Millions of users were unknowingly tracked in a 7‑year Chrome and Edge malware scheme — extensions turned into spyware

Microsoft Edge and Google Chrome (Image credit: Google, Microsoft)

As reported by The Register, a user operating under the name ShadyPanda began uploading harmless extensions in 2018. These early versions behaved like standard tools, which helped build trust over seven years. Once the install base grew into the millions, the extensions received malicious updates that turned them into surveillance tools. Koi Security uncovered the activity while analysing extension behaviour and later confirmed the scale of the incident in its report.

Another extension, WeTab, along with several others from the same publisher, reached more than 3 million installs across Edge and Chrome.

The threat is now removed, but users should still review their browsers

Screenshot of Microsoft Edge open to Bing (Image credit: Windows Central)

The malicious update also allowed the extensions to capture a wide range of browsing data. This included every URL you visited, your full browsing history, and any search queries typed into the browser. It also logged mouse clicks, collected detailed browser fingerprints, and tracked how you moved between sites through HTTP referrer data.

Google has confirmed that none of the malicious extensions remain on the Chrome Web Store, and Microsoft has also confirmed their removal from the Edge add-on store. However, taking them down from the store does not remove them from your browser, so users should still check what is installed.

On Chrome and Edge, look for any extensions published by Starlab Technology or linked to WeTab. It is also worth removing anything you do not recognise or no longer use.

Updating Chrome or Edge is another crucial step. Installing the latest version helps the browser apply new security checks to extension behaviour and can trigger built-in blocklists that disable anything removed or flagged. A fresh update also makes sure no cached version of an old extension is still active.

The malware also stores persistent identifiers in chrome.storage.sync. These UUIDs can follow you across devices, so your profile may stay trackable even if you reinstall the browser. To fully remove them, users should clear their sync data after uninstalling the affected extensions.
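
One way to run the extension check described above across a whole browser profile, as an added example that is not from the article or from Koi Security's report: it reads each installed extension's manifest.json, resolves localized names, and flags entries that mention WeTab or Starlab Technology. The `<profile>/Extensions/<id>/<version>/` layout, the function names and the sample profile are assumptions or constructed for illustration; `has_storage_permission` marks extensions allowed to use `chrome.storage`, which includes `chrome.storage.sync`.

```python
import json, tempfile
from pathlib import Path

# Terms from the article; matching them in manifest text is an assumption.
WATCH_TERMS = ("wetab", "starlab technology")

def _load_json(path):
    """Parse a JSON file; return {} if it is missing or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}

def _localized(ver_dir, manifest, value):
    """Resolve a __MSG_key__ name via _locales/<default_locale>/messages.json."""
    if not (isinstance(value, str) and value.startswith("__MSG_") and value.endswith("__")):
        return value or ""
    path = ver_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    msgs = {k.lower(): m for k, m in _load_json(path).items()}  # keys are case-insensitive
    return msgs.get(value[6:-2].lower(), {}).get("message", value)

def audit_profile(profile_dir):
    """One record per extension found at <profile>/Extensions/<id>/<version>/."""
    findings = []
    for mf in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        manifest = _load_json(mf)
        name = _localized(mf.parent, manifest, manifest.get("name"))
        haystack = f"{name} {manifest.get('author', '')} {manifest.get('homepage_url', '')}".lower()
        findings.append({"id": mf.parent.parent.name, "name": name,
                         "flagged": any(t in haystack for t in WATCH_TERMS),
                         "has_storage_permission": "storage" in manifest.get("permissions", [])})
    return findings

def build_sample_profile(root):
    """Constructed sample profile (made-up IDs and names) so the audit runs offline."""
    samples = (
        ("a" * 32, {"name": "__MSG_appName__", "default_locale": "en",
                    "permissions": ["storage", "history"]}, {"appName": {"message": "WeTab New Tab"}}),
        ("b" * 32, {"name": "Plain Notes", "permissions": ["alarms"]}, {}),
    )
    for ext_id, manifest, messages in samples:
        loc = Path(root) / "Extensions" / ext_id / "1.0_0" / "_locales" / "en"
        loc.mkdir(parents=True)
        (loc.parents[1] / "manifest.json").write_text(json.dumps(manifest))
        (loc / "messages.json").write_text(json.dumps(messages))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_profile(build_sample_profile(tmp)), sep="\n")
```

To audit a real installation, pass `audit_profile` a profile directory; on Windows the usual defaults are `%LOCALAPPDATA%\Google\Chrome\User Data\Default` and `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default`. A clean result does not rule out an affected extension, because the store publisher name may not appear in the manifest, so the extensions page in the browser remains the reference.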




Adam Hales
Contributor

