Cybersecurity firm Cyberhaven was the first known victim to report this Chrome extension compromise. On December 27, Cyberhaven revealed that attackers had injected malicious code into its browser extension, and that the injected code connected to a command-and-control (C&C) server. The breach began with a phishing attack on a Cyberhaven employee that gave the attacker access to the company's Chrome Web Store account. The attacker used that access to upload a malicious version of the extension; Cyberhaven removed it within 60 minutes of detecting the compromise.
The attack hit Chrome browsers that auto-updated to the malicious version, and the injected code could exfiltrate cookies and authenticated session tokens. Cyberhaven advised customers to update to version 24.10.5 or newer, revoke and rotate any passwords not protected by FIDO2 (FIDOv2) authentication, and review activity logs for suspicious access.
Cyberhaven suspects the attack is part of a larger campaign targeting Chrome extension developers, with the injected code specifically aimed at logins for social media advertising and AI platforms.
Cyberhaven was not the only target. This Reuters article cites a wide variety of Chrome extension providers that were compromised so that malicious versions of their extensions could be pushed out over the holidays, when security teams are on vacation and the attackers can do the most damage. CyberNews reported that 25 extensions, with roughly 2 million users between them, were potentially affected by this string of targeted attacks.
Chrome extensions are often granted extensive permissions to access sensitive data, such as:
A compromised extension can use those same permissions to cause significant harm: stealing financial details, spreading malware, or giving attackers a foothold in corporate networks.
Key Takeaway: A single compromised extension can turn your browser into a gateway for attackers.
Here's an initial list of extensions reported to have been compromised. If you run one of these, either upgrade to a known-good version or disable and uninstall it until a known-good version has been released.