ShadyPanda and the Seven-Year Browser Extension Breach: How Zscaler SSPM Strengthens SaaS Supply Chain Security
A recently uncovered campaign known as ShadyPanda revealed how trusted Chrome and Edge browser extensions can be quietly weaponized over time. For seven years, the attackers behind ShadyPanda used seemingly harmless extensions—some with over 4 million installs—to manipulate browser activity, redirect searches, collect behavioral data, and inject malicious scripts into web sessions.
While browser extensions cannot directly access files stored inside SaaS applications, they operate within the user’s authenticated browser environment. This allows them to observe browsing behavior, redirect users to malicious sites, interfere with session flows, and influence how users interact with enterprise SaaS applications. When extensions possess high-risk permissions such as cookies, tabs, or webRequest, they introduce meaningful exposure to organizations.
ShadyPanda demonstrates why extensions are part of today’s SaaS supply chain—and why continuous visibility and monitoring are critical.

Fig: ShadyPanda Attack Chain
How Zscaler SSPM helps identify and mitigate risks like ShadyPanda
Zscaler SSPM provides the capabilities organizations need to detect risky browser extensions early, understand their impact, and take appropriate action through governance and endpoint controls.
1. Comprehensive visibility into browser extensions
Zscaler maintains a large catalog of SaaS apps, third-party integrations, and browser extensions enriched with:
- Publisher and version history
- Requested permissions
- Behavioral and risk attributes
- Threat intelligence indicators
As soon as users install an extension—regardless of how benign it appears—it is surfaced in the third-party plugin inventory, categorized by risk (e.g., Potentially Harmful, Over-Privileged, Dormant).
ShadyPanda extensions exhibited high-risk permission patterns early on, which Zscaler would have highlighted for security teams to review. The following screenshot shows how the Zscaler solution identifies browser extensions such as “Clear Master” in the App Inventory, highlighting their permissions, risk attributes, and findings. This gives security teams immediate visibility into potentially harmful or over-privileged extensions present in their environment.

2. Continuous monitoring for changes in permissions, behavior, or risk
ShadyPanda’s most dangerous activity began years after installation, delivered through silent updates.
Zscaler SSPM continuously monitors extensions for:
- Increasing risk scores
- New permissions or expanded access
- Updated versions that introduce behavioral changes
- Emerging threat intelligence hits
If an extension suddenly requests broader access—such as the ability to read cookies or intercept web requests—Zscaler generates an alert and notifies the team that the app's risk has increased.
This early signal enables teams to investigate the extension and adjust internal controls before malicious behavior escalates.
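The permission-drift check described above, as an added illustration that is not Zscaler's code: it diffs the permissions requested by two versions of one extension manifest and raises an alert when a newly added permission falls into a high-risk set. The manifests, the extension name and the high-risk set are constructed for this example.

```python
import json

# Permissions the post calls out as high-risk (cookies, tabs, webRequest), plus
# blocking webRequest and all-hosts access. This set is an assumption for the example.
HIGH_RISK = {"cookies", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"}


def requested_permissions(manifest: dict) -> set:
    """Collect API and host permissions from a Manifest V2 or V3 extension manifest."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    perms |= set(manifest.get("host_permissions", []))  # MV3 keeps host patterns here
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))  # sites a content script can run on
    return perms


def permission_drift(old: dict, new: dict) -> dict:
    """Compare two versions of the same extension and report what was added or removed."""
    before, after = requested_permissions(old), requested_permissions(new)
    added = after - before
    return {
        "extension": new.get("name", old.get("name", "?")),
        "from": old.get("version"),
        "to": new.get("version"),
        "added": sorted(added),
        "removed": sorted(before - after),
        "high_risk_added": sorted(added & HIGH_RISK),
        "alert": bool(added & HIGH_RISK),  # the signal a monitoring pipeline would act on
    }


# Constructed sample manifests: a benign first release and a later "silent update".
V1 = json.loads('''{"name": "Tab Tidy", "version": "1.0.3", "manifest_version": 3,
  "permissions": ["storage"], "host_permissions": []}''')
V2 = json.loads('''{"name": "Tab Tidy", "version": "1.4.0", "manifest_version": 3,
  "permissions": ["storage", "cookies", "tabs", "webRequest"],
  "host_permissions": ["<all_urls>"]}''')

if __name__ == "__main__":
    print(json.dumps(permission_drift(V1, V2), indent=2))
```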
3. Understanding true impact through user and SaaS context
Zscaler goes beyond identifying risky extensions—it correlates extension presence with:
- Which users installed it
- What SaaS applications those users access
- Privilege levels such as admin roles
- Existing SaaS misconfigurations that could amplify exposure
This provides a clear blast-radius view:
- An extension installed by a low-privilege user may represent minimal risk
- The same extension installed by a global admin interacting with critical SaaS apps requires immediate attention
Zscaler gives organizations the context needed to prioritize action and strengthen governance.
4. Enabling customers to take targeted, policy-driven action
With clear risk categorization, drift insights, and user/SaaS correlations, customers can:
- Update browser and endpoint policies
- Restrict certain categories of extensions
- Require security review for extensions requesting sensitive permissions
- Remove or disable unapproved extensions through existing IT controls
- Educate users and enforce internal governance policies
Zscaler provides the intelligence and prioritization needed to make these actions timely and effective.
Strengthen Your SaaS Supply Chain Security
ShadyPanda reinforces that browser extensions are part of the modern SaaS ecosystem—and that risks can evolve long after initial installation. Zscaler SSPM equips organizations with the visibility, context, and continuous monitoring required to surface these risks early and take action before attackers gain footholds.
To learn how Zscaler can help assess and secure your SaaS and extension landscape, contact your Zscaler representative for a demo, or request one here.
This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.