Cybersecurity Firm's Chrome Extension Hijacked to Steal User Data

Lemina

Cybersecurity firm's Chrome extension hijacked

At least five Chrome extensions were compromised in a coordinated cyberattack, during which a threat actor injected malicious code to steal sensitive user information.

One such attack targeted Cyberhaven, a data loss prevention company. The company disclosed the breach on December 24, following a phishing attack on an administrator account for the Google Chrome Web Store. Cyberhaven serves clients such as Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis.

The hacker gained access to an employee's account and published a malicious version (v24.10.4) of the Cyberhaven Chrome extension. This version included code capable of exfiltrating authenticated sessions and cookies to the attacker's domain, cyberhavenext[.]pro.

Cyberhaven's security team detected the breach and removed the malicious package within an hour. A clean version, v24.10.5, was released on December 26. In response, Cyberhaven recommended its users:

  • Upgrade to the latest version of the extension.

  • Revoke passwords that aren’t FIDOv2-compliant.

  • Rotate all API tokens.

  • Review browser logs to check for malicious activity.

Additional Compromised Extensions

Nudge Security researcher Jaime Blasco expanded the investigation, identifying other Chrome extensions compromised by the same attacker. These extensions included:

  • Internxt VPN – Free, encrypted VPN for secure browsing (10,000 users).

  • VPNCity – Privacy-focused VPN with global server coverage (50,000 users).

  • Uvoice – Rewards-based survey service (40,000 users).

  • ParrotTalks – Text search and note-taking tool (40,000 users).

The malicious code allowed the extensions to receive attacker-controlled commands. While Blasco identified more domains linked to potential victims, only these four extensions were confirmed to carry the malicious code.

Recommendations for Affected Users

Users of these extensions are advised to:

  1. Remove the extensions or ensure they have been updated to a safe version published after December 26.

  2. Confirm that the extension publisher has acknowledged and resolved the security issue.

  3. If uncertain about the extension’s safety, take the following steps:

    • Uninstall the extension.

    • Reset all important account passwords.

    • Clear browser data, including cookies and cache.

    • Restore browser settings to their defaults.
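As an added illustration of the triage steps above (not code from the article, Cyberhaven or Nudge Security), the following Python script inventories the extensions installed in a Chrome profile, flags the known-bad Cyberhaven build 24.10.4 and anything older than the clean 24.10.5, marks the four other named extensions for manual review, and searches proxy or DNS log lines for the exfiltration domain. The profile layout it walks (Extensions/<id>/<version>/manifest.json) is the standard desktop Chrome layout; the extension ids, the sample manifests and the log lines are constructed for the demo, while the version numbers and the domain come from the article.

```python
"""Triage helper for the Chrome extension compromise described in the article.

Added example, not vendor code. Indicators (versions, domain) are taken from the
article; the sample profile and log lines are constructed for the demo.
"""
import json
import re
import tempfile
from pathlib import Path

# Indicators from the article (extension names compared case-insensitively).
MALICIOUS_VERSIONS = {"cyberhaven": {"24.10.4"}}   # known-bad builds
MIN_SAFE_VERSION = {"cyberhaven": "24.10.5"}       # first clean build
# Extensions Blasco confirmed to carry the malicious code; the article gives no
# safe version for them, so any install is flagged for manual review.
REVIEW_NAMES = {"internxt vpn", "vpncity", "uvoice", "parrottalks"}
EXFIL_DOMAIN = "cyberhavenext.pro"   # defanged in the article as cyberhavenext[.]pro

# Constructed log lines in a generic "key=value" proxy/DNS format.
SAMPLE_LOG = [
    "2024-12-25T03:14:07Z proxy allow user=alice host=cyberhavenext.pro path=/ status=200",
    "2024-12-25T03:14:09Z proxy allow user=alice host=www.example.com path=/ status=200",
    "2024-12-25T03:15:11Z dns query=api.cyberhavenext.pro type=A",
    "2024-12-25T03:16:00Z dns query=cyberhaven.io type=A",
]


def parse_version(v: str) -> tuple:
    """'24.10.5' -> (24, 10, 5) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def inventory_extensions(profile_dir: Path) -> list:
    """Return (id, name, version) for every manifest.json under Extensions/."""
    found = []
    for manifest in (profile_dir / "Extensions").glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                      # unreadable manifest: skip, do not crash the audit
        ext_id = manifest.parent.parent.name
        # Localised manifests carry "__MSG_...__" here; match those by id instead.
        found.append((ext_id, data.get("name", ""), data.get("version", "0")))
    return found


def classify(name: str, version: str) -> str:
    key = name.lower()
    if key in MALICIOUS_VERSIONS:
        if version in MALICIOUS_VERSIONS[key]:
            return "COMPROMISED"
        if parse_version(version) < parse_version(MIN_SAFE_VERSION[key]):
            return "OUTDATED"             # predates the clean build: update before trusting
        return "OK"
    if key in REVIEW_NAMES:
        return "REVIEW"
    return "OK"


def audit_profile(profile_dir: Path) -> dict:
    """Map extension id -> (name, version, verdict) for one Chrome profile."""
    return {ext_id: (name, ver, classify(name, ver))
            for ext_id, name, ver in inventory_extensions(profile_dir)}


# Match the domain or any subdomain as a whole label, not as a substring of another host.
_EXFIL_RE = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(EXFIL_DOMAIN) + r"(?![\w-]|\.\w)",
                       re.IGNORECASE)


def find_exfil_hits(log_lines) -> list:
    """Return the log lines that reference the exfiltration domain."""
    return [ln for ln in log_lines if _EXFIL_RE.search(ln)]


def build_sample_profile() -> Path:
    """Create a throwaway Chrome-style profile with constructed extensions (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="chrome-profile-demo-"))
    samples = {   # placeholder ids, not real Web Store ids
        "ext-cyberhaven-placeholder": ("Cyberhaven", "24.10.4"),
        "ext-vpncity-placeholder": ("VPNCity", "1.2.3"),
        "ext-notes-placeholder": ("Example Notes", "3.0.1"),
    }
    for ext_id, (name, ver) in samples.items():
        d = root / "Extensions" / ext_id / ver
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": ver}), encoding="utf-8")
    return root


if __name__ == "__main__":
    profile = build_sample_profile()   # replace with the real profile path in practice
    for ext_id, (name, ver, verdict) in sorted(audit_profile(profile).items()):
        print(f"{verdict:12} {name} {ver} ({ext_id})")
    for hit in find_exfil_hits(SAMPLE_LOG):
        print("IOC hit:", hit)
```

On a real machine, point `audit_profile` at the profile directory (for example `~/.config/google-chrome/Default` on Linux) and feed `find_exfil_hits` the proxy or DNS export covering the window between the malicious publish and the clean release; a COMPROMISED or REVIEW verdict, or any IOC hit, is the trigger for the password and token rotation the article recommends.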
