KOI links WeTab and Infinity V+ to hijacked Chrome and Edge extensions
KOI says ShadyPanda hijacked Chrome and Edge extensions, linking WeTab and Infinity V+ to data harvesting, cookie theft and code updates impacting 4.3M users.
WeTab and Infinity V+ are under scrutiny after cybersecurity specialists said these and several other Chrome extensions may have been covertly hijacking browsers and harvesting sensitive data for years. According to KOI, roughly 4.3 million Chrome and Microsoft Edge users were caught up in the campaign, which leaned not on phishing or social engineering but on silent updates to already popular add‑ons.
KOI attributes the operation to a group it refers to as ShadyPanda. The playbook was disarmingly pragmatic: publish fully functional extensions, build audience, ratings and downloads over time, then slip in updates carrying malicious code. Because extension stores tend to scrutinize submissions at launch more closely than later changes, tools that looked trustworthy could quietly linger for a long time. It’s a patience game that exploits a well‑known blind spot.
KOI’s report outlines several incidents, including two campaigns in 2023. In the first, dozens of extensions posing as wallpaper packs and handy utilities allegedly tracked user behavior and altered page content on sites like eBay, Amazon and Booking.com by injecting affiliate tags and trackers to monetize purchases and traffic data. In the second episode, the malicious functions were linked to Infinity V+: the extension redirected searches to an external resource, captured cookies, logged what users typed into the search bar and exfiltrated the data to outside servers.
KOI also describes a “first stage” in which five extensions received a backdoor enabling remote code execution, affecting about 300,000 users. Some had been listed since 2018–2019 and even carried badges suggesting they were recommended; in mid‑2024, after installations climbed, they allegedly received an update that added the backdoor. The module could regularly fetch commands, download arbitrary JavaScript, run it with browser API privileges and inject malicious HTTPS content into any site. It also harvested browsing history, referrers, timestamps, persistent identifiers, a full browser fingerprint and other data, while attempting to keep a low profile if developer mode was enabled.
The most extensive part of the research focuses on a “second stage.” KOI says another five extensions from the same developer made it into the Edge store and collectively surpassed 4 million installs, with two of them potentially initiating the installation of malware. The new‑tab extension WeTab drew the most attention: it is credited with about 3 million installs and with covertly sending telemetry, including visited URLs, search results, mouse clicks, the browser fingerprint, on‑page interactions and storage access events. The data, KOI says, was funneled across numerous domains, and the update mechanism meant compromised browsers could be turned into controllable nodes for further attacks at any time.
All of this lays bare how fragile the trust model around extensions really is: even a popular, well‑reviewed add‑on can change character after an update. The practical advice is simple but worth repeating—audit your installed extensions, remove anything you don’t need, review permissions carefully and, if the browser starts acting oddly, run a system check and change passwords, especially if an extension may have accessed cookies and your browsing history.
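One way to act on that advice is to audit what each installed extension can actually do, and to compare a manifest before and after an update rather than trusting ratings. The script below is an added example and is not code from KOI's report or from any extension named above; it reads the `Extensions/<id>/<version>/manifest.json` layout that Chrome and Edge profiles use, flags permissions and host patterns that would let an extension read cookies, observe traffic or rewrite any page, and records when each manifest was last written so a recent silent update stands out. The two manifests embedded in it are constructed for illustration (the "update" is hypothetical, not a real extension's), and the list of risky permissions is the author's own judgement rather than anything on the page.

```python
"""Audit Chromium-based browser extensions for capabilities that a silent update could abuse.

Added example; not part of KOI's report or of any named extension. Walks a Chrome/Edge
profile's Extensions/<id>/<version>/manifest.json tree and flags permissions that reach
into cookies, traffic and page content. The sample manifests below are constructed.
"""
import json
import os
import sys
from datetime import datetime

# API permissions worth a second look (author's own list, not from the report).
RISKY_PERMISSIONS = {
    "cookies": "can read and modify cookies for permitted hosts",
    "webRequest": "can observe HTTP(S) requests",
    "webRequestBlocking": "can block or modify HTTP(S) requests",
    "declarativeNetRequest": "can rewrite or redirect requests",
    "scripting": "can inject scripts into pages",
    "tabs": "can read URLs and titles of open tabs",
    "history": "can read browsing history",
    "webNavigation": "can observe navigation events",
    "management": "can enumerate or disable other extensions",
    "nativeMessaging": "can talk to native host programs",
}

# Host patterns that amount to "every site".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one extension manifest (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 keeps hosts separate
    # In MV2, host patterns sit alongside API permissions in "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms & RISKY_PERMISSIONS.keys()):
        findings.append(f"permission '{p}': {RISKY_PERMISSIONS[p]}")
    if hosts & BROAD_HOSTS:
        findings.append("host access to all sites")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script injected into every page")
            break
    return findings


def diff_findings(before: dict, after: dict) -> list[str]:
    """Findings that appear only in the newer manifest: the 'changed character after update' signal."""
    old = set(assess_manifest(before))
    return [f for f in assess_manifest(after) if f not in old]


def scan_profile(profile_dir: str) -> list[dict]:
    """Assess every <profile>/Extensions/<id>/<version>/manifest.json and note its last write time."""
    results = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return results
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            mpath = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            with open(mpath, encoding="utf-8") as fh:
                manifest = json.load(fh)
            results.append({
                "id": ext_id,
                "version": version,
                "name": manifest.get("name", "?"),  # may be a __MSG_…__ locale key
                "updated": datetime.fromtimestamp(os.path.getmtime(mpath)).isoformat(timespec="seconds"),
                "findings": assess_manifest(manifest),
            })
    return results


# Constructed sample manifests (hypothetical, not real extensions): a plain new-tab page
# and the same extension after an imagined update that broadens its reach.
BENIGN_NEWTAB = {
    "manifest_version": 3,
    "name": "Example New Tab (constructed)",
    "version": "1.0",
    "chrome_url_overrides": {"newtab": "newtab.html"},
    "permissions": ["storage"],
}

UPDATED_NEWTAB = {
    "manifest_version": 3,
    "name": "Example New Tab (constructed)",
    "version": "1.1",
    "chrome_url_overrides": {"newtab": "newtab.html"},
    "permissions": ["storage", "cookies", "tabs", "scripting", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # pass a profile directory to audit a real install
        for r in scan_profile(sys.argv[1]):
            print(f"{r['id']} {r['name']} v{r['version']} (manifest written {r['updated']})")
            for f in r["findings"]:
                print(f"    - {f}")
    else:  # no argument: show the before/after comparison on the constructed manifests
        print("Benign:", assess_manifest(BENIGN_NEWTAB))
        print("New after update:", diff_findings(BENIGN_NEWTAB, UPDATED_NEWTAB))
```

Run it with a profile path (on Linux typically `~/.config/google-chrome/Default` or `~/.config/microsoft-edge/Default`) to list every extension with its flagged capabilities and the time its manifest was last written; a new-tab or wallpaper extension whose manifest suddenly gained `cookies`, `webRequest` and `<all_urls>` in a recent version is exactly the pattern the report describes. Keeping a saved copy of earlier output and feeding old and new manifests through `diff_findings` turns a one-off check into a change detector.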