It was on December 25 at 11:54 p.m. UTC that the Cyberhaven teams spotted the incident: for more than 24 hours, the account used by one of its employees to access the Chrome browser extension store had been compromised by a third party.
In a message sent to its customers, the publisher of data protection solutions indicates that the malicious actor used this account to publish a malicious extension on the Chrome Web Store “early in the morning of December 25, 2024”.
The extension in question appears to have been designed to function as an infostealer: “it is possible that sensitive information, including cookies and authenticated session tokens, was exfiltrated to the attacker’s domain,” explains Cyberhaven, between December 25 at 1:32 a.m. UTC and 2:50 a.m. UTC the following day. That is the period during which the malicious actor’s domain, cyberhavenxt[.]pro, was active. Other associated domains have since been discovered, however.
Cyberhaven says it removed the malicious extension within 60 minutes of detecting it. The publisher accordingly recommends that all potentially affected users, those who used version 24.10.4 of its extension, change all their non-FIDO2 passwords and their API keys, and review their activity logs.
The malicious extension notably relied on JavaScript code injected into web pages after the CSS style sheets had loaded, but before the pages were fully rendered and other JavaScript code had executed.
The malicious code sought in particular to identify OpenAI API keys and validate session tokens and cookies before sending them to its developer.
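For the log review Cyberhaven recommends, the indicator the article gives is the attacker domain and its activity window. The following is an added example, not Cyberhaven’s tooling: it scans constructed proxy log lines for any contact with that domain or its subdomains and marks whether each hit falls inside the stated window.

```python
"""Hunt for contact with the indicator named in the article: cyberhavenxt[.]pro,
active from 2024-12-25 01:32 UTC to 2024-12-26 02:50 UTC.
Added example, not Cyberhaven's tooling. The log format and all sample lines
are constructed for illustration."""
from datetime import datetime, timezone

# Indicator and activity window as stated in the article; the [.] defanging
# is undone so the constant can be compared against real hostnames.
MALICIOUS_DOMAIN = "cyberhavenxt[.]pro".replace("[.]", ".")
WINDOW_START = datetime(2024, 12, 25, 1, 32, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 26, 2, 50, tzinfo=timezone.utc)

# Constructed proxy log sample: "<ISO timestamp> <client> <host> <status>".
SAMPLE_LOG = """\
2024-12-25T01:40:12Z 10.1.2.3 api.openai.com 200
2024-12-25T02:05:44Z 10.1.2.3 cyberhavenxt.pro 200
2024-12-25T02:06:01Z 10.1.2.9 cdn.cyberhavenxt.pro 200
2024-12-26T03:10:00Z 10.1.2.3 cyberhavenxt.pro 000
2024-12-25T12:00:00Z 10.1.2.7 example.org 200
"""


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, host, status)."""
    ts, client, host, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host, status


def find_contacts(log_text: str) -> list:
    """Return (client, host, in_window) for every line hitting the indicator.
    Hits outside the window are kept: the article notes that other associated
    domains were found later, so timing alone should not clear a client."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _ = parse_line(line)
        if host_matches(host, MALICIOUS_DOMAIN):
            hits.append((client, host, WINDOW_START <= ts <= WINDOW_END))
    return hits


if __name__ == "__main__":
    for client, host, in_window in find_contacts(SAMPLE_LOG):
        print(client, "->", host, "(within active window)" if in_window else "(outside window)")
```

Any client listed is a candidate for the credential rotation the publisher recommends, regardless of whether the hit falls inside the window.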
Several extensions for Chrome were affected, including Internxt VPN, VPNCity, Uvoice, and ParrotTalks.
For Matt Johansen, founder of Vulnerable U, this incident matters because it “shows how trusted security tools can be abused against their users, with a strategically timed attack during a holiday period when security teams are usually operating with small teams.”
The software supply chain presents prime targets for malicious actors. The threat has been flagged for many years, but 2024 demonstrated it once again, notably with attacks relayed via the Polyfill.io service and the hijacking of GitHub features to distribute malware.