While some consumers spend hours researching must-add Google Chrome extensions, most don't consider which ones they need to delete. Following a seven-year hacking campaign that infected roughly 4.3 million Chrome and Edge browsers with spyware, it might be time to do just that. Dubbed ShadyPanda by the cybersecurity research firm Koi Security, which first reported the scheme in December 2025, the group operated several legitimate browser extensions for years before weaponizing them to collect its users' web browsing data. According to Koi Security, the Chinese hacking group is a quintessential example of how malicious actors abuse popular marketplaces like those of Google and Microsoft Edge: they accumulate users first, then push through software updates that infect victims with dangerous malware. Following the report, several additional extensions involved in the project were publicly identified by The Hacker News:

Clean Master: the best Chrome Cache Cleaner

Speedtest Pro-Free Online Internet Speed Test

BlockSite

Address bar search engine switcher

SafeSwift New Tab

Infinity V+ New Tab

OneTab Plus:Tab Manage & Productivity

WeTab 新标签页

Infinity New Tab for Mobile

Infinity New Tab (Pro)

Infinity New Tab

Dream Afar New Tab

Download Manager Pro

Galaxy Theme Wallpaper HD 4k HomePage

Halo 4K Wallpaper HD HomePage

When Koi broke the story, many of these extensions were still active in both the Google Chrome and Microsoft Edge browser stores. However, in a statement given to The Hacker News, Microsoft said that it had removed all the extensions identified in the scam. Following the scheme, experts suggest users remove any unrecognized browser extensions, review privacy permissions, and focus only on trusted developers. For the industry writ large, the case is a fascinating look into an ever-evolving threat landscape, providing key lessons for preventing future attacks.
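The review step suggested above, as an added example that is not code from Koi Security or The Hacker News: a Python script that walks a browser profile's Extensions directory (assumed layout `<extension id>/<version>/manifest.json`), resolves localized extension names, and flags entries whose name matches the list on this page or that request access to all sites. The function names are this example's own, and because the page gives names rather than extension IDs, a name match is a prompt for manual review, not proof.

```python
import json
import re
import sys
from pathlib import Path

# Names as listed on this page (names only; the page gives no extension IDs).
LISTED_NAMES = [
    "Clean Master: the best Chrome Cache Cleaner", "BlockSite", "SafeSwift New Tab",
    "Speedtest Pro-Free Online Internet Speed Test", "Infinity V+ New Tab",
    "Address bar search engine switcher", "OneTab Plus:Tab Manage & Productivity",
    "WeTab 新标签页", "Infinity New Tab for Mobile", "Infinity New Tab (Pro)",
    "Infinity New Tab", "Dream Afar New Tab", "Download Manager Pro",
    "Galaxy Theme Wallpaper HD 4k HomePage", "Halo 4K Wallpaper HD HomePage",
]
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def norm(name):  # case-fold and collapse whitespace so cosmetic variants match
    return re.sub(r"\s+", " ", name).strip().casefold()

def display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name from _locales/<default_locale>."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    path = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        msgs = json.loads(path.read_text(encoding="utf-8-sig"))  # tolerate a BOM
    except (OSError, ValueError):
        return name  # keep the placeholder if the locale file is unreadable
    by_key = {k.casefold(): v for k, v in msgs.items()}  # keys are case-insensitive
    return by_key.get(m.group(1).casefold(), {}).get("message", name)

def audit(extensions_root):
    """Yield (id, version, name, name_is_listed, broad_hosts) per manifest found."""
    listed = {norm(n) for n in LISTED_NAMES}
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # skip unreadable or corrupt manifests
        name = display_name(mf.parent, manifest)
        # MV2 keeps host patterns in "permissions", MV3 in "host_permissions".
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        broad = sorted(p for p in perms if isinstance(p, str) and p in BROAD_HOSTS)
        yield (mf.parts[-3], mf.parts[-2], name, norm(name) in listed, broad)

if __name__ == "__main__":  # pass an Extensions directory, or run from inside one
    for row in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep="\t")
```

Each output row gives the extension ID, installed version, resolved name, whether the name is on the list above, and any all-sites host patterns it requests.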