The supply chain attack in which cybersecurity firm Cyberhaven’s Chrome extension was compromised to steal users’ data appears to be part of a wider campaign in which at least 29 extensions were hit over the past year and a half.
As part of the Cyberhaven incident, a threat actor gained access to the company’s Chrome Web Store administrator account and published a new version of the extension that contained malicious code.
Cyberhaven offers a data detection and response platform designed to help organizations track and protect sensitive data and combat insider threats.
The attack was discovered on December 25, one day after it occurred, and the malicious version of the extension was available for download for just over 24 hours before being pulled and replaced with a clean version.
During that window, the malicious build was pushed to every user who had the automatic update feature enabled, putting them at risk of sensitive information theft without any action on their part.
Cyberhaven discovered that the malicious code would steal Facebook access tokens, user IDs, and account information, while also adding a mouse click listener for Facebook.com.
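For responders asking "is a compromised build of an extension installed on this machine?", the practical check is to inventory what Chrome actually has on disk and compare it against indicators. The script below is an added example and not code from Cyberhaven or Secure Annex. It relies on Chrome's on-disk layout, where each installed extension lives under `<profile>/Extensions/<32-character id>/<version>_<n>/manifest.json`, and it flags two things: an exact (id, version) match against an IoC list, and any extension whose host permissions or content-script matches reach facebook.com (the site the malicious Cyberhaven build targeted) or `<all_urls>`. The extension IDs, versions, names and manifests in `SAMPLE_IOCS` and `build_sample_profile` are constructed for illustration and are not real identifiers from the campaign.

```python
"""Inventory Chrome extensions on disk and triage them against IoCs.

Added example; the IoC list and sample manifests below are constructed
placeholders, not real extension IDs or versions from the campaign.
"""
import json
import tempfile
from pathlib import Path

# Constructed IoCs: (extension id, compromised version). Not real identifiers.
SAMPLE_IOCS = {
    ("a" * 32, "24.10.4"),
}

# Hosts whose presence in an extension's reach merits manual review, given
# that the malicious build stole Facebook tokens and hooked clicks on facebook.com.
WATCH_HOSTS = ("facebook.com",)


def manifest_hosts(manifest):
    """Collect every host pattern an extension can touch (MV2 and MV3 manifests)."""
    hosts = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                hosts.append(entry)
    for script in manifest.get("content_scripts", []):
        hosts.extend(script.get("matches", []))
    return hosts


def inventory_extensions(profile_dir):
    """Return [{id, version, name, hosts}] for each manifest under <profile>/Extensions."""
    root = Path(profile_dir) / "Extensions"
    found = []
    if not root.is_dir():
        return found
    for ext_dir in sorted(root.iterdir()):
        if not ext_dir.is_dir() or len(ext_dir.name) != 32:
            continue  # Chrome extension IDs are always 32 lowercase letters
        for ver_dir in sorted(ext_dir.iterdir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or truncated manifest: skip, do not crash the sweep
            found.append({
                "id": ext_dir.name,
                # manifest "version" is authoritative; the dir name is "<version>_<n>"
                "version": manifest.get("version", ver_dir.name.split("_")[0]),
                "name": manifest.get("name", ""),
                "hosts": manifest_hosts(manifest),
            })
    return found


def reaches_watched_host(pattern):
    """True if a host pattern covers a watched site, including the <all_urls> wildcard."""
    return pattern == "<all_urls>" or any(host in pattern for host in WATCH_HOSTS)


def triage(inventory, iocs=SAMPLE_IOCS):
    """Return (id, version, reason) tuples: exact IoC matches first, then broad reach."""
    findings = []
    for ext in inventory:
        if (ext["id"], ext["version"]) in iocs:
            findings.append((ext["id"], ext["version"], "ioc-match"))
        elif any(reaches_watched_host(h) for h in ext["hosts"]):
            findings.append((ext["id"], ext["version"], "touches-watched-host"))
    return findings


def build_sample_profile(base):
    """Write a constructed Chrome profile with three sample extensions (illustration only)."""
    base = Path(base)
    samples = {
        ("a" * 32, "24.10.4_0"): {"name": "Sample DLP Helper", "version": "24.10.4",
                                  "manifest_version": 3,
                                  "host_permissions": ["https://*.facebook.com/*"]},
        ("b" * 32, "1.2.0_0"): {"name": "Sample Meet Effects", "version": "1.2.0",
                                "manifest_version": 3,
                                "content_scripts": [{"matches": ["https://meet.google.com/*"],
                                                     "js": ["content.js"]}]},
        ("c" * 32, "3.0.1_0"): {"name": "Sample Broad Extension", "version": "3.0.1",
                                "manifest_version": 2,
                                "permissions": ["tabs", "<all_urls>"]},
    }
    for (ext_id, ver_dir), manifest in samples.items():
        target = base / "Extensions" / ext_id / ver_dir
        target.mkdir(parents=True, exist_ok=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return base


def run_demo():
    """Build the constructed profile in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(inventory_extensions(build_sample_profile(tmp)))


if __name__ == "__main__":
    for ext_id, version, reason in run_demo():
        print(f"{reason:22s} {ext_id} {version}")
```

On a real host, point `inventory_extensions` at the profile directory (for example `~/.config/google-chrome/Default` on Linux) and replace `SAMPLE_IOCS` with the published id/version pairs. A "touches-watched-host" finding is not proof of compromise; it narrows the list to extensions that could have done what the malicious build did, which is what you want before pulling the store listing's version history or diffing the on-disk code against a known-good copy.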
According to Secure Annex founder John Tuckner, the attack appears to be linked to a long-lasting campaign in which at least 29 Chrome extensions have been compromised, potentially affecting over 2.5 million users.
Digging through indicators-of-compromise (IoCs), Tuckner discovered that three extensions were compromised in 2023: Earny – Up to 20% Cash Back in April, Visual Effects for Google Meet in June, and Tackker – online keylogger tool in October.
Malicious versions of ten other extensions emerged in 2024, and the number of occurrences spiked in December, when 16 extensions were compromised, Cyberhaven's among them.
According to data analyzed by Tuckner, malicious versions of roughly a dozen extensions were seen over the past week alone, including three over the past two days: GraphQL Network Inspector, YesCaptcha assistant, and Proxy SwitchyOmega (V3).
Some of the analyzed extensions appear to be targeting sensitive information across websites such as 23andme, American Express, Bank of America, Zoom, and more, Tuckner explains.
To date, five of the identified malicious extensions have been removed from the Chrome Web Store, while eight others, Cyberhaven's included, have been replaced with clean versions.
Further investigation by Tuckner and Adblock Plus founder and CTO Wladimir Palant has revealed that the data-gathering code in some of the extensions was not the result of a compromise at all, but was included by the developers themselves through a monetization SDK.
Cyberhaven has raised more than $136 million and was valued at $488 million when the company raised $88 million via a Series C funding round in June 2024.