Dozens of Chrome extensions hacked in threat campaign
Although data security vendor Cyberhaven disclosed that its Chrome extension was compromised on Dec. 24, additional research suggests the broader campaign could be months older.
Dozens of Google Chrome extensions have been hacked in a far-reaching threat campaign, according to multiple cybersecurity vendors.
Data security vendor Cyberhaven publicly disclosed a supply chain attack on Dec. 27 in which attackers published a malicious version of its Chrome extension, version 24.10.4. The attack began with a phishing attack that compromised an employee's access to the Chrome Web Store three days earlier.
The phishing email claimed to be from Google and warned that Cyberhaven was at risk of being removed from the Chrome Web Store; it contained a link to a malicious OAuth Google application called Privacy Policy Extension, which used Google's legitimate authorization flow. The employee's Google account itself was not compromised (the account had MFA and Google Advanced Protection enabled), but the attacker gained access to the employee's credentials for the Chrome Web Store.
Once the attacker gained access, they copied Cyberhaven's official Chrome extension and published a malicious version to the Chrome Web Store. This malicious extension, a Cyberhaven blog post said, included additional files to contact the attacker's command and control (C&C) server before collecting user data to exfiltrate to an external website. The blog claimed that based on an analysis of compromised machines, "the primary motive for the attack was to target Facebook Ads accounts."
"In our analysis of many compromised endpoints across our customer base, the target website received from the C&C server was domains related to '*.facebook.com'. We have yet to see any other websites targeted, which makes us believe that this attack was a generic, non-targeted attack, aimed at facebook.com advertising users," the blog read.
According to a Dec. 27 blog post by Cyberhaven CEO Howard Ting, "Our security team detected this compromise at 11:54 PM UTC on December 25 and removed the malicious package within 60 minutes." As part of the company's response to the hack, Cyberhaven released an open source tool to detect when a malicious extension has exfiltrated data. Cyberhaven first notified users on Dec. 26 that its extension had been compromised.
Cyberhaven further concluded that Facebook account access was a primary goal because the malicious code path made efforts to obtain Facebook access tokens and account information. Moreover, the blog noted that the new malicious extension added a mouse click listener for Facebook's website.
The threat activity extended beyond Cyberhaven. "Although analysis of the attack is still in progress, we now understand this was part of a larger campaign to target Chrome Extension developers," Cyberhaven said in the blog post. "Public reports from security researchers have suggested that Chrome extensions from several different companies were compromised and our initial analysis points to a non-targeted attack."
The security researchers include Jaime Blasco, co-founder and CTO of security vendor Nudge Security, who posted to X on Dec. 26 that he had "reasons to believe there are other extensions affected."
"Pivoting by the ip address there are more domains created within the same time range resolving to the same ip address as cyberhavenext[.]pro," Blasco wrote.
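As an added, defender-side example (not Cyberhaven's open source tool, nor any code from this article or from the vendors it cites), the following Python script triages the unpacked extensions in a Chrome profile against a small watchlist: it flags the compromised release version named above (24.10.4), any bundled file that references the cyberhavenext[.]pro domain Blasco pivoted on, and broad host permissions that would let an extension read every site a user visits. The watchlist contents, the manifest name key "Cyberhaven" (the extension's actual store name may differ), and the default Linux profile path are assumptions to adjust for your environment.

```python
"""Triage unpacked Chrome extensions against a small IoC watchlist (added example)."""
import json
import re
import sys
from pathlib import Path

# Watchlist constructed from values the article names: the compromised Cyberhaven
# release 24.10.4 and the cyberhavenext[.]pro domain. The manifest name used as a
# key is an assumption; extend both tables with your own IoCs.
COMPROMISED_VERSIONS = {"Cyberhaven": {"24.10.4"}}
IOC_DOMAINS = {"cyberhavenext.pro"}

# Host patterns that let an extension touch every site the user visits. Many
# legitimate extensions need them, so this is a review hint, not a verdict.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# File types worth string-searching inside an extension bundle.
SOURCE_SUFFIXES = {".js", ".html", ".json", ".css"}

_IOC_RE = re.compile("|".join(re.escape(d) for d in sorted(IOC_DOMAINS)), re.IGNORECASE)


def findings_for_extension(manifest: dict, sources: dict) -> list:
    """Return human-readable findings for one extension.

    manifest -- parsed manifest.json
    sources  -- {relative file name: file text} for the bundle's text files
    """
    findings = []
    # Chrome may localize the name as "__MSG_key__"; resolving that through
    # _locales/ is out of scope here, so we match on the literal manifest name.
    name = manifest.get("name", "<unnamed>")
    version = manifest.get("version", "")

    # 1. Known-bad (name, version) pairs such as the Cyberhaven 24.10.4 release.
    if version in COMPROMISED_VERSIONS.get(name, set()):
        findings.append(f"known compromised release: {name} {version}")

    # 2. Bundled files that mention a watchlisted C&C / exfiltration domain
    #    (one finding per file, even if the domain appears several times).
    for fname in sorted(sources):
        hit = _IOC_RE.search(sources[fname])
        if hit:
            findings.append(f"IoC domain {hit.group(0).lower()} referenced in {fname}")

    # 3. Broad host access: MV3 "host_permissions" or MV2 "permissions" entries.
    declared = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    for pattern in declared:
        if pattern in BROAD_HOST_PATTERNS:
            findings.append(f"broad host permission: {pattern}")
    return findings


def scan_extension_dir(ext_dir: Path) -> list:
    """Load manifest.json plus text files from one unpacked <id>/<version>/ directory."""
    manifest_path = ext_dir / "manifest.json"
    if not manifest_path.is_file():
        return []
    manifest = json.loads(manifest_path.read_text(encoding="utf-8", errors="replace"))
    sources = {}
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
            sources[str(path.relative_to(ext_dir))] = path.read_text(
                encoding="utf-8", errors="replace"
            )
    return findings_for_extension(manifest, sources)


def scan_profile(extensions_root: Path) -> dict:
    """Walk Chrome's Extensions/<id>/<version>/ layout; return {id/version: findings}."""
    report = {}
    for manifest_path in extensions_root.glob("*/*/manifest.json"):
        ext_dir = manifest_path.parent
        found = scan_extension_dir(ext_dir)
        if found:
            report[f"{ext_dir.parent.name}/{ext_dir.name}"] = found
    return report


if __name__ == "__main__":
    # Assumed default: Chrome's default profile on Linux. Pass another path as argv[1].
    default_root = Path.home() / ".config" / "google-chrome" / "Default" / "Extensions"
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_root
    for key, items in scan_profile(root).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run it against a Chrome profile's Extensions directory (the on-disk layout is Extensions/<extension id>/<version>/manifest.json) on any endpoint you want to triage. A "known compromised release" hit is actionable on its own; an IoC domain hit in a bundled file is strong evidence; broad host permissions alone only justify a closer look, since the malicious Cyberhaven build reportedly received its target domains from the C&C server at runtime rather than hard-coding them.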
Cybersecurity vendor Extension Total said in a report that it has detected 36 malicious extensions so far and published a list of potentially affected extensions. A substantial share of the extensions on the list involve generative AI and Web3 technology.
Another extension security vendor, Secure Annex, observed similar activity in other Chrome extensions. John Tuckner, founder of Secure Annex, said in a Dec. 26 blog post that "we have found some of the same code being used in other extensions as far back as May 2024" and that one compromised extension, a keylogger, was published on Oct. 6, 2023.
Both Extension Total and Secure Annex observed that many of the malicious extensions have been removed and replaced with new, legitimate versions. However, some of the malicious extensions have yet to be addressed, according to the two companies.
Informa TechTarget's SearchSecurity contacted Cyberhaven for additional information, but the company declined to comment.
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.