At least five Chrome extensions were compromised in a planned cyberattack, where threat actors injected code to steal sensitive user data. Cyberhaven, a data loss prevention company, discovered the breach on December 24 after a phishing attack allowed hackers to access their Google Chrome Store administrator account. The attackers used the access to publish a malicious version (v24.10.4) of Cyberhaven's Chrome extension, designed to steal cookies and authenticated session data.
Cyberhaven responded quickly, removing the malicious version within an hour and releasing a clean update (v24.10.5) on December 26. They advised users to upgrade, rotate API tokens, and review logs for suspicious activity.
Further investigation revealed similar malicious code in four other extensions, including Internxt VPN, VPNCity, Uvoice, and ParrotTalks, affecting tens of thousands of users. Experts recommend removing or upgrading these extensions and resetting browser settings to avoid further risks. If uncertain about an extension's safety, uninstalling it and changing key passwords is strongly advised.
Read more...