A long-running campaign by a group identified as ShadyPanda has infected over 4.3 million users of Google Chrome and Microsoft Edge through malicious browser extensions. These extensions initially appeared legitimate, accumulating millions of downloads before being updated with malware that operates backdoors and spyware. Five extensions, with more than 4 million installs, remain active in the Microsoft Edge store, allowing for extensive surveillance and data theft. The malware can execute arbitrary JavaScript, inject malicious content into websites, and send detailed user data—such as browsing history and fingerprints—to servers in China. One notable extension, Clean Master, was downloaded over 300,000 times before its malicious update spread the backdoor to users. Koi researchers noted that another active extension, WeTab, masquerades as a productivity tool while tracking extensive user data and sending it to multiple domains, including Baidu servers. ShadyPanda also conducted previous campaigns, disguising extensions as wallpaper or productivity apps to monetize user browsing data through affiliate tracking. Another campaign involved a tool that hijacked searches and logged keystrokes. These incidents highlight significant gaps in how browser marketplaces monitor extensions after their initial approval, allowing malicious actors to exploit trusted tools over an extended period. After the article's publication, Microsoft confirmed the removal of all identified malicious extensions from its Edge Add-on store.