Chrome extensions: a larger campaign than initially estimated


Dozens of Google Chrome extensions have been compromised in a massive campaign, according to several cybersecurity vendors.

It was on December 27, 2024 that the publisher of data security solutions Cyberhaven made public an attack on the software supply chain: hackers published a malicious version of its Chrome extension, version 24.10.4. The attack began with a phishing operation that compromised an employee’s access to the Chrome Web Store.

The phishing email claimed to be from Google and warned that Cyberhaven was at risk of being removed from the Chrome Web Store; it contained a link to a malicious Google OAuth application called Privacy Policy Extension, which used Google’s authorization flow. The employee’s Google account was not compromised – the account was protected by multi-factor authentication (MFA) and Google Advanced Protection – but the attacker gained access to his credentials for the Chrome Web Store.

Once access was gained, the attacker copied Cyberhaven’s official Chrome extension and published a malicious version on the Chrome Web Store. According to a Cyberhaven blog post, this malicious extension included additional files to contact the attacker’s command and control (C&C) server before collecting user data for exfiltration to an external website. The blog post claims that, based on an analysis of compromised machines, “the primary motive for the attack was to target Facebook Ads accounts.”

“In our analysis of the numerous compromised endpoints across our customer base, the target websites received from the C&C server were domains linked to ‘*.facebook.com’. We have not yet seen any other targeted websites, which makes us believe this is a generic, non-targeted attack targeting users of facebook.com’s advertising services,” the company writes on the blog.

According to a December 27 blog post by Howard Ting, CEO of Cyberhaven, “our security team detected this compromise at 11:54 p.m. UTC on December 25 and removed the malicious package within 60 minutes.” As part of the company’s response to the hack, Cyberhaven released an open source tool to detect whether a malicious extension has exfiltrated data. Cyberhaven first informed users that its extension had been compromised on December 26.

Cyberhaven also concluded that access to Facebook accounts was a primary goal, as the malicious code path worked to obtain Facebook access tokens and account information. Additionally, the blog post notes that the new malicious extension added a mouse-click listener for the Facebook website.

But malicious activity has spread beyond Cyberhaven. “While analysis of the attack is still ongoing, we now understand that it was part of a broader campaign targeting Chrome extension developers,” Cyberhaven says in its blog post. “Public reports from security researchers have suggested that Chrome extensions from several different companies were compromised, and our initial analysis indicates that this is an untargeted attack.”

Among the security researchers is Jaime Blasco, co-founder and CTO of security solutions publisher Nudge Security, who published on X on December 26 that he had “reason to believe that other extensions are affected”: “Based on the IP address, there are other domains created in the same time period that resolve to the same IP address as cyberhavenext[.]pro,” he noted.
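The two indicators the article names, the trojanised Cyberhaven build 24.10.4 and the C&C domain cyberhavenext[.]pro, are enough for a first local check of a Chrome profile. The following script is an added example, not Cyberhaven’s open source tool or any code from the vendors quoted here; it walks unpacked extension directories, flags the named version by manifest name, and greps the extension’s JavaScript for the domain. The extension ids in the demo are constructed placeholders.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: the trojanised Cyberhaven build and the C&C domain.
BAD_VERSIONS = {"cyberhaven": {"24.10.4"}}
BAD_DOMAINS = {"cyberhavenext.pro"}
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in BAD_DOMAINS))


def scan_extension(ext_dir: Path) -> list[str]:
    """Return findings for one unpacked extension directory (one manifest.json)."""
    findings = []
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    name, version = str(manifest.get("name", "")), str(manifest.get("version", ""))
    for vendor, versions in BAD_VERSIONS.items():
        if vendor in name.lower() and version in versions:
            findings.append(f"{ext_dir}: '{name}' {version} is the trojanised build")
    # The malicious build contacted cyberhavenext[.]pro, so look for that string in the JS.
    for js in sorted(ext_dir.rglob("*.js")):
        if DOMAIN_RE.search(js.read_text(encoding="utf-8", errors="ignore")):
            findings.append(f"{ext_dir}: {js.name} references a known C&C domain")
    return findings


def scan_profile(extensions_root: Path) -> list[str]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect all findings."""
    findings = []
    for manifest in sorted(extensions_root.rglob("manifest.json")):
        findings.extend(scan_extension(manifest.parent))
    return findings


def run_demo() -> list[str]:
    """Build a constructed profile with one bad and one clean extension, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Extensions"
        bad = root / "constructedid0001" / "24.10.4_0"   # placeholder ids, not real ones
        good = root / "constructedid0002" / "1.0.0_0"
        for d in (bad, good):
            d.mkdir(parents=True)
        (bad / "manifest.json").write_text(json.dumps({"name": "Cyberhaven", "version": "24.10.4"}))
        (bad / "worker.js").write_text('fetch("https://cyberhavenext.pro/")')
        (good / "manifest.json").write_text(json.dumps({"name": "Notes", "version": "1.0.0"}))
        (good / "main.js").write_text("console.log('clean')")
        return scan_profile(root)
```

On a real machine point `scan_profile` at the profile’s `Extensions` directory; a version match alone means the build should be removed, while a domain hit in an extension with another name is a lead for the broader campaign the article describes.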

Cybersecurity solutions provider ExtensionTotal says in a report that 36 malicious extensions have been detected so far, and publishes a list of potentially affected applications. A large portion of the applications on the list involve generative AI and Web3 technology.

But this could all be part of a much larger and older campaign. Secure Annex, another extension security provider, has observed similar activity in other Chrome extensions. John Tuckner, founder of Secure Annex, said in a December 26 blog post that he “found some of the same code used in other extensions dating back to May 2024” and that a compromised extension containing a keylogger was published on October 6, 2023.

ExtensionTotal and Secure Annex have observed that many malicious extensions have been removed and replaced with new legitimate versions. However, according to the two companies, some malicious extensions have not yet been remediated.
