Hackers attacked companies' Chrome browser extensions on Christmas Eve, bypassing 2FA protections
Not the most festive time of the year
Key notes
- Hackers exploited Chrome extensions in a mid-December 2024 campaign, targeting data tools and VPNs.
- Cyberhaven’s extension was hijacked on Christmas Eve to exfiltrate user credentials.
- Affected companies deployed secure updates and notified users after the attack.
Hackers have compromised Chrome browser extensions from various companies in a cyberattack campaign that began in mid-December 2024, targeting data protection tools and other extensions related to AI and VPNs.
Among the affected was Cyberhaven, whose Chrome extension was hijacked on Christmas Eve in a broader effort to exploit sensitive user data. The attack, described as opportunistic rather than targeted, involved malicious updates to extensions to exfiltrate credentials.
The data security company says that a phishing attack compromised an employee's credentials for the Chrome Web Store, which led to the publication of a malicious version (24.10.4) of its Chrome extension. The malicious code targeted credentials for specific platforms but did not compromise other Cyberhaven systems.
The malicious payload enabled data collection, including Facebook access tokens, user IDs, and ad account information, which were sent to a Command and Control (C&C) server. The company has since notified customers and deployed a secure update (24.10.5).
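For administrators checking endpoints against the two versions named above, the following added example (not code from Cyberhaven or from the original article) walks a Chrome profile's `Extensions` directory and flags any installed 24.10.4 build. It assumes the extension's display name contains "cyberhaven" and relies on Chrome's on-disk layout `<extension id>/<version>_0/manifest.json`; the sample tree and its IDs are constructed.

```python
import json, sys, tempfile
from pathlib import Path
BAD, FIXED = (24, 10, 4, 0), (24, 10, 5, 0)  # versions named in the article
NAME_HINT = "cyberhaven"  # assumption: the display name contains this string

def display_name(manifest, ext_dir):
    """Resolve a localized __MSG_key__ name from _locales/<default_locale>."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        msgs = json.loads(path.read_text(encoding="utf-8-sig"))
        found = {k.lower(): v.get("message", name) for k, v in msgs.items()}
    except (OSError, ValueError, AttributeError):
        return name  # missing or malformed locale file: keep the raw name
    return found.get(name[6:-2].lower(), name)  # message keys are case-insensitive

def audit_profile(extensions_root):
    """Return (extension_id, name, version, status) for each matching install."""
    findings = []
    for mpath in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mpath.read_text(encoding="utf-8-sig"))
            version = (tuple(int(p) for p in manifest["version"].split(".")) + (0, 0, 0))[:4]
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            continue  # unreadable or malformed manifest
        name = display_name(manifest, mpath.parent)
        if NAME_HINT not in name.lower():
            continue
        status = "MALICIOUS" if version == BAD else "fixed-or-later" if version >= FIXED else "earlier"
        findings.append((mpath.parent.parent.name, name, manifest["version"], status))
    return findings

def build_sample(root):  # constructed tree: <root>/<extension id>/<version>_0/
    for ext_id, ver, name in [("sampleid-a", "24.10.4", "__MSG_appName__"),
                              ("sampleid-b", "24.10.5", "Cyberhaven (constructed)"),
                              ("sampleid-c", "1.2.0", "Unrelated extension")]:
        d = Path(root) / ext_id / f"{ver}_0"
        (d / "_locales" / "en").mkdir(parents=True)
        for rel, doc in [("manifest.json", {"name": name, "version": ver, "default_locale": "en"}),
                         ("_locales/en/messages.json", {"appName": {"message": "Cyberhaven (constructed)"}})]:
            (d / rel).write_text(json.dumps(doc), encoding="utf-8")
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for finding in audit_profile(root):
        print(*finding, sep="\t")
```

Pass the path of a profile's `Extensions` directory as the first argument to scan a real profile; the "earlier" status marks builds older than 24.10.4, which the article does not describe.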
“We invest a tremendous amount of time, effort, training and money to protect against external (and internal) threats and will continue to invest more in the future,” says CEO Howard Ting.
In general, the attacks began in mid-December 2024. Using phishing emails, hackers uploaded a malicious extension version that exfiltrated authentication cookies and user sessions, primarily targeting social media and AI platforms.
Jaime Blasco from Nudge Security said that Chrome extensions, including Internxt VPN, VPNCity, Uvoice, and Parrottalks, were also compromised in the campaign, affecting tens of thousands of users.
Microsoft’s 2024 Digital Defense Report previously revealed a surge in cyber threats, with over 600 million daily attacks targeting its users.