Article Source: Security Risk Advisors
Author: TIGR Threat Watch
A phishing campaign targeting Chrome extension developers has resulted in the compromise of at least 16 Chrome extensions with a combined user base exceeding 600,000. The attack, first identified through Cyberhaven’s compromise on December 24, 2024, used social engineering to gain OAuth access to the Google Chrome Web Store. Attackers sent phishing emails impersonating Google Chrome Web Store Developer Support, claiming policy violations that required immediate action. Developers who clicked the link were redirected to authorize a malicious OAuth application called “Privacy Policy Extension.” The compromised extensions were modified to include malicious code that communicated with command-and-control (C&C) servers, primarily targeting Facebook advertising accounts. Technical analysis of the Cyberhaven incident revealed that the attackers injected malicious code into the worker.js and content.js files, enabling them to harvest Facebook access tokens, user IDs, account information, and business account details.
Impact: Organizations face multiple risks from this supply chain attack. The compromised extensions gained access to sensitive browser data, including cookies and authenticated sessions, potentially exposing corporate accounts and user credentials. The attack specifically targeted Facebook advertising accounts, putting marketing operations and associated financial resources at risk. The campaign’s duration – potentially active since April 2023 – suggests a sustained, undetected presence in affected systems. Organizations using any of the identified extensions may have inadvertently exposed sensitive data, even after the extensions were removed from the Chrome Web Store, as locally installed versions can continue exfiltrating data.
Recommendation: Organizations should audit their Chrome extensions and remove or disable any identified as compromised. Review and revoke access for unauthorized OAuth applications. Reset passwords and authentication tokens for potentially exposed accounts. Monitor network traffic for connections to identified C&C domains and URLs. For compromised extensions specifically, organizations should verify extension versions and immediately update or remove affected versions, rotate all non-FIDO2 passwords, and conduct thorough security audits of potentially exposed systems. See the following Secure Annex and Extension Total articles for a list of affected Chrome extensions, IOCs, and live updates on the incident.
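An added example (not code from the advisory or from Security Risk Advisors) of the extension audit the recommendation calls for: it walks a Chrome profile's Extensions directory, matches installed IDs and versions against a watchlist, and hashes the worker.js and content.js files the analysis names so the digests can be compared with published IOCs. The watchlist IDs, the sample profile tree and its file contents are constructed placeholders, not real indicators.

```python
import hashlib
import json
import tempfile
from pathlib import Path
# Chrome keeps each installed extension at <Extensions>/<32-char id>/<version>_<n>/manifest.json,
# e.g. ~/.config/google-chrome/Default/Extensions (Linux) or
# %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions (Windows).
# Constructed placeholder watchlist (NOT real extension IDs): id -> affected versions,
# or None when every version is affected.  Populate it from the IOC lists the advisory cites.
WATCHLIST = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"24.10.4"},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": None,
}
SUSPECT_FILES = ("worker.js", "content.js")  # files the analysis names as carrying injected code

def scan_extensions(root, watchlist=WATCHLIST):
    """Return one record per installed (id, version) that is on the watchlist."""
    hits = []
    for manifest in sorted(Path(root).glob("*/*/manifest.json")):
        ver_dir = manifest.parent
        ext_id = ver_dir.parent.name
        if ext_id not in watchlist:
            continue
        data = json.loads(manifest.read_text(encoding="utf-8"))
        version = data.get("version", ver_dir.name.split("_")[0])
        affected = watchlist[ext_id]
        if affected is not None and version not in affected:
            continue  # installed version is not one the watchlist flags
        # SHA-256 of the suspect files, for comparison against published file IOCs
        hashes = {f: hashlib.sha256((ver_dir / f).read_bytes()).hexdigest()
                  for f in SUSPECT_FILES if (ver_dir / f).is_file()}
        hits.append({"id": ext_id, "name": data.get("name"),  # may be an i18n __MSG_*__ key
                     "version": version, "path": str(ver_dir), "sha256": hashes})
    return hits

def build_sample_profile():
    """Create a throwaway Extensions tree (every entry constructed) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="ext_audit_"))
    samples = [  # (id, version, name, files present)
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.4", "Ext A", ["worker.js", "content.js"]),
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.5", "Ext A", ["worker.js"]),
        ("cccccccccccccccccccccccccccccccc", "1.0.0", "Benign Ext", ["content.js"]),
    ]
    for ext_id, version, name, files in samples:
        d = root / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
        for f in files:
            (d / f).write_text(f"// constructed {f} for {name} {version}\n")
    return root
```

Run `scan_extensions(build_sample_profile())` to see the one flagged record (Ext A 24.10.4) with its file digests; point `scan_extensions` at a real profile's Extensions directory and a populated watchlist to audit a workstation.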
The post 🚩 Cyberhaven Breach Reveals Chrome Extension Supply Chain Attack Impacting 600,000+ Users appeared first on Security Risk Advisors.