This allowed hackers to track every URL visited, search query, stored cookie, and even mouse movements, effectively turning affected browsers into remote-controlled devices.
Extension Stores Failed to Protect Users
Official browser marketplaces focused on reviewing new submissions but neglected ongoing monitoring of existing extensions. ShadyPanda exploited this oversight, targeting extensions with Featured or Verified badges to launch stealth attacks. Users assumed trusted stores would prevent malicious activity, but the security focus was on the wrong stage, leaving millions vulnerable.
How to Protect Your Browser
Immediate action is recommended. Go to chrome://extensions/ or edge://extensions/, enable Developer Mode, and check each extension's ID against the list published by Koi Security. Remove any that match. Assume that all browsing activity was compromised during the period the infected extensions were available in official stores. Changing passwords and reviewing sensitive accounts is strongly advised.
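The same ID check can be scripted across every browser profile on a machine. The following is an added example, not code from Koi Security or the article: it assumes the standard Chrome/Edge on-disk layout (`<user data dir>/<profile>/Extensions/<id>/<version>/manifest.json`), and the IDs in the demo are constructed placeholders, not real indicators.

```python
import json
import re
import tempfile
from pathlib import Path

# Chrome and Edge name each extension folder after its 32-character ID (letters a-p).
EXT_ID = re.compile(r"^[a-p]{32}$")

def load_blocklist(text):
    """Parse one ID per line; ignore blanks, # comments and malformed entries."""
    ids = set()
    for line in text.splitlines():
        candidate = line.split("#", 1)[0].strip().lower()
        if EXT_ID.match(candidate):
            ids.add(candidate)
    return ids

def installed_extensions(user_data_dir):
    """Yield (profile, ext_id, version, name) for every extension in every profile."""
    for ext_root in sorted(Path(user_data_dir).glob("*/Extensions")):
        for ext_dir in sorted(p for p in ext_root.iterdir() if EXT_ID.match(p.name)):
            for manifest in sorted(ext_dir.glob("*/manifest.json")):
                try:
                    data = json.loads(manifest.read_text(encoding="utf-8-sig"))
                except (OSError, ValueError):
                    data = {}  # unreadable manifest: still report the ID
                if not isinstance(data, dict):
                    data = {}
                yield (ext_root.parent.name, ext_dir.name,
                       data.get("version", manifest.parent.name), data.get("name", "?"))

def audit(user_data_dir, blocklist):
    """Return the installed extensions whose ID appears on the blocklist."""
    return [e for e in installed_extensions(user_data_dir) if e[1] in blocklist]

def demo():
    # Constructed sample: a fake profile tree with one listed and one unlisted ID.
    bad, good = "a" * 32, "b" * 32
    with tempfile.TemporaryDirectory() as tmp:
        for profile, ext_id, name in [("Default", bad, "Sample A"), ("Profile 1", good, "Sample B")]:
            d = Path(tmp, profile, "Extensions", ext_id, "1.0_0")
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0"}))
        return audit(tmp, load_blocklist(f"# placeholder IDs, not real indicators\n{bad}\nnot-an-id\n"))

if __name__ == "__main__":
    for profile, ext_id, version, name in demo():
        print(f"MATCH {profile}: {ext_id} {name} {version}")
```

To audit a real machine, call `audit()` with the browser's user data directory and a blocklist built from the published ID list; a match means the extension should be removed and the credentials used in that profile rotated.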
Author: Noah Whitman