By Asmita - Dec 28, 2024
Cybersecurity experts have uncovered a widespread campaign targeting Chrome extensions, with data loss prevention startup Cyberhaven among the victims. Attackers used phishing to take over the publisher's account and push a malicious update that steals user data, affecting Cyberhaven's extension and its more than 400,000 users. The compromised version was live for about 25 hours before it was removed. Other extensions were also compromised. Cyberhaven replaced the extension and hired Google's Mandiant to investigate. Users were advised to change their passwords and stay cautious.
Cybersecurity experts have uncovered a widespread campaign targeting Chrome browser extensions across multiple companies, with data loss prevention startup Cyberhaven emerging as a prominent victim. The attack, which began on Christmas Eve, involved hackers compromising administrative accounts to distribute malicious updates designed to steal sensitive user information. Cyberhaven's extension, which has over 400,000 users, was specifically targeted through a sophisticated phishing attack that gained access to the company's Chrome Web Store administrative account.
The malicious update, version 24.10.4, contained code capable of exfiltrating critical user data, including authenticated sessions, cookies, and potentially passwords. The compromised extension was active for approximately 25 hours; once Cyberhaven detected the malicious package, it removed it within 60 minutes. The company's customer base, which includes major organizations like Snowflake, Motorola, Canon, and Reddit, was immediately notified of the potential security breach. Cyberhaven has since replaced the compromised extension with a safe version (24.10.5) and hired Google's Mandiant cybersecurity unit to investigate the incident.
Cybersecurity experts suggest this is part of a coordinated attack targeting multiple Chrome extensions across various categories, including virtual private networking, productivity, and artificial intelligence tools. Jaime Blasco, CTO of Nudge Security Inc., highlighted that several other extensions were similarly compromised, with some having tens of thousands of users. The attack methodology appears consistent with previous extension hijacking incidents, typically involving phishing emails that trick developers into surrendering their Google Account credentials. This approach has been a recurring threat in the Chrome extension ecosystem, with similar attacks documented in previous years.
The implications of such attacks are significant, as a compromised browser extension inherits the permissions of the legitimate one and can therefore access sensitive user information and manipulate browser functionality. Cyberhaven has advised affected customers to change their passwords, scan security logs for malicious activity, and remain vigilant. The company is also reviewing its security practices and plans to implement additional safeguards to prevent future incidents. Federal law enforcement has been notified, and the geographical extent of the attacks remains under investigation. This incident underscores the critical importance of robust security measures for browser extension developers and the ongoing challenges in protecting users from sophisticated cyber threats.