Hackers Exploit Chrome Extensions to Steal Sensitive Data

A phishing attack compromised multiple browser extensions, including one from Cyberhaven, exposing user credentials and session tokens.

Hackers injected malicious code into several Chrome extensions, including Cyberhaven's data-loss prevention tool, targeting user credentials and session tokens.
Cyberhaven identified the breach on December 25, quickly removing the compromised extension and releasing a clean version within hours.
The attack originated from a phishing incident that allowed hackers to access a Google Chrome Store admin account, enabling them to publish a malicious update.
Experts believe this was part of a broader campaign affecting other extensions, including VPNCity, Internxt VPN, Uvoice, and ParrotTalks, rather than a targeted attack on Cyberhaven.
Cyberhaven has engaged Mandiant and federal law enforcement to investigate, while advising affected users to reset passwords, rotate API tokens, and review logs for suspicious activity.