Hackers hijacked legitimate Chrome extensions to try to steal data

A cyberattack campaign injected malicious code into several Chrome browser extensions until mid-December, Reuters reported yesterday. The code appeared to be designed to steal browser cookies and authentication sessions, targeting “specific social media advertising and AI platforms.” according to a blog post from Cyberhaven, one of the targeted companies.

Cyberhaven blames a phishing email for the attack, writing in a separate technical analysis post that code appeared to specifically target Facebook Ads accounts. According to Reuters, sSecurity researcher Jaime Blasco believes the attack was “just random” and did not specifically target Cyberhaven. He published on X that he had found VPN and AI extensions that contained the same malicious code that was embedded in Cyberhaven.

Cyberhaven says hackers pushed an update (version 24.10.4) of its Cyberhaven data loss prevention extension that contained the malicious code on Christmas Eve at 8:32 PM ET. Cyberhaven says it discovered the code on December 25th at 6:54PM ET and removed it within an hour, but that the code was active until December 25th at 9:50PM ET. The company says it has released a clean version in its 24.10.5 update.

Cyberhaven’s advice for businesses that may be affected includes checking their logs for suspicious activity and revoking or rotating any passwords that don’t use the FIDO2 multifactor authentication standard. Before publishing their posts, the company notified customers via email that TechCrunch reported friday morning