Saved February 14, 2026
The article discusses a cybercrime campaign where a group called ShadyPanda hijacked popular browser extensions, turning them into malware after years of being trusted. It highlights the vulnerabilities of browser extensions in accessing sensitive SaaS data and offers strategies for organizations to mitigate these risks.
In December 2025, researchers uncovered a large cybercrime operation named ShadyPanda that compromised popular Chrome and Edge browser extensions. Over roughly seven years the group published or acquired benign extensions, built up trust and reviews, and accumulated millions of installs. It then flipped those extensions into malware through silent updates, affecting around 4.3 million users. Once activated, the extensions became a remote code execution framework under the attackers' control, letting them monitor user activity, steal session cookies, and impersonate accounts on services such as Microsoft 365 and Google Workspace.
The campaign highlights a serious threat to SaaS security. A malicious extension runs inside a browser session the user has already authenticated, so the cookies it steals carry sessions on which multi-factor authentication has already been completed; the attacker replays them and never sees an MFA prompt. Because organizations often let employees install extensions with little oversight, the line between endpoint security and cloud security blurs: the endpoint component is what hands over cloud access. That calls for governance of browser extensions comparable to the governance applied to third-party cloud applications.
To mitigate these risks, organizations should enforce strict extension allow lists through browser enterprise policy rather than guidance alone, audit installed extensions regularly, and treat extension permissions with the same caution as OAuth grants: cookie access plus permission to read every site is equivalent to a broad OAuth scope. Monitoring for unusual extension behavior is essential, and so is watching what an update changes, since an extension that was clean at install can be replaced silently by a version with far wider permissions. Including extension management in the overall security strategy is critical to prevent incidents like ShadyPanda from recurring.
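The allow list, the permission audit and the update check above can be automated on an endpoint. The script below is an added example written for this page; it is not code from the article or from the ShadyPanda research. It reads each installed extension's manifest.json (Chrome and Edge share the Extensions/<id>/<version>/ layout), flags the API permissions and host patterns that give an extension cookie access or a view of every page, diffs two versions of the same extension to catch a silent flip, and emits the ExtensionSettings enterprise policy that blocks anything not on the list. The extension IDs, manifests, the update host and the choice of which permissions count as risky are constructed assumptions for the demo.

```python
"""Audit installed Chrome/Edge extensions against an allow list and diff their
permissions across versions. Added example for this page, not the article's or
ShadyPanda research code. IDs, manifests and the update host are constructed."""
import json
import os

# API permissions that expose cookies, every page, or code execution; the cut-off
# is a judgement call and should follow your own policy.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                     "scripting", "history", "debugger", "nativeMessaging",
                     "declarativeNetRequest", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
STORE_UPDATE_HOSTS = ("clients2.google.com", "edge.microsoft.com")


def manifest_risks(manifest: dict) -> dict:
    """Risky API permissions, broad host patterns and non-store update URL."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists URL patterns in "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # A content script matched on every page reads every page just as well.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    update_url = manifest.get("update_url", "")
    return {
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "broad_hosts": sorted(hosts & BROAD_HOSTS),
        "non_store_updates": bool(update_url)
        and not any(h in update_url for h in STORE_UPDATE_HOSTS),
    }


def audit_extension(ext_id: str, manifest: dict, allowlist: set) -> dict:
    """Verdict: 'blocked' if off the list, 'review' if listed but risky, else 'ok'."""
    risks = manifest_risks(manifest)
    if ext_id not in allowlist:
        verdict = "blocked"
    elif risks["risky_permissions"] or risks["broad_hosts"] or risks["non_store_updates"]:
        verdict = "review"
    else:
        verdict = "ok"
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), "verdict": verdict, **risks}


def permission_delta(old: dict, new: dict) -> dict:
    """What a newer manifest gained over an older one. Store-delivered updates are
    as silent as self-hosted ones, so diffing versions is what catches a flip."""
    before, after = manifest_risks(old), manifest_risks(new)
    return {k: sorted(set(after[k]) - set(before[k]))
            for k in ("risky_permissions", "broad_hosts")}


def scan_profile(profile_dir: str, allowlist: set) -> list:
    """Audit every <profile>/Extensions/<id>/<version>/manifest.json on disk."""
    results = []
    root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(root):
        return results
    for ext_id in sorted(os.listdir(root)):
        for version in sorted(os.listdir(os.path.join(root, ext_id))):
            path = os.path.join(root, ext_id, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    results.append(audit_extension(ext_id, json.load(fh), allowlist))
    return results


def extension_settings_policy(allowlist: set) -> dict:
    """ExtensionSettings policy: block everything unlisted and refuse cookie and
    webRequest access even to listed extensions (Linux: /etc/opt/chrome/policies/managed/)."""
    settings = {"*": {"installation_mode": "blocked",
                      "blocked_permissions": ["cookies", "webRequest",
                                              "webRequestBlocking", "debugger"]}}
    for ext_id in sorted(allowlist):
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


# Constructed samples (not real extensions): one listed ID before and after a
# silent update that adds cookie and all-site access, and one unapproved ID.
SAMPLE_ALLOWLIST = {"aaaabbbbccccddddeeeeffffgggghhhh"}
SAMPLE_MANIFESTS = {
    "aaaabbbbccccddddeeeeffffgggghhhh@1.0": {
        "manifest_version": 3, "name": "Tab Notes", "version": "1.0",
        "permissions": ["storage"],
        "update_url": "https://clients2.google.com/service/update2/crx"},
    "aaaabbbbccccddddeeeeffffgggghhhh@1.1": {
        "manifest_version": 3, "name": "Tab Notes", "version": "1.1",
        "permissions": ["storage", "cookies", "scripting", "tabs"],
        "host_permissions": ["<all_urls>"],
        "update_url": "https://updates.example/crx"},  # constructed non-store host
    "ppppoooonnnnmmmmllllkkkkjjjjiiii@2.3": {
        "manifest_version": 2, "name": "Coupon Finder", "version": "2.3",
        "permissions": ["tabs", "http://*/*", "https://*/*"]},
}


def demo() -> dict:
    """Audit the samples; result keyed by '<id>@<version>'."""
    return {key: audit_extension(key.split("@")[0], m, SAMPLE_ALLOWLIST)
            for key, m in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real profile with scan_profile("~/.config/google-chrome/Default", allowlist) expanded to the user's path; version 1.1 of the sample lands in "review" because of the added cookies, scripting and tabs permissions plus <all_urls>, while the unlisted "Coupon Finder" is "blocked" regardless of what it asks for. The policy function is the enforcement half: without it the audit only reports.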