Hackers Compromise Chrome Extensions to Steal Sensitive Data in Widespread Attack

Hackers recently infiltrated multiple Chrome browser extensions in a coordinated effort to steal data, with malicious code inserted as far back as mid-December. According to a Reuters report, the attack focused on stealing browser cookies and authentication sessions, targeting social media advertising and AI platforms. One affected company, Cyberhaven, detailed the attack in a blog post, revealing that the phishing campaign compromised its data protection extension.

Cyberhaven attributes the breach to a phishing email, explaining in a technical analysis that the attackers targeted Facebook Ads accounts. Security researcher Jaime Blasco suggested the attack might not have been aimed specifically at Cyberhaven but was part of a broader, indiscriminate effort. Blasco noted on X that VPN and AI-related extensions, such as Internxt VPN, VPNCity, Uvoice, and ParrotTalks, also contained the malicious code.

The attackers injected the code into Cyberhaven’s data loss prevention extension (version 24.10.4) on December 24th at 8:32 PM ET. Cyberhaven identified and removed the malicious code on December 25th by 7:54 PM ET, releasing a clean version (24.10.5) shortly after. However, the compromised extension remained active until December 25th at 9:50 PM ET.

Cyberhaven recommends that affected companies review their logs for unusual activity, revoke or rotate passwords, and adopt the FIDO2 multifactor authentication standard to prevent future breaches. The company initially alerted customers via email, with TechCrunch reporting on the incident Friday morning.

This incident highlights the growing sophistication of cyberattacks and the importance of vigilance when using third-party browser extensions. Users and businesses are advised to regularly update their extensions and stay informed about potential vulnerabilities.