Browser extensions pushed malware to 4.3M Chrome, Edge users
Briefly

"A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending people's data to servers in China. And, according to Koi researchers, five of the extensions with more than 4 million installs are still live in the Edge marketplace."
"The attackers, which Koi named ShadyPanda, played the long game: publishing legitimate extensions, accumulating thousands or sometimes millions of downloads over several years, and then pushing a malware-laden update that auto-updates across the entire user base. Because both marketplaces review extensions upon submission - it's not an ongoing process - these seemingly stellar productivity tools, some with Featured and Verified status alongside glowing user reviews and high install counts, were allowed to track people's behavior and steal sensitive info silently for years."
"'No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance platforms,' the threat-hunting team said in a Monday blog. Microsoft did not respond to The Register's requests for comment. A Google spokesperson confirmed none of the extensions are available on the Chrome Web Store, and we are aware that Google screens every single update to extensions in the Chrome store, no matter how minor the change."
The campaign spanned seven years and infected about 4.3 million Chrome and Edge users with backdoors and spyware that sent data to servers in China. The attackers, which Koi named ShadyPanda, published legitimate extensions, built large install bases, and later pushed malicious updates that auto-updated across every installed copy. Marketplace reviews occurred only at submission rather than continuously, so Featured and Verified extensions with positive reviews were able to run malicious versions for years. Multiple campaign phases were tracked, and at least two campaigns remained active. One campaign pushed a remote-code-execution backdoor via five extensions, infecting roughly 300,000 users, including through extensions holding Featured status.
Read at The Register