Chrome in danger: hackers managed to inject malicious code into extensions of the popular browser

An attacker managed to push malicious modifications of legitimate Chrome browser extensions in a ‘phishing’ campaign carried out at Christmas, which affected the security firm Cyberhaven.

Cyberhaven is a cybersecurity company that has developed a Chrome extension to strengthen users' security while they use the browser. Because of the malicious campaign, however, an insecure modified version of that extension was distributed for a few hours.

The ‘phishing’ campaign allowed an attacker to activate malicious code in the legitimate extension at Christmas, putting at risk users who had automatic updating activated.

In Cyberhaven's case, a phishing attack obtained a Cyberhaven employee's access credentials to the Chrome extension store, which made it possible to publish the malicious extension (v24.10.4).

The Cyberhaven security team detected the change and “removed the malicious package in 60 minutes,” the company confirmed on its official blog, where it explains the situation. It then notified users of the incident, starting with those affected, and published an updated version free of malicious code (v24.10.5).

Cyberhaven was not the only company affected by the ‘phishing’ campaign, according to the investigation it has opened. “Our initial findings show that the attacker targeted logins to specific AI and social media advertising platforms,” the company points out.

Nudge Security co-founder and CTO Jaime Blasco also believes more extensions are affected, judging by his IP address analysis. “There are more domains created within the same time interval that resolve to the same IP address” as that of the malicious Cyberhaven extension.

In fact, Blasco names the ParrotTalks, Uvoice and VPNCity extensions among those affected, as he reported on the social network X (formerly Twitter).

By Editor
