Enjoy our content? Make sure to set Windows Central as a preferred source in Google Search, and find out why you should so that you can stay up-to-date on the latest news, reviews, features, and more.
As reported on by TheRegister, a user operating under the name ShadyPanda began uploading harmless extensions in 2018. These early versions behaved like standard tools, which helped build trust over seven years. Once the install base grew into the millions, the extensions received malicious updates that turned them into surveillance tools. Koi Security uncovered the activity while analysing extension behaviour and later confirmed the scale of the incident in its report.
The extensions were positioned as productivity add-ons, and some even earned featured and verified status on both Chrome and Edge. More than 4.3 million users were affected across the two browsers. One of the main examples, Clean Master, had over 200,000 installs on its own.
Another extension, WeTab, along with several others from the same publisher, reached more than 3 million installs across Edge and Chrome.
The threat is now removed, but users should still review their browsers
The malicious update also allowed the extensions to capture a wide range of browsing data. This included every URL you visited, your full browsing history, and any search queries typed into the browser. It also logged mouse clicks, collected detailed browser fingerprints, and tracked how you moved between sites through HTTP referrer data.
Google has confirmed that none of the malicious extensions remain on the Chrome Web Store, and Microsoft has also confirmed their removal from the Edge add-on store. However, taking them down from the store does not remove them from your browser, so users should still check what is installed.
On Chrome and Edge, look for any extensions published by Starlab Technology or linked to WeTab. It is also worth removing anything you do not recognise or no longer use.
Updating Chrome or Edge is another crucial step. Installing the latest version helps the browser apply new security checks to extension behaviour and can trigger built-in blocklists that disable anything removed or flagged. A fresh update also makes sure no cached version of an old extension is still active.
The malware also stores persistent identifiers in chrome.storage.sync. These UUIDs can follow you across devices, so your profile may stay trackable even if you reinstall the browser. To fully remove them, users should clear their sync data after uninstalling the affected extensions.
Follow Windows Central on Google News to keep our latest news, insights, and features at the top of your feeds!
