Some seemingly “normal” browser extensions for Google Chrome and Microsoft Edge have been caught tracking users and acting like backdoors – meaning they can collect data and potentially run harmful code inside the browser. Security researchers at Koi Security tied the activity to a threat actor they call Shady Panda, which appears to have operated for years by building trust first, then turning extensions malicious through updates.
This matters for Twin Cities organizations because browsers are where your team logs into email, banking, vendor portals, Microsoft 365, CRMs, and more. A compromised browser can become a direct path to business data.
What happened (in plain English)
Researchers reported that more than 100 extensions were used to:
- Profile users (websites visited, searches, click patterns)
- Read cookie/session data that can uniquely identify users – and in some cases be used to hijack sessions
- Redirect searches (browser hijacking behavior)
- Potentially enable remote execution of malicious JavaScript via the extension update mechanism (a “backdoor” capability)
Some of these extensions reportedly built credibility over time – earning lots of installations and appearing legitimate – before being weaponized later.
What users might notice
If an affected extension is present, you may see:
- Search results changing or routing through unfamiliar sites
- Strange ads or affiliate redirects on shopping/travel websites
- Browsers feeling slower than normal
- Security tools flagging unusual browser activity
Importantly, many malicious extensions try to stay quiet.
What Google and Microsoft have said
- Google confirmed the malicious extensions are not available on the Chrome Web Store.
- Microsoft stated it removed extensions identified as malicious from the Edge Add-ons store once aware.
What Vodigy Networks recommends for Twin Cities SMBs (actionable steps)
1) Do an extension cleanup (today)
- Remove any extension your employees don’t absolutely need.
- Pay extra attention to “new tab,” “productivity,” “coupon,” “PDF,” “wallpaper,” and “search” extensions – these are commonly abused.
2) Lock down installs going forward
- For managed devices, enforce an approved extension list (allow-list), so users can’t install random add-ons.
3) If you suspect exposure: assume credentials may be at risk
- Force sign-out and reset passwords for key services (Microsoft 365, Google Workspace, banking, admin portals).
- Verify MFA is enabled everywhere.
- Review sign-in logs for unusual locations/devices.
4) Add a browser security standard
- “No extension unless business justified.”
- Quarterly extension audits
- Centralized policy management (especially for hybrid teams across Minneapolis–St. Paul)
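To make steps 1 and 2 concrete, here is an added example (not Vodigy's own tooling) of an extension audit: it walks Chrome/Edge profile folders, reads each installed extension's manifest.json, and flags anything that is not on your approved allow-list or that requests permissions giving it session cookies or site-wide traffic access. The profile layout it assumes is the standard one (profile folder, then Extensions, then extension id, then version); the sample profile, extension ids and manifests are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read sessions or rewrite traffic site-wide.
RISKY = {"cookies", "webRequest", "webRequestBlocking", "tabs", "history",
         "scripting", "declarativeNetRequest", "<all_urls>"}


def audit(roots, allowlist):
    """Return one finding per installed extension version under the given profile roots."""
    findings = []
    for root in roots:
        if not root.is_dir():
            continue
        # Layout: <root>/<Profile>/Extensions/<32-char id>/<version>/manifest.json
        for manifest in sorted(root.glob("*/Extensions/*/*/manifest.json")):
            ver_dir = manifest.parent
            data = json.loads(manifest.read_text(encoding="utf-8"))
            perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
            findings.append({
                "browser": root.parent.name, "profile": ver_dir.parents[2].name,
                "id": ver_dir.parent.name, "name": data.get("name", "?"),
                "version": data.get("version", ver_dir.name),
                "risky": sorted(perms & RISKY),  # session/traffic-level access requested
                "unapproved": ver_dir.parent.name not in allowlist,
            })
    return findings


def run_sample():
    """Build a constructed Chrome profile (fake ids and manifests) and audit it."""
    samples = {  # constructed ids and manifests, not real extensions
        "a" * 32: {"name": "Approved PDF Tool", "version": "2.1", "permissions": ["storage"]},
        "b" * 32: {"name": "Free Coupons", "version": "5.0", "host_permissions": ["<all_urls>"],
                   "permissions": ["cookies", "tabs", "webRequest"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Google" / "Chrome" / "User Data"
        for ext_id, manifest in samples.items():
            d = root / "Default" / "Extensions" / ext_id / manifest["version"]
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit([root], allowlist={"a" * 32})  # only the PDF tool is approved


if __name__ == "__main__":
    for f in run_sample():
        flag = "REVIEW" if f["unapproved"] or f["risky"] else "ok"
        print(flag, f["browser"], f["profile"], f["id"], f["name"], f["version"], f["risky"])
```

On a real Windows endpoint, point audit() at the per-user roots `%LOCALAPPDATA%\Google\Chrome\User Data` and `%LOCALAPPDATA%\Microsoft\Edge\User Data` with your approved extension ids as the allow-list; anything marked REVIEW is a candidate for removal or for adding to the policy allow-list after a business-justification check.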
Local help: want us to check your environment?
Vodigy Networks can help Twin Cities businesses quickly:
- audit company browsers/extensions across managed endpoints,
- apply allow-list policies,
- verify Microsoft 365 sign-ins,
- and tighten baseline security so a browser add-on can’t become your weakest link.