Browser Extension Risk Guide in the Wake of the ShadyPanda Campaign

In early December 2025, security researchers detailed a long-running cybercrime campaign that had quietly turned popular Chrome and Edge browser extensions into a large-scale compromise channel.

A threat actor tracked as ShadyPanda operated on a multi-year timeline, publishing or buying seemingly benign extensions, leaving them clean for years to build user trust and rack up installs, and then converting them into malware through silent updates. Over time, roughly 4.3 million users installed these initially legitimate add-ons, which later pivoted into spyware and browser-based backdoors.

From a defender’s perspective, this is effectively a browser-extension supply-chain compromise.

The ShadyPanda operators even obtained featured and verified status for some extensions in the official Chrome Web Store and Microsoft Edge Add-ons catalog, further lowering user suspicion. Because extension updates are delivered and installed automatically in the background, the adversaries could ship malicious payloads without any user interaction or obvious prompts.

Once the malicious updates were pushed in mid-2024, the weaponized extensions acted as an in-browser remote code execution (RCE) framework. They could fetch and execute arbitrary JavaScript with broad access to browser data and capabilities. This enabled a wide range of espionage and manipulation: tracking URLs and keystrokes, injecting hostile scripts into pages, and exfiltrating browsing data and credentials.

One of the most damaging behaviors was theft of session cookies and tokens – the same artifacts web apps use to maintain authenticated sessions. With those in hand, the extensions could impersonate full SaaS accounts (for example, Microsoft 365 or Google Workspace) by riding existing sessions rather than breaking authentication.

Why Browser Extensions Are a SaaS Security Nightmare

For SOC and SaaS security teams, ShadyPanda is a concrete case study. It shows that a hostile browser extension can function as an embedded intruder with effective keys to a user’s SaaS accounts. If an extension captures a user’s session cookie or token, it can effectively unlock that user’s access to Slack, Salesforce, or any other web application where that browser session is active.

At this scale, millions of compromised session tokens could translate into unauthorized access to corporate email, documents, collaboration tools, and other data – often without tripping traditional controls. Standard identity protections like MFA are sidestepped because the session is already established and the extension is simply reusing it.

The exposure is not limited to a single endpoint owner. Many organizations still let users install extensions at will, without the vetting they’d apply to native software. Yet these extensions can see cookies, local storage, cloud auth sessions, active page content, and downloaded files – in many cases, everything a user sees in their browser.

This creates a direct overlap between endpoint and cloud security responsibilities. A malicious extension runs on an endpoint but immediately impacts cloud accounts and data, blurring the line between device security and identity/SaaS security. ShadyPanda underscores why SOC teams need to treat the browser itself as part of the SaaS attack surface and instrument it accordingly.

Steps to Reduce Browser Extension Risk

With that context, what can organizations do to limit the blast radius of ShadyPanda-style activity? Below is a practical, operations-focused checklist to harden your environment against malicious browser extensions.

1. Enforce Extension Allow Lists and Governance

Begin by asserting control over which extensions are allowed to execute in the environment. Run an inventory across managed browsers (and, where feasible, BYOD endpoints) to identify what’s installed and remove extensions that are unused, unvetted, or expose excessive risk.

Require clear business justification for extensions that request broad or sensitive permissions (for example, extensions that can read data on all websites). Use enterprise browser management capabilities to enforce an allow list so that only reviewed extensions can be added. This creates a default-deny posture for new or unknown extensions and reduces the long tail of opportunistic installs.

Do not assume that popularity implies safety; ShadyPanda leveraged well-known, long-trusted extensions as delivery vehicles. Treat every extension as untrusted until it has passed a defined security review and approval workflow.
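One way to turn the allow-list step into a concrete artifact, as an added example that is not from the original article or from any vendor's tooling: reconcile what endpoints report as installed against the set of reviewed extension IDs, then emit a default-deny Chrome/Edge `ExtensionSettings` policy. The policy keys (`ExtensionSettings`, `installation_mode`, `blocked_permissions`, `allowed_permissions`) are the real Chromium enterprise policy names; the inventory, the 32-character extension IDs and the approval decisions below are constructed placeholders.

```python
"""Reconcile an extension inventory against a reviewed allow list and emit a
default-deny ExtensionSettings policy for Chrome/Edge enterprise management.

Added example. INVENTORY and APPROVED_IDS are constructed; the IDs are
placeholders, not real Web Store extensions.
"""
import json

# Constructed sample of what an endpoint agent reports as installed.
# Permission names follow the Chrome extension manifest vocabulary.
INVENTORY = [
    {"id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "Approved PDF viewer",
     "permissions": ["activeTab"], "host_permissions": []},
    {"id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "name": "Unreviewed coupon finder",
     "permissions": ["cookies", "webRequest", "tabs"], "host_permissions": ["<all_urls>"]},
    {"id": "cccccccccccccccccccccccccccccccc", "name": "Approved password manager",
     "permissions": ["storage", "cookies"], "host_permissions": ["https://vault.example/*"]},
]

# Output of the review workflow: IDs with a recorded business justification (constructed).
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "cccccccccccccccccccccccccccccccc"}

# Permissions that need explicit justification even for an approved extension.
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "debugger",
                         "nativeMessaging", "proxy", "history"}


def reconcile(inventory, approved_ids):
    """Split installed extensions into remove-now (not approved) and
    approved-but-holding-sensitive-permissions (needs a written justification)."""
    to_remove, needs_justification = [], []
    for ext in inventory:
        if ext["id"] not in approved_ids:
            to_remove.append(ext["id"])
            continue
        sensitive = sorted(set(ext["permissions"]) & SENSITIVE_PERMISSIONS)
        if "<all_urls>" in ext["host_permissions"]:
            sensitive.append("<all_urls>")
        if sensitive:
            needs_justification.append((ext["id"], sensitive))
    return {"remove": to_remove, "needs_justification": needs_justification}


def build_policy(approved_ids, justified=None, blocked=SENSITIVE_PERMISSIONS):
    """Default-deny policy: the "*" entry blocks installation of anything not
    listed and strips the sensitive permissions from every extension; an
    approved extension with a recorded justification gets them back via
    'allowed_permissions'. Because the block is enforced by the browser at
    install and update time, a later silent update that requests a blocked
    permission is refused rather than quietly granted."""
    justified = justified or {}
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_permissions": sorted(blocked)}}
    for ext_id in sorted(approved_ids):
        entry = {"installation_mode": "allowed"}
        if ext_id in justified:
            entry["allowed_permissions"] = sorted(justified[ext_id])
        policy[ext_id] = entry
    return {"ExtensionSettings": policy}


if __name__ == "__main__":
    result = reconcile(INVENTORY, APPROVED_IDS)
    print(json.dumps(result, indent=2))
    # The password manager's cookie access was reviewed and accepted (constructed decision).
    print(json.dumps(build_policy(APPROVED_IDS,
                                  {"cccccccccccccccccccccccccccccccc": ["cookies"]}), indent=2))
```

The emitted JSON is what you would push through the browser's managed-policy channel (Windows registry or Group Policy, macOS configuration profile, or the managed policies directory on Linux); the reconcile output drives the cleanup of what is already installed.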

2. Treat Extension Access Like OAuth Access

Adjust your mental model so that browser extensions are handled more like third-party SaaS or OAuth apps in terms of the permissions they receive. In practice, this means folding extension oversight into existing identity and access controls.

Just as you maintain a catalog of sanctioned OAuth integrations, maintain one for browser extensions in use. Map what data sets and actions each extension can realistically reach – for example, if an extension can view all web traffic, it can likely view SaaS application data in transit; if it can read cookies, it can often replay or hijack sessions for any associated services.

Since malicious extensions can capture and reuse session tokens, identity detection and response tooling should watch for indicators of session takeover: for instance, alert on abnormal token use from distinct locations, or on access patterns that appear to skip normal MFA checks.

The operational goal is to manage extensions with the same rigor as any other app granted access to sensitive data. Minimize extension permissions wherever you can, and when users change roles or leave, ensure that high-risk extensions are removed just as you would revoke access to unnecessary SaaS or OAuth applications.
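The two session-takeover indicators named above (the same token presented from distinct locations, and access that never passed through an MFA login) as detection logic over a constructed authentication log. This is an added example, not code from the article or from any identity platform; the field names (`session`, `mfa`, `ip`) and the log entries are this example's own.

```python
"""Identity-side detection for replayed session tokens.

Added example. SAMPLE_LOG is constructed: a 'login' event records whether the
IdP enforced MFA when the session was minted; each later 'request' carries the
session identifier the browser presented. Field names are not any real IdP's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = [
    {"ts": "2025-12-03T08:00:00", "event": "login", "user": "alice",
     "session": "s-1001", "ip": "203.0.113.10", "mfa": True},
    {"ts": "2025-12-03T08:05:00", "event": "request", "user": "alice",
     "session": "s-1001", "ip": "203.0.113.10", "path": "/mail"},
    # Same session token from a different network fourteen minutes later.
    {"ts": "2025-12-03T08:14:00", "event": "request", "user": "alice",
     "session": "s-1001", "ip": "198.51.100.77", "path": "/mail/export"},
    {"ts": "2025-12-03T09:00:00", "event": "login", "user": "bob",
     "session": "s-2002", "ip": "203.0.113.11", "mfa": True},
    {"ts": "2025-12-03T09:10:00", "event": "request", "user": "bob",
     "session": "s-2002", "ip": "203.0.113.11", "path": "/files"},
    # A session that carries requests but was never minted by a logged MFA login.
    {"ts": "2025-12-03T09:30:00", "event": "request", "user": "carol",
     "session": "s-3003", "ip": "198.51.100.78", "path": "/admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_session_reuse(log, window=timedelta(hours=1)):
    """Flag a session whose token is presented from more than one source IP
    within 'window'. Legitimate roaming (VPN, mobile) also does this, so the
    output is a lead for triage, not proof of compromise."""
    seen = defaultdict(list)  # session -> [(timestamp, ip)]
    findings = []
    for event in sorted(log, key=_ts):
        prior = seen[event["session"]]
        for ts, ip in prior:
            if ip != event["ip"] and _ts(event) - ts <= window:
                findings.append({"session": event["session"], "user": event["user"],
                                 "ips": sorted({ip, event["ip"]}), "at": event["ts"]})
                break
        prior.append((_ts(event), event["ip"]))
    return findings


def detect_unbound_sessions(log):
    """Flag sessions that serve requests without an MFA-passed login event in
    the log: the token reached the application without going through the
    normal authentication path, which is what a replayed cookie looks like."""
    mfa_sessions = {e["session"] for e in log if e["event"] == "login" and e.get("mfa")}
    return sorted({e["session"] for e in log
                   if e["event"] == "request" and e["session"] not in mfa_sessions})


if __name__ == "__main__":
    for finding in detect_session_reuse(SAMPLE_LOG):
        print("token reuse:", finding)
    print("sessions with no MFA login:", detect_unbound_sessions(SAMPLE_LOG))
```

In production the IP comparison would normally be on ASN or geolocation rather than raw address, and the "no MFA login" check needs the login log and the application access log joined on the same session identifier; the structure of the two checks stays the same.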

3. Audit Extension Permissions Regularly

Make extension assessment a standing control, similar to periodic access reviews or SaaS application audits. On a recurring cadence, enumerate extensions and associated permissions across the fleet.

Focus on what each extension can read or modify. For each one, validate: Is there still a valid business need? Have the permissions expanded? Has publisher identity, ownership, or branding shifted?

Adversaries frequently acquire benign extensions or insert new maintainers before shipping weaponized updates. Reviewing publisher details and release history can help surface anomalies before they translate into incidents.

Also, flag any extension that suddenly requests broader permissions than previous versions – that’s often an early indicator that the extension has changed hands or intent.
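The recurring audit described in this section, as an added example that is not part of the original article: two constructed fleet snapshots (the previous review and the current state) are compared per extension, flagging permission expansion, a publisher change, extensions that appeared since the last review, and missing business justification, with a simple risk weight so reviewers see the most dangerous items first. The weights, IDs and snapshot records are this example's own assumptions.

```python
"""Periodic extension permission audit across two fleet snapshots.

Added example. PREVIOUS_REVIEW and CURRENT_FLEET are constructed records of
the kind an inventory tool exports; 'ext-a'..'ext-c' are placeholder IDs.
"""

# Rough weight per permission, reflecting what it lets an extension reach.
# Constructed for this example; tune to your own risk model.
RISK_WEIGHTS = {"<all_urls>": 3, "cookies": 3, "webRequest": 2, "scripting": 2,
                "tabs": 1, "history": 2, "nativeMessaging": 3, "debugger": 3}

PREVIOUS_REVIEW = [
    {"id": "ext-a", "name": "PDF preview", "publisher": "Example Tools",
     "permissions": ["activeTab"], "host_permissions": [],
     "justification": "Finance needs in-browser PDF preview"},
    {"id": "ext-b", "name": "Coupon finder", "publisher": "Original Dev",
     "permissions": ["tabs"], "host_permissions": ["https://*.shop.example/*"],
     "justification": "Procurement price checks"},
]

CURRENT_FLEET = [
    {"id": "ext-a", "name": "PDF preview", "publisher": "Example Tools",
     "permissions": ["activeTab"], "host_permissions": [],
     "justification": "Finance needs in-browser PDF preview"},
    # Same ID, new owner, and a much broader permission set than last review.
    {"id": "ext-b", "name": "Coupon finder", "publisher": "NewCo Ltd",
     "permissions": ["tabs", "cookies", "webRequest"], "host_permissions": ["<all_urls>"],
     "justification": "Procurement price checks"},
    # Appeared since the last review, with nobody on record asking for it.
    {"id": "ext-c", "name": "Tab organiser", "publisher": "Someone",
     "permissions": ["storage"], "host_permissions": [], "justification": ""},
]


def _reach(ext):
    """All permission strings an extension holds, API and host alike."""
    return set(ext["permissions"]) | set(ext["host_permissions"])


def permission_risk(ext):
    return sum(RISK_WEIGHTS.get(p, 0) for p in _reach(ext))


def compare_snapshots(previous, current):
    """Return one finding per extension that needs reviewer attention,
    highest risk first. Extensions with no change and a justification are silent."""
    prev = {e["id"]: e for e in previous}
    findings = []
    for ext in current:
        reasons = []
        old = prev.get(ext["id"])
        if old is None:
            reasons.append("new since last review")
        else:
            added = _reach(ext) - _reach(old)
            if added:
                reasons.append("permissions expanded: " + ", ".join(sorted(added)))
            if old["publisher"] != ext["publisher"]:
                reasons.append(f"publisher changed: {old['publisher']} -> {ext['publisher']}")
        if not ext.get("justification"):
            reasons.append("no recorded business justification")
        if reasons:
            findings.append({"id": ext["id"], "name": ext["name"],
                             "risk": permission_risk(ext), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["risk"])


if __name__ == "__main__":
    for f in compare_snapshots(PREVIOUS_REVIEW, CURRENT_FLEET):
        print(f"[risk {f['risk']}] {f['id']} {f['name']}: " + "; ".join(f["reasons"]))
```

Publisher and permission data for the comparison can come from the extension manifests on disk, from browser management reporting, or from the store listing; whichever source you use, keep the previous snapshot so that the next run has something to diff against.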

4. Monitor for Suspicious Extension Behavior

Because browser ecosystems silently auto-update extensions, a previously trusted add-on can turn malicious in a single release with no explicit user prompt. SOC teams should therefore deploy monitoring geared towards detecting that transition.

This should combine technical telemetry with user-facing signals.

On the technical side, collect and review data about extension life cycle events and behavior: track new installations, updates, removals, and anomalous network activity from extensions (such as persistent communication with unfamiliar external infrastructure).

Some organizations parse browser logs or leverage endpoint agents to detect unexpected changes to extension files or configurations. Where possible, consider gating or staging extension updates – for example, rolling updates to a pilot group before broad rollout.

On the user side, train employees to raise tickets when a long-standing extension changes behavior (new UI elements, unexpected ads or pop-ups, unexplained slowness). These soft signals can be tied into your triage process to narrow the gap between a malicious update going live and your team containing it.
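The technical-telemetry side of this section, as an added example that is not from the article or from any endpoint product: a stream of constructed extension life-cycle and network events (JSON lines, one per event) is run through detection logic that flags installs outside the allow list, an extension contacting a destination it never contacted before its most recent update, and persistent contact with such a destination. The event schema (`ext_install`, `ext_update`, `ext_remove`, `ext_net`) and all domains and IDs are this example's own; your endpoint agent or browser reporting will use different field names.

```python
"""Detect the benign-to-malicious transition from extension telemetry.

Added example. TELEMETRY is constructed JSON-lines data in an invented schema;
'ext-a', 'ext-b', 'ext-z' and the domains are placeholders.
"""
import json
from collections import defaultdict

ALLOW_LIST = {"ext-a", "ext-b"}  # IDs that passed review (constructed)

TELEMETRY = "\n".join([
    '{"ts":"2025-12-03T10:00:00","host":"wk-01","event":"ext_net","ext_id":"ext-b","dest":"api.coupons.example"}',
    '{"ts":"2025-12-03T10:05:00","host":"wk-01","event":"ext_update","ext_id":"ext-b","version":"3.1.0"}',
    '{"ts":"2025-12-03T10:06:00","host":"wk-01","event":"ext_net","ext_id":"ext-b","dest":"api.coupons.example"}',
    '{"ts":"2025-12-03T10:07:00","host":"wk-01","event":"ext_net","ext_id":"ext-b","dest":"cdn-metrics.invalid"}',
    '{"ts":"2025-12-03T10:12:00","host":"wk-01","event":"ext_net","ext_id":"ext-b","dest":"cdn-metrics.invalid"}',
    '{"ts":"2025-12-03T10:17:00","host":"wk-01","event":"ext_net","ext_id":"ext-b","dest":"cdn-metrics.invalid"}',
    '{"ts":"2025-12-03T11:00:00","host":"wk-02","event":"ext_install","ext_id":"ext-z","version":"1.0.0"}',
    '{"ts":"2025-12-03T11:30:00","host":"wk-03","event":"ext_remove","ext_id":"ext-a"}',
])


def parse_events(text):
    """Parse JSON lines; events are assumed to arrive in chronological order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events, allow_list, beacon_threshold=3):
    """Walk the event stream once and return findings in the order they fire.

    baseline[ext]   destinations the extension contacted before its latest update
    post_update[ext][dest]  contact count for destinations first seen after it
    """
    findings = []
    baseline = defaultdict(set)
    latest_version = {}
    post_update = defaultdict(lambda: defaultdict(int))

    for e in events:
        kind, ext = e["event"], e["ext_id"]
        if kind == "ext_install" and ext not in allow_list:
            findings.append({"ext_id": ext, "host": e["host"], "at": e["ts"],
                             "reason": "install outside allow list"})
        elif kind == "ext_update":
            # A new release resets the post-update counters; what it talks to
            # from here on is compared against the pre-update baseline.
            latest_version[ext] = e["version"]
            post_update[ext].clear()
        elif kind == "ext_net":
            dest = e["dest"]
            if ext in latest_version and dest not in baseline[ext]:
                post_update[ext][dest] += 1
                hits = post_update[ext][dest]
                if hits == 1:
                    findings.append({"ext_id": ext, "host": e["host"], "at": e["ts"],
                                     "reason": f"new destination {dest} after update to {latest_version[ext]}"})
                elif hits == beacon_threshold:
                    findings.append({"ext_id": ext, "host": e["host"], "at": e["ts"],
                                     "reason": f"persistent contact with {dest} ({hits} hits) after update"})
            else:
                baseline[ext].add(dest)
        # ext_remove events are kept in the stream for inventory reconciliation
        # but do not raise a finding on their own.
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(TELEMETRY), ALLOW_LIST):
        print(f"{f['at']} {f['host']} {f['ext_id']}: {f['reason']}")
```

The "new destination after update" rule is deliberately narrow: it only fires for an extension that has just updated, which keeps the noise from extensions with legitimately variable traffic low while catching the exact moment this article is about, a trusted add-on starting to talk to infrastructure it never used before.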

Bridging Endpoint and SaaS Security (How Reco Can Help)

ShadyPanda illustrates that attackers do not always need exploits to gain meaningful access; in many cases, patience, user trust, and unmonitored browser extensions are enough. For SOC teams, the takeaway is clear: browser extensions are part of the attack surface and must be monitored like any other high-privilege component.

The browser effectively operates as a high-value endpoint in front of your SaaS stack, which means extension governance and monitoring should be incorporated into your broader detection and response strategy. By enforcing allow lists, reviewing permissions, tracking updates, and treating extensions as powerful third-party apps, you can significantly reduce the likelihood that an extension becomes the initial access vector.

From there, consider how modern SaaS security tooling can help operationalize this at scale.

New classes of dynamic SaaS security platforms are emerging to give organizations continuous visibility into SaaS usage patterns, including risky connected apps and browser extensions, and to provide identity-aware detections that tie extension behavior to account activity.

With suitable SaaS-aware telemetry, you can gain consolidated visibility into extensions across your estate and surface suspicious behavior in near real time. Reco can help link browser-side risks to SaaS account activity, giving SOC teams a single view to correlate extension events, identity anomalies, and data access. By putting these controls in place and using platforms like Reco to automate discovery, monitoring, and detection, security operations can stay ahead of the next ShadyPanda-style campaign.


Note: This article is expertly written and contributed by Gal Nakash, Co-founder & CPO of Reco. Gal previously served as a Lieutenant Colonel in the Israeli Prime Minister’s Office and brings a hands-on background as a security researcher and offensive operator, leading teams across multiple cybersecurity domains with a focus on the human element.



All Rights Reserved by Jutsu Inc. | 2024