Image: Google Chrome browser extensions page (Recorded Future News)

Cyber startup employee hacked to distribute malicious Chrome extension

An unidentified threat actor has compromised an administrative account of a data security startup, using it to distribute a malicious update for its Chrome browser extension.

Swiss-founded security firm Cyberhaven said the hack occurred on Christmas and that the company removed the malicious package from the Chrome Web Store within 60 minutes of detection.

Browsers running the compromised extension were vulnerable to abuse for over 30 hours. According to Cyberhaven, the attackers could potentially exfiltrate victims’ sensitive information, including authenticated sessions and cookies.

In an email to its customers, Cyberhaven stated that one of its employees was targeted in an “advanced attack.” Researchers outside the company suggested that the administrator’s account was likely compromised through a phishing email.

Cyberhaven specializes in helping other organizations stop insider threats. The browser extension is Cyberhaven’s primary tool for monitoring and blocking data exfiltration. It tracks data sent via emails, AI tools and web applications.

It is unclear how many people were impacted by the attack or what the hackers’ primary goal was. Cyberhaven said the investigation is ongoing, with Google-owned cybersecurity firm Mandiant and federal law enforcement assisting.

The company recommends that its customers update the extension, rotate passwords and tokens, clear sessions and review logs for any suspicious activity. However, it advised against removing the extension to preserve artifacts of the malicious code for analysis.

In June, Cyberhaven secured $88 million in investment during a funding round led by the U.S. private equity firm Adams Street Partners, which valued the company at $488 million. Cyberhaven’s website lists major clients such as Canon, Reddit, and Motorola.

The recent attack on Cyberhaven only impacted machines running Chrome-based browsers that were updated via the Google Chrome Web Store. Security analysts noted that additional extensions could have been compromised using similar malicious code. They identified over a dozen suspicious domains linked to the attackers' infrastructure.

https://x.com/jaimeblascob/status/1872445912175534278 

“This breach shows how trusted security tools can be weaponized against users, with the attack strategically timed during the holiday season when security teams are typically operating with reduced staff,” security researcher Matt Johansen wrote in a blog post on Thursday.

Johansen warned that browser extensions shouldn’t be treated lightly, as they have deep access to browser data, including authenticated sessions and sensitive information. Extensions are also easy to update and often not subjected to the same scrutiny as traditional software.

“The extensions’ auto-update feature means that once an attacker compromises an extension's distribution channel, they can potentially push malicious code to all users instantly,” he added.
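A concrete form of the recovery advice above (confirm which extension version each machine is running) and of Johansen's point about how much an extension with cookie and all-hosts access can reach, as an added example that is not Cyberhaven's, Johansen's or the article's code. It walks a Chrome profile's Extensions directory, whose real on-disk layout is <profile>/Extensions/<32-character id>/<version>_<n>/manifest.json, flags any install whose id and version match a watchlist of known-compromised versions, and separately flags extensions that combine the "cookies" permission with all-hosts access. The extension ids and versions in WATCHLIST and in the sample profile are constructed placeholders, not the real compromised extension's, and the script builds a throwaway profile tree so it runs offline.

```python
"""Audit Chrome extensions installed in a profile against a watchlist of
known-compromised versions. Added example; not code from the article or
from any vendor it names. Directory layout used is Chrome's real one:
<profile>/Extensions/<id>/<version>_<n>/manifest.json
"""
import json
import os
import tempfile

# Constructed placeholders: substitute the vendor-published extension id and
# affected version(s). Neither value below comes from the article.
WATCHLIST = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"24.10.4"},
}

ALL_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def parse_version_dir(name):
    """Chrome names the unpacked directory '<version>_<n>'; return '<version>'."""
    return name.rsplit("_", 1)[0]


def installed_extensions(profile_dir):
    """Yield (extension_id, version, manifest) for every unpacked extension."""
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for vdir in sorted(os.listdir(id_dir)):
            manifest_path = os.path.join(id_dir, vdir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # Prefer the manifest's own version; fall back to the directory name.
            yield ext_id, manifest.get("version", parse_version_dir(vdir)), manifest


def audit(profile_dir, watchlist=WATCHLIST):
    """Return findings: watchlisted installs, and extensions with cookie + all-hosts reach."""
    findings = []
    for ext_id, version, manifest in installed_extensions(profile_dir):
        if version in watchlist.get(ext_id, set()):
            findings.append({"id": ext_id, "version": version,
                             "reason": "known-compromised version"})
        # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
        perms = list(manifest.get("permissions", []))
        hosts = perms + list(manifest.get("host_permissions", []))
        if "cookies" in perms and any(h in ALL_HOSTS for h in hosts):
            findings.append({"id": ext_id, "version": version,
                             "reason": "cookies + all-hosts access"})
    return findings


def build_sample_profile():
    """Construct a throwaway profile tree: one watchlisted, one benign extension."""
    root = tempfile.mkdtemp()
    samples = {
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.4_0"): {
            "name": "Sample DLP extension (constructed)", "version": "24.10.4",
            "manifest_version": 3, "permissions": ["cookies", "storage"],
            "host_permissions": ["<all_urls>"]},
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "1.2.0_0"): {
            "name": "Benign extension (constructed)", "version": "1.2.0",
            "manifest_version": 3, "permissions": ["storage"]},
    }
    for (ext_id, vdir), manifest in samples.items():
        d = os.path.join(root, "Extensions", ext_id, vdir)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    # Point audit() at a real profile directory to check a live machine.
    for f in audit(build_sample_profile()):
        print(f"{f['id']} {f['version']}: {f['reason']}")
```

On a real host, pass the profile path (for example the user's "Default" directory under Chrome's user data folder) instead of the sample tree; the permission check is deliberately independent of the watchlist, so it still surfaces extensions worth a closer look once the watchlisted version has been rotated out.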

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.