A recently uncovered campaign known as ShadyPanda revealed how trusted Chrome and Edge browser extensions can be quietly weaponized over time. For seven years, the attackers behind ShadyPanda used seemingly harmless extensions—some with over 4 million installs—to manipulate browser activity, redirect searches, collect behavioral data, and inject malicious scripts into web sessions.

While browser extensions cannot directly access files stored inside SaaS applications, they operate within the user’s authenticated browser environment. This allows them to observe browsing behavior, redirect users to malicious sites, interfere with session flows, and influence how users interact with enterprise SaaS applications. When extensions possess high-risk permissions such as cookies, tabs, or webRequest, they introduce meaningful exposure to organizations.

ShadyPanda demonstrates why extensions are part of today’s SaaS supply chain—and why continuous visibility and monitoring are critical.

Fig: ShadyPanda Attack Chain

How Zscaler SSPM helps identify and mitigate risks like ShadyPanda

Zscaler SSPM provides the capabilities organizations need to detect risky browser extensions early, understand their impact, and take appropriate action through governance and endpoint controls.

1. Comprehensive visibility into browser extensions

Zscaler maintains a large catalog of SaaS apps, third-party integrations, and browser extensions enriched with:

- Publisher and version history
- Requested permissions
- Behavioral and risk attributes
- Threat intelligence indicators

As soon as users install an extension—regardless of how benign it appears—it is surfaced in third-party plugin Inventory, categorized by risk (e.g., Potentially Harmful, Over-Privileged, Dormant).

ShadyPanda extensions exhibited high-risk permission patterns early on, which Zscaler would have highlighted for security teams to review.

The following screenshot shows how the Zscaler solution identifies browser extensions such as “Clear Master” in the App Inventory, highlighting their permissions, risk attributes, and findings. This gives security teams immediate visibility into potentially harmful or over-privileged extensions present in their environment.

2. Continuous monitoring for changes in permissions, behavior, or risk

ShadyPanda’s most dangerous activity began years after installation, delivered through silent updates.

Zscaler SSPM continuously monitors extensions for:

- Increasing risk scores
- New permissions or expanded access
- Updated versions that introduce behavioral changes
- Emerging threat intelligence hits

If an extension suddenly requests broader access—such as the ability to read cookies or intercept web requests—Zscaler generates an alert and notifies teams that app risk has increased.

This early signal enables teams to investigate the extension and adjust internal controls before malicious behavior escalates.

3. Understanding true impact through user and SaaS context

Zscaler goes beyond identifying risky extensions—it correlates extension presence with:

- Which users installed it
- What SaaS applications those users access
- Privilege levels such as admin roles
- Existing SaaS misconfigurations that could amplify exposure

This provides a clear blast-radius view:

- An extension installed by a low-privilege user may represent minimal risk
- The same extension installed by a global admin interacting with critical SaaS apps requires immediate attention

Zscaler gives organizations the context needed to prioritize action and strengthen governance.

4. Enabling customers to take targeted, policy-driven action

With clear risk categorization, drift insights, and user/SaaS correlations, customers can:

- Update browser and endpoint policies
- Restrict certain categories of extensions
- Require security review for extensions requesting sensitive permissions
- Remove or disable unapproved extensions through existing IT controls
- Educate users and enforce internal governance policies

Zscaler provides the intelligence and prioritization needed to make these actions timely and effective.

Strengthen Your SaaS Supply Chain Security

ShadyPanda reinforces that browser extensions are part of the modern SaaS ecosystem—and that risks can evolve long after initial installation. Zscaler SSPM equips organizations with the visibility, context, and continuous monitoring required to surface these risks early and take action before attackers gain footholds.

To learn how Zscaler can help assess and secure your SaaS and extension landscape, contact your Zscaler representative for a demo, or request one here.

This blog post has been created by Zscaler for informational purposes only and is provided “as is” without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.
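The permission-drift check from section 2 and the blast-radius triage from section 3 can be sketched in a few lines. This is an added example, not Zscaler code or product logic: the sample manifests, the role name "admin" and the triage rule are constructed assumptions; only the cookies, tabs and webRequest permissions come from the article.

```python
# Added example (not Zscaler code): flag permission drift between two versions
# of an extension manifest and rank it by who has the extension installed.
HIGH_RISK = {"cookies", "tabs", "webRequest"}  # permissions the article names
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested(manifest):
    """Return (api_permissions, host_patterns) for an MV2 or MV3 manifest."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 lists hosts separately
    # MV2 mixes host patterns into "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content-script match patterns also grant access to page content.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return perms - hosts, hosts

def drift(old, new):
    """Report what the new version requests that the old one did not."""
    old_api, old_hosts = requested(old)
    new_api, new_hosts = requested(new)
    added_api, added_hosts = new_api - old_api, new_hosts - old_hosts
    return {
        "added_permissions": sorted(added_api),
        "added_hosts": sorted(added_hosts),
        "high_risk": sorted(added_api & HIGH_RISK),
        "broad_host_access": sorted(added_hosts & BROAD_HOSTS),
    }

def priority(report, installed_roles):
    """Assumed triage rule: risky drift in an admin's browser is escalated."""
    if not (report["high_risk"] or report["broad_host_access"]):
        changed = report["added_permissions"] or report["added_hosts"]
        return "review" if changed else "none"
    return "critical" if "admin" in installed_roles else "high"

# Constructed sample manifests for a hypothetical extension update.
V1 = {"manifest_version": 3, "version": "1.4.0", "permissions": ["storage"],
      "host_permissions": ["https://example.com/*"]}
V2 = {"manifest_version": 3, "version": "1.5.0",
      "permissions": ["storage", "cookies", "webRequest"],
      "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    report = drift(V1, V2)
    print(report, priority(report, {"user", "admin"}))
```

Running the comparison on every update, rather than only at install time, is what surfaces an extension that was benign when approved and expanded its access later.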