4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
TLP: WHITE | Adversary: ShadyPanda | Author: AlienVault | Created: 2025-12-03 | Modified: 2025-12-04
A threat actor named ShadyPanda has been identified as responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. The campaign includes two active operations: a 300,000-user RCE backdoor and a 4-million-user spyware operation. ShadyPanda's extensions were featured and verified by Google, granting instant trust and massive distribution. The actor's strategy evolved from simple affiliate fraud to sophisticated browser control and long-term trust building. The malware collects extensive user data, including browsing history, search queries, and mouse clicks, transmitting it to servers in China. The success of this campaign highlights vulnerabilities in browser marketplace security models and the potential for widespread exploitation through trusted update mechanisms.
Indicators of Compromise (8)
TYPE      INDICATOR                   DESCRIPTION   CREATED
domain    cleanmasters.store          (none)        2025-12-03
domain    dergoodting.com             (none)        2025-12-03
domain    extensionplay.com           (none)        2025-12-03
domain    yearnnewtab.com             (none)        2025-12-03
hostname  api.cgatgpt.net             (none)        2025-12-03
hostname  api.cleanmasters.store      (none)        2025-12-03
hostname  api.extensionplay.com       (none)        2025-12-03
hostname  nossl.dergoodting.com       (none)        2025-12-03