A recent sophisticated attack campaign has compromised over 16 Chrome browser extensions, putting more than 600,000 users at risk of data and credential theft. The attack targeted extension publishers through phishing emails that impersonated official communications from the Chrome Web Store. These deceptive emails were designed to create a sense of urgency, convincing developers to grant a malicious application access to their publisher accounts, which in turn allowed the attackers to inject malicious code into legitimate extensions.
Cyberhaven, a cybersecurity firm focused on data loss prevention, was one of the affected organizations and the first to publicly disclose the breach. The attackers successfully phished a company employee on December 24 to gain access to their Chrome Web Store admin credentials. With these credentials, the attackers published a malicious update to Cyberhaven’s popular Chrome extension on Christmas Day. This update, labeled version 24.10.4, was designed to steal sensitive user data, including passwords, session tokens, Facebook account credentials, and cookies.
The malicious extension was live for more than 31 hours before it was detected and removed from the Chrome Web Store; once Cyberhaven's security team spotted it, they removed the compromised package within an hour. The company also released a legitimate update (version 24.10.5), engaged Mandiant to develop an incident response plan, and informed law enforcement agencies for further investigation. Fortunately, Cyberhaven confirmed that its systems, including CI/CD processes and code signing keys, were not compromised in the attack.
In response to the breach, Cyberhaven advised its customers to revoke and rotate passwords, especially text-based credentials like API tokens, and to review their logs for any signs of malicious activity. The company warned that stolen session tokens and cookies can bypass authentication entirely, giving attackers access to logged-in accounts without requiring a password or two-factor code.
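A practical first step for a defender acting on this advice is to find out which endpoints actually ran the compromised build. The following added example (not Cyberhaven's code or part of the original article) scans a Chrome profile's Extensions directory, where Web Store extensions are unpacked as `<Extensions>/<id>/<version>_<n>/manifest.json`, and reports any installed build whose extension ID and version are on a blocklist; the extension ID in the blocklist is a placeholder, and the sample profile is constructed inline so the script runs offline.

```python
import json
import tempfile
from pathlib import Path

# Constructed blocklist. The extension ID is a placeholder, not the real ID from the
# campaign; the flagged version string is the one the article names.
BLOCKLIST = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"24.10.4"},  # placeholder ID for Cyberhaven's extension
}

def installed_extensions(extensions_dir):
    """Yield (extension_id, version, name) for every unpacked extension.

    The version is taken from manifest.json rather than the directory name,
    so a renamed or tampered directory cannot hide the build that is loaded.
    """
    root = Path(extensions_dir)
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or corrupt manifest: skip, do not crash the sweep
            yield ext_dir.name, str(data.get("version", "")), str(data.get("name", ""))

def find_compromised(extensions_dir, blocklist=BLOCKLIST):
    """Return [(id, version, name)] for installed builds that are on the blocklist."""
    return [
        (ext_id, version, name)
        for ext_id, version, name in installed_extensions(extensions_dir)
        if version in blocklist.get(ext_id, set())
    ]

def build_sample_profile():
    """Constructed fixture: one compromised build, its clean successor, one unrelated extension."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    fixtures = [
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.4_0", "Cyberhaven (placeholder)"),
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.5_0", "Cyberhaven (placeholder)"),
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "1.2.0_0", "Unrelated extension"),
    ]
    for ext_id, ver_dir, name in fixtures:
        d = root / ext_id / ver_dir
        d.mkdir(parents=True)
        manifest = {"name": name, "version": ver_dir.split("_")[0], "manifest_version": 3}
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for hit in find_compromised(build_sample_profile()):
        print("compromised build installed:", hit)
```

Point `find_compromised` at a real profile (for example `~/.config/google-chrome/Default/Extensions` on Linux) and substitute the real extension ID to run it against an actual endpoint.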
Following the Cyberhaven breach, security researchers identified several other compromised extensions exhibiting similar malicious behavior. These extensions, spanning categories such as AI assistants, VPNs, and productivity tools, were observed communicating with the same command-and-control servers. The scale of the attack suggests a well-organized, large-scale operation, prompting organizations to prioritize the security of their browser extensions. As of now, the identity of the attacker behind this campaign remains unknown.
This incident underscores the importance of staying vigilant against phishing attacks and continuously monitoring extension security. Organizations are advised to revoke unnecessary permissions, monitor extension logs for suspicious activities, and implement robust security measures to prevent similar breaches in the future. Stay tuned for more updates as investigations into this widespread attack continue to unfold.