A Browser Extension Risk Guide After the ShadyPanda Campaign
Briefly

"A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. In total, about 4.3 million users installed these once-legitimate add-ons, which suddenly went rogue with spyware and backdoor capabilities. This tactic was essentially a browser extension supply-chain attack. The ShadyPanda operators even earned featured and verified badges in the official Chrome Web Store and Microsoft Edge Add-ons site for some extensions, reinforcing user confidence. Because extension updates happen automatically in the background, the attackers were able to push out malicious code without users noticing a thing."
"Once activated in mid-2024, the compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser. They could download and run arbitrary JavaScript with full access to the browser's data and capabilities. This gave the attackers a range of spyware powers, from monitoring every URL and keystroke, to injecting malicious scripts into web pages, to exfiltrating browsing data and credentials. One of the worst capabilities was session cookie and token theft, stealing the authentication tokens that websites use to keep users logged in. The extensions could even impersonate entire SaaS accounts (like Microsoft 365 or Google Workspace) by hijacking those session tokens."
ShadyPanda acquired or published benign Chrome and Edge extensions and kept them clean for years to accumulate trust and millions of installs, then silently updated them to deliver malware. Approximately 4.3 million users installed the compromised add-ons, some of which carried featured and verified store badges that reinforced user confidence. Because extension updates run automatically in the background, the attackers could push malicious code without users noticing. Activated in mid-2024, the extensions acted as a remote code execution framework that ran arbitrary JavaScript with full browser access, enabling URL and keystroke monitoring, script injection, browsing-data exfiltration, and theft of session cookies and authentication tokens, which in turn allowed impersonation of entire SaaS accounts such as Microsoft 365 or Google Workspace.
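The two defensive takeaways from the summary above are that a trusted extension can change under you through a silent update, and that the capabilities the campaign abused (cookie access, request interception, script injection into arbitrary pages) are all declared up front in the extension's manifest. The script below is an added example, not code from the page, The Hacker News, or any browser vendor: it flags manifests that request those capabilities and reports permission drift against a previously reviewed baseline. The sample manifests and extension ids are constructed, and the list of "high-risk" permissions is an assumption derived from the behaviours described above rather than a published standard.

```python
"""Audit browser extension manifests for high-risk permissions and for
permission or version drift against a stored baseline.

Added illustration, not code from the page or from any vendor. The manifests
below are constructed samples; the high-risk permission list is an assumption
based on what the ShadyPanda writeup describes (cookie/session theft, script
injection, URL monitoring), not a published standard."""
import json
from pathlib import Path

# Permissions that let an extension read session cookies, observe or rewrite
# every request, or inject scripts into arbitrary pages. Assumed list.
HIGH_RISK_API = {"cookies", "webRequest", "webRequestBlocking", "scripting",
                 "debugger", "nativeMessaging", "declarativeNetRequest",
                 "tabs", "history"}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def extract_permissions(manifest: dict) -> tuple[set, set]:
    """Return (api_permissions, host_permissions) for MV2 and MV3 layouts.
    MV2 mixes host patterns into `permissions`; MV3 uses `host_permissions`."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for p in list(perms):  # MV2: match patterns live in `permissions`
        if p == "<all_urls>" or "://" in p:
            perms.discard(p)
            hosts.add(p)
    return perms, hosts


def risk_flags(manifest: dict) -> set:
    """Set of human-readable flags for capabilities worth a manual review."""
    perms, hosts = extract_permissions(manifest)
    flags = {f"api:{p}" for p in perms & HIGH_RISK_API}
    flags |= {f"host:{h}" for h in hosts & BROAD_HOSTS}
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form is a dict keyed by context
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:  # eval() makes downloaded strings executable
        flags.add("csp:unsafe-eval")
    return flags


def drift(baseline: dict, current: dict) -> dict:
    """Compare a previously reviewed manifest with the installed one. A silent
    update is exactly where ShadyPanda turned trusted extensions malicious, so
    permission growth after a version bump deserves a second review."""
    b_api, b_hosts = extract_permissions(baseline)
    c_api, c_hosts = extract_permissions(current)
    return {
        "version": (baseline.get("version"), current.get("version")),
        "new_api": sorted(c_api - b_api),
        "new_hosts": sorted(c_hosts - b_hosts),
        "new_flags": sorted(risk_flags(current) - risk_flags(baseline)),
    }


def audit(baselines: dict, installed: dict) -> list:
    """Rank each installed extension: HIGH if its permissions grew since the
    baseline, MEDIUM if it holds risky permissions, LOW otherwise."""
    findings = []
    for ext_id, manifest in installed.items():
        flags = risk_flags(manifest)
        d = drift(baselines[ext_id], manifest) if ext_id in baselines else None
        if d and (d["new_api"] or d["new_hosts"]):
            severity = "HIGH"
        elif flags:
            severity = "MEDIUM"
        else:
            severity = "LOW"
        findings.append({"id": ext_id, "name": manifest.get("name"),
                         "severity": severity, "flags": sorted(flags), "drift": d})
    return findings


def load_installed(profile_dir: str) -> dict:
    """Read manifests from a Chrome/Edge profile's Extensions/<id>/<version>/
    manifest.json tree (the real on-disk layout); if several version
    directories exist, the last one in sort order wins."""
    installed = {}
    for m in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        installed[m.parent.parent.name] = json.loads(m.read_text(encoding="utf-8"))
    return installed


# Constructed sample: one extension as it was reviewed a year ago and as it
# looks after a background update, plus an unrelated low-risk one.
BASELINES = {
    "aaaaexampleid": {"name": "Tab Tidy", "version": "2.1.0", "manifest_version": 3,
                      "permissions": ["storage"], "host_permissions": []},
}
INSTALLED = {
    "aaaaexampleid": {"name": "Tab Tidy", "version": "2.2.0", "manifest_version": 3,
                      "permissions": ["storage", "cookies", "scripting"],
                      "host_permissions": ["<all_urls>"]},
    "bbbbexampleid": {"name": "Dark Theme", "version": "1.0.3", "manifest_version": 2,
                      "permissions": ["storage"]},
}

if __name__ == "__main__":
    for f in audit(BASELINES, INSTALLED):
        print(f"{f['severity']:6} {f['name']} ({f['id']}) flags={f['flags']} drift={f['drift']}")
```

Run against a real profile by replacing `INSTALLED` with `load_installed("<path to profile dir>")` and keeping `BASELINES` as the manifests you last reviewed; the severity logic deliberately treats permission growth after an update as more serious than static risky permissions, because that growth is the signal the store badges and years of clean behaviour would otherwise mask.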
Read at The Hacker News