A hacker's Chrome extension was used to obtain user credentials.

 Cyberhaven, a data-loss prevention startup, reported that hackers released a malicious update to its Chrome extension, potentially compromising customer passwords and session tokens. This incident, described as a suspected supply-chain attack, was revealed in an email to affected customers and later confirmed by Cyberhaven to TechCrunch. However, the company withheld specific details about the breach.


The compromised update, version 24.10.4 of the Chrome extension, was published after hackers gained access to a company account. According to Cyberhaven’s email, this update could allow attackers to exfiltrate sensitive information like session cookies and authenticated data to their own domain. The breach was detected on the afternoon of December 25, and the malicious extension was promptly removed from the Chrome Web Store. A clean version, 24.10.5, was released shortly thereafter.

Cyberhaven’s browser extension is used by approximately 400,000 corporate customers to safeguard against data exfiltration and malicious activity. The company’s clients include major organizations such as Motorola, Reddit, and Snowflake, among others. Cyberhaven did not disclose how many users were affected.

In its email, Cyberhaven advised affected customers to revoke and reset all passwords, API tokens, and other credentials while reviewing their activity logs for suspicious behavior. However, the email did not explicitly recommend changing credentials for other accounts stored in the Chrome browser.

The compromised account used to publish the malicious update was identified as the “single admin account for the Google Chrome Store.” Cyberhaven has not explained how this account was breached but noted that it has initiated a security review and plans to implement additional protections. The company also engaged Mandiant, a leading incident response firm, and is cooperating with federal law enforcement.

Jaime Blasco, CTO and co-founder of Nudge Security, indicated that the Cyberhaven breach is part of a broader campaign targeting Chrome extension developers. Several other extensions, including those related to AI, productivity, and VPNs, were reportedly compromised earlier this year. Blasco suggested the attacks were not specifically aimed at Cyberhaven but opportunistically exploited developer credentials.


Cyberhaven acknowledged public reports suggesting a wider campaign targeting Chrome extensions across various companies. However, the responsible parties and the full extent of affected extensions remain unclear.
