Cyber Firm Chrome Extension Hijacked - Password Theft

December 27, 2024

Cyberhaven Chrome Extension Compromised in Supply-Chain Attack

Cyberhaven, a data-loss prevention company, has revealed that a malicious update was published to its Chrome extension. According to a notification sent to customers it believes may be affected, the update could have exposed customer passwords and session tokens in what the company describes as a suspected supply-chain attack.

Incident Confirmation and Details

The cyberattack was confirmed by Cyberhaven to TechCrunch on Friday, though specific details surrounding the incident were not disclosed. A customer email, obtained by security researcher Matt Johansen, indicates that a company account was breached on December 25th, allowing attackers to publish the compromised update.

Users who were running the affected version of the extension may have had sensitive data, including authenticated sessions and cookies, sent to servers controlled by the attacker. Cyberhaven spokesperson Cameron Coles acknowledged that the email exists and did not dispute its contents.

Response and Remediation

The company’s security team reportedly identified the compromise on December 25th. The malicious extension, version 24.10.4, was subsequently removed from the Chrome Web Store. A legitimate replacement version, 24.10.5, was promptly released.
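The two version numbers above are what an administrator needs in order to triage endpoints: any profile still holding a 24.10.4 build of the extension should be treated as exposed, and anything at 24.10.5 or later as clean. The script below is an added example, not code from Cyberhaven or Google. It reads the manifest.json files that Chrome keeps under each profile's Extensions directory (layout: Extensions/<extension id>/<version>_<n>/manifest.json) and classifies every installed build of one extension ID. The extension ID constant is a placeholder assumption; take the real ID from the extension's Chrome Web Store URL before running it, and the sample manifests at the bottom are constructed, not captured from a real machine.

```python
"""Added triage example: find installed builds of a Chrome extension and flag
the compromised version. Not Cyberhaven's or Google's code."""
import json
import os
import sys
from pathlib import Path

# Version numbers reported for the incident: 24.10.4 malicious, 24.10.5 clean.
COMPROMISED_VERSIONS = {"24.10.4"}
FIRST_CLEAN_VERSION = "24.10.5"
# Placeholder (assumed) extension ID: replace with the ID from the Web Store URL.
TARGET_EXTENSION_ID = "pajkjnmeojmbapicmbpliphjmcekeaac"


def parse_version(version):
    """Turn '24.10.4' into (24, 10, 4); non-numeric pieces compare as -1."""
    return tuple(int(p) if p.isdigit() else -1 for p in str(version).split("."))


def classify_extension(ext_id, version, target_id=TARGET_EXTENSION_ID):
    """Return 'not_target', 'compromised', 'clean' or 'outdated' for one build."""
    if ext_id != target_id:
        return "not_target"
    if version in COMPROMISED_VERSIONS:
        return "compromised"
    if parse_version(version) >= parse_version(FIRST_CLEAN_VERSION):
        return "clean"
    return "outdated"  # pre-incident build: not malicious, but should be updated


def scan_manifests(manifests, target_id=TARGET_EXTENSION_ID):
    """manifests: iterable of (extension_id, manifest_dict). Returns findings
    for the target extension only, one per installed build."""
    findings = []
    for ext_id, manifest in manifests:
        version = str(manifest.get("version", ""))
        status = classify_extension(ext_id, version, target_id)
        if status != "not_target":
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": version, "status": status})
    return findings


def load_manifests(extensions_dir):
    """Read every <id>/<version>_<n>/manifest.json under a profile's Extensions dir.
    Chrome may keep an old build directory alongside the updated one, so each
    build is reported separately."""
    root = Path(extensions_dir)
    if not root.is_dir():
        return []
    out = []
    for ext_dir in (d for d in root.iterdir() if d.is_dir()):
        for build_dir in (d for d in ext_dir.iterdir() if d.is_dir()):
            manifest = build_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                out.append((ext_dir.name, json.loads(manifest.read_text(encoding="utf-8"))))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, don't abort the scan
    return out


def default_profile_dirs():
    """Extensions directories of every profile under the default Chrome user-data path."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        base = local / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = home / ".config" / "google-chrome"
    if not base.is_dir():
        return []
    return [p / "Extensions" for p in base.iterdir() if (p / "Extensions").is_dir()]


# Constructed sample data (not from a real machine): one profile that still has
# the malicious build on disk next to the clean update, plus an unrelated extension.
SAMPLE_MANIFESTS = [
    (TARGET_EXTENSION_ID, {"name": "Cyberhaven extension (sample)", "version": "24.10.4"}),
    (TARGET_EXTENSION_ID, {"name": "Cyberhaven extension (sample)", "version": "24.10.5"}),
    ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", {"name": "Unrelated extension", "version": "1.2.3"}),
]

if __name__ == "__main__":
    manifests = [m for d in default_profile_dirs() for m in load_manifests(d)]
    for finding in scan_manifests(manifests or SAMPLE_MANIFESTS):
        print(finding)
```

A "compromised" finding on a host means the 24.10.4 build ran there at some point, so that user's credentials and sessions fall under the rotate-and-revoke advice even if the extension has since updated itself. Run the script under each user account (or point load_manifests at each user's profile path), since Chrome stores extensions per profile.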

Cyberhaven’s products are designed to detect and block data exfiltration and related threats, in part through a browser extension that monitors website activity for potentially harmful actions. The Cyberhaven extension currently has approximately 400,000 users, largely in corporate environments.

Affected Users and Credentials

Cyberhaven has not publicly stated the number of customers notified about the breach. Among its clientele are prominent technology companies such as Motorola, Reddit, and Snowflake, alongside legal firms and major health insurance providers.

Customers were advised in the email to “revoke” and “rotate” all passwords and other text-based credentials, including API tokens, and to review system logs for suspicious activity. The distinction matters: a stolen session token or cookie lets an attacker reuse an already authenticated session, bypassing the password and two-factor prompts entirely, and changing a password does not necessarily invalidate sessions that were issued before the change. Active sessions therefore need to be terminated, not just credentials replaced.

Scope of the Compromise

The email did not provide guidance on whether users should also update credentials for other accounts stored within the Chrome browser. Cyberhaven’s spokesperson refrained from commenting on this matter when questioned by TechCrunch.

The compromised account was identified as the “single admin account for the Google Chrome Store.” The company has not yet explained how the account was breached or what protections were in place on it at the time. Cyberhaven stated it is conducting a thorough review of its security practices and will implement additional safeguards based on its findings.

Investigation and Cooperation

Cyberhaven has engaged the services of an incident response firm, identified as Mandiant in the customer email, and is actively collaborating with federal law enforcement agencies.

Wider Campaign

Jaime Blasco, co-founder and CTO of Nudge Security, reported on X (formerly Twitter) that multiple other Chrome extensions were compromised as part of the same campaign, impacting extensions with substantial user bases.

Blasco is continuing to investigate the attacks and believes that additional extensions were compromised earlier in the year, including ones related to AI, productivity, and VPNs. He suggests the attacks were opportunistic, with victims determined by which developers’ credentials the attackers managed to compromise rather than by the extensions themselves.

Cyberhaven acknowledged in its statement to TechCrunch that reports indicate this attack was part of a broader effort to target Chrome extension developers across numerous companies. The responsible party for this campaign remains unknown, and further affected companies and extensions are yet to be confirmed.

Tags: cybersecurity, chrome extension, password theft, security breach, hacking, malware