4.3M Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign

https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign

100•janpio•2mo ago

Comments

ipnon•2mo ago

The builtin JavaScript interpreter is such a devious touch. No one blinks an eye at several MBs of extension data. That’s plenty of room to store arbitrary runtimes in, and then all the default browser runtime protections are pointless.

chatmasta•2mo ago

The runtime protections aren’t pointless. The interpreter makes it difficult to inspect the malicious code during execution, but it doesn’t circumvent any sandboxing of the browser.

payphonefiend•2mo ago

Painful read, this reads like it was written by AI.

OsrsNeedsf2P•2mo ago

Kept feeling like it was about to say something interesting, but by half way through nothing else was said

stevekemp•2mo ago

I flag posts like this.

mzs•2mo ago

simple human written summary: https://www.theregister.com/2025/12/01/chrome_edge_malicious...

VladVladikoff•2mo ago

The line is becoming very blurred to me, I did not really notice.

nenxk•2mo ago

This line was what tipped me off.

“This isn't malware with a fixed function. It's a backdoor.”

pogue•2mo ago

What about that sentence is sus to you? I'm not sure if I'm missing another AI tell I'm not aware of or what.

RicoElectrico•2mo ago

Seems very similar to not only X, but also Y

pogue•2mo ago

Is that a common attribute for LLMs to output into text?

sayamqazi•2mo ago

Yes there is a video on youtube "How to spot AI text"

pogue•2mo ago

I've watched that, but it was basically just the emdash thing.

burkaman•2mo ago

Seems to be company policy. They had another article here recently that was just as bad: https://news.ycombinator.com/item?id=45647853

gudzpoz•2mo ago

The WeTab / Infinity team has responded to this [1] (in Chinese). Basically, they argue that:

- The Clean Master extension has long been sold, and the malicious updated was not pushed by them.

- The other two mentioned extensions are not at all malicious. They collect use info for extension opt-out-able features and analytics (using Google Analytics and Baidu Analytics).

- They are communicating with the extension stores to restore their extension.

Let's hope it's not an AI company making AI-generated accusations.

[1] https://mp.weixin.qq.com/s/E8YQLWZFM2J7r5DZNSl47w & https://www.v2ex.com/t/1176484

gkbrk•2mo ago

The first point isn't meaningful from a user's perspective.

There's no difference between me trusting you and you pushing malware to me vs you selling your deploy access to a third party and the third party pushing malware to me.

Especially if selling the extension doesn't remove the old one from the browser automatically and reset it's rating to 0, download count to 0 and remove all the comments/reviews.

sionisrecur•2mo ago

I think in the chrome extension store you can't even change the email account attached to the extension. The only correct way to transfer an extension seems to be deleting it and having the new party create a new one.

huydotnet•2mo ago

I came to the article hoping to see the list of affected extensions, so I can check if I ever installed any of them. All I get was a list of extension ID at the very bottom of the post. Is this some sort of security practice to not promoting malicious packages or something?

notepad0x90•2mo ago

you can search your file system for those extension id's , it will be a directory name.

technion•2mo ago

Its more about the likely target audience: i can scan the whole enterprise and activate blocks with those ids.

huydotnet•2mo ago

That's my first thought, but it would still be helpful to have a list of names, since many people has switched browsers many times in the past, or used many different devices personally.

kanemcgrath•2mo ago

I made a list of the extension names here https://pastebin.com/eXb9GRjK

its mostly Homepage Wallpapers

gnatman•2mo ago

I was hoping to see a revenue estimate for injecting affiliate links on 4M browsers for 7 years… that must’ve been a lot of money!

pogue•2mo ago

So, has someone found or compiled a list of the actual extension names, not just IDs?

creatonez•2mo ago

> Koi researchers have identified a threat actor we're calling ShadyPanda

Is it that hard to come up with a name that isn't a generic orientalist trope?

First Proof

I squeezed a BERT sentiment analyzer into 1GB RAM on a $5 VPS

Kagi Translate

Building Interactive C/C++ workflows in Jupyter through Clang-REPL [video]

Tactical tornado is the new default

Full-Circle Test-Driven Firmware Development with OpenClaw

Automating Myself Out of My Job – Part 2

Google staff call for firm to cut ties with ICE

Dependency Resolution Methods

Crypto firm apologises for sending Bitcoin users $40B by mistake

Show HN: iPlotCSV: CSV Data, Visualized Beautifully for Free

There's no such thing as "tech" (Ten years later)

List of unproven and disproven cancer treatments

Me/CFS: The blind spot in proactive medicine (Open Letter)

Ask HN: What are the word games do you play everyday?

Show HN: Paper Arena – A social trading feed where only AI agents can post

TOSTracker – The AI Training Asymmetry

The Devil Inside GitHub

Show HN: Distill – Migrate LLM agents from expensive to cheap models

Show HN: Sigma Runtime – Maintaining 100% Fact Integrity over 120 LLM Cycles

Make a local open-source AI chatbot with access to Fedora documentation

Introduce the Vouch/Denouncement Contribution Model by Mitchellh

Software Factories and the Agentic Moment

The Neuroscience Behind Nutrition for Developers and Founders

Bang bang he murdered math {the musical } (2024)

A Night Without the Nerds – Claude Opus 4.6, Field-Tested

Could ionospheric disturbances influence earthquakes?

SpaceX's next astronaut launch for NASA is officially on for Feb. 11 as FAA clea

Show HN: One-click AI employee with its own cloud desktop

Show HN: Poddley – Search podcasts by who's speaking

First Proof

I squeezed a BERT sentiment analyzer into 1GB RAM on a $5 VPS

Kagi Translate

Building Interactive C/C++ workflows in Jupyter through Clang-REPL [video]

Tactical tornado is the new default

Full-Circle Test-Driven Firmware Development with OpenClaw

Automating Myself Out of My Job – Part 2

Google staff call for firm to cut ties with ICE

Dependency Resolution Methods

Crypto firm apologises for sending Bitcoin users $40B by mistake

Show HN: iPlotCSV: CSV Data, Visualized Beautifully for Free

There's no such thing as "tech" (Ten years later)

List of unproven and disproven cancer treatments

Me/CFS: The blind spot in proactive medicine (Open Letter)

Ask HN: What are the word games do you play everyday?

Show HN: Paper Arena – A social trading feed where only AI agents can post

TOSTracker – The AI Training Asymmetry

The Devil Inside GitHub

Show HN: Distill – Migrate LLM agents from expensive to cheap models

Show HN: Sigma Runtime – Maintaining 100% Fact Integrity over 120 LLM Cycles

Make a local open-source AI chatbot with access to Fedora documentation

Introduce the Vouch/Denouncement Contribution Model by Mitchellh

Software Factories and the Agentic Moment

The Neuroscience Behind Nutrition for Developers and Founders

Bang bang he murdered math {the musical } (2024)

A Night Without the Nerds – Claude Opus 4.6, Field-Tested

Could ionospheric disturbances influence earthquakes?

SpaceX's next astronaut launch for NASA is officially on for Feb. 11 as FAA clea

Show HN: One-click AI employee with its own cloud desktop

Show HN: Poddley – Search podcasts by who's speaking

4.3M Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign

Comments