Full Report
A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and putting over 600,000 users at risk of data exposure and credential theft. The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their publishing access to insert malicious code into legitimate extensions in order to steal
Analysis Summary
# Incident Report: Widespread Compromise of Chrome Extensions for Data Theft
## Executive Summary
A coordinated attack campaign compromised at least 16 legitimate extensions on the Chrome Web Store, impacting over 600,000 users. Attackers phished extension publishers to gain access to their developer accounts, then injected malicious code that stole user cookies and access tokens. The incident came to light following a disclosure by cybersecurity firm Cyberhaven, which revealed a widespread effort targeting extensions that already held broad permissions.
## Incident Details
- **Discovery Date:** December 27, 2024 (following Cyberhaven's disclosure)
- **Incident Date:** The attack campaign likely began before December 27, 2024.
- **Affected Organization:** At least 16 Chrome Extension publishers, impacting over 600,000 users. Cyberhaven was the first publicly disclosed victim.
- **Sector:** Technology (Software/Browser Extensions)
- **Geography:** Global (Users of exposed Chrome Extensions)
## Timeline of Events
### Initial Access
- **Date/Time:** Not precisely specified, but activity was confirmed by December 27, 2024.
- **Vector:** Phishing campaign targeting the publishers/developers of the Chrome extensions.
- **Details:** Attackers used the compromised credentials and publishing permissions of extension developers to inject malicious code into the developers' legitimate extensions on the Chrome Web Store.
### Lateral Movement
- Not applicable in the traditional sense. Once a compromised version was installed or auto-updated, the malicious code ran with the permissions already granted to the extension, so no further movement inside the victim's environment was needed.
### Data Exfiltration/Impact
- **Details:** Malicious code communicated with an external Command and Control (C&C) server (e.g., `cyberhavenext[.]pro`). The primary impact was the theft of user cookies and access tokens.
### Detection & Response
- **How it was discovered:** Cyberhaven disclosed the compromise of their own browser extension on December 27th.
- **Response actions taken:** Security researchers pivoted on the same C&C infrastructure and identified further compromised extensions, which established that this was a wider campaign rather than an isolated compromise.
## Attack Methodology
- **Initial Access:** Phishing against extension developers to gain administrative control over the extension publishing pipeline.
- **Persistence:** Malicious code was persistently injected into the legitimate, published versions of the extensions.
- **Privilege Escalation:** Not explicitly detailed, but attackers effectively leveraged the extensive permissions already granted to the target browser extensions.
- **Defense Evasion:** Attackers used legitimate, trusted Chrome Web Store extensions as the delivery mechanism; the compromised versions reached users through the store's normal publishing and update channel.
- **Credential Access:** Directly targeted and stole user cookies and access tokens via malicious code injection.
- **Discovery:** Not detailed in the available reporting.
- **Lateral Movement:** N/A (Movement occurred through the extension's granted runtime permissions).
- **Collection:** Cookies and user access tokens.
- **Exfiltration:** Data was sent to remote C&C servers (e.g., `cyberhavenext[.]pro`).
- **Impact:** Data theft, exposure of user sessions/credentials.
## Impact Assessment
- **Financial:** Not estimated in the available reporting, but includes cleanup costs and potential losses from accounts taken over with stolen session data.
- **Data Breach:** User cookies and access tokens (sensitive session data). Over 600,000 users potentially exposed.
- **Operational:** Disruption to users using the affected extensions. For organizations like Cyberhaven, data integrity and security posture were impacted.
- **Reputational:** Significant negative impact on the trust associated with the Chrome Web Store and the software publishers.
## Indicators of Compromise
- **Network indicators (Defanged):** C&C domain observed: `cyberhavenext[.]pro` (other domains resolving to the same IP were also identified).
- **File indicators:** No file hashes are given in the available reporting; the indicator is the modified extension package itself, i.e. a published version that differs from the publisher's clean release.
- **Behavioral indicators:** Extensions communicating outbound to known C&C infrastructure to download configuration files and exfiltrate user tokens/cookies.
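One way to act on the network indicator above is to refang it and sweep proxy logs for destinations matching it. The following is an added example for this report, not Cyberhaven's or Google's tooling: the only indicator taken from the report is `cyberhavenext[.]pro`, the log lines are constructed samples, and the Squid native log layout is an assumption about what a corporate proxy would produce. The matcher compares the destination hostname as a domain suffix rather than as a substring, so a look-alike such as `cyberhavenext.pro.example.net` is not reported.

```python
"""Match defanged network IoCs from the report against proxy log lines.

Added illustration for this report, not Cyberhaven's or Google's tooling.
The only indicator taken from the report is cyberhavenext[.]pro; the log
lines are constructed samples and the Squid native log layout is an
assumption about what a corporate proxy would produce.
"""
import re
from urllib.parse import urlsplit

# Indicators as published (defanged so they cannot be clicked or resolved).
DEFANGED_IOCS = ["cyberhavenext[.]pro"]

# Constructed sample lines in Squid native format:
# time elapsed client action/code bytes method url user hierarchy/peer type
# 192.0.2.0/24 is documentation address space, not a real server.
SAMPLE_LOG = """\
1735300000.123 45 10.0.0.12 TCP_MISS/200 812 GET https://cyberhavenext.pro/update - HIER_DIRECT/192.0.2.10 application/json
1735300001.456 12 10.0.0.12 TCP_MISS/200 1290 GET https://www.google.com/ - HIER_DIRECT/192.0.2.20 text/html
1735300002.789 30 10.0.0.47 TCP_MISS/200 640 POST https://api.cyberhavenext.pro/collect - HIER_DIRECT/192.0.2.10 application/json
1735300003.000 20 10.0.0.90 TCP_MISS/200 700 GET https://cyberhavenext.pro.example.net/ - HIER_DIRECT/192.0.2.30 text/html
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator (cyberhavenext[.]pro, hxxps://...) back into
    a matchable string."""
    s = indicator.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(bracketed, ".")
    return re.sub(r"^hxxp", "http", s)


def host_matches(host: str, domain: str) -> bool:
    """True if host is the indicator domain or a subdomain of it.

    A plain substring test would also flag cyberhavenext.pro.example.net,
    which belongs to a different registrant; exact/suffix matching avoids
    that false positive."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_squid_line(line: str):
    """Pull the fields we need from one Squid native log line."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"time": parts[0], "client": parts[2], "method": parts[5], "url": parts[6]}


def scan_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return one hit per log line whose destination host matches an IoC."""
    domains = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        for domain in domains:
            if host_matches(host, domain):
                hits.append({**rec, "host": host, "ioc": domain})
                break
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]} -> {hit["host"]} ({hit["method"]} {hit["url"]})')
```

Run against the sample, the sweep reports two clients (10.0.0.12 and 10.0.0.47) that reached the C&C domain or one of its subdomains; those hosts are where the compromised extension was running and whose users need sessions revoked. Point `scan_log` at real log text and extend `DEFANGED_IOCS` with any further domains identified as resolving to the same infrastructure.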
## Response Actions
- **Containment measures:** Identifying and listing all known compromised extensions communicating with the C&C infrastructure (e.g., AI Assistant, VPNCity, Internxt VPN). Implied action: removal of the malicious versions from the Web Store by the affected publishers or by Google.
- **Eradication steps:** Developers of the extensions needed to create and publish clean versions, and users needed to remove the malicious versions.
- **Recovery actions:** Affected users should reset passwords and revoke active sessions and tokens; stolen cookies and access tokens remain usable until the corresponding sessions are invalidated server-side, so a password change alone is not sufficient.
## Lessons Learned
- **Key takeaways:** Browser extensions remain a significant "soft underbelly" of web security due to often overly broad permissions granted to them.
- **What could have been done better:** Extension publishers must enhance their security protocols to prevent developer account compromise (e.g., strong MFA). Organizations often lack visibility into the extensions installed across their endpoints.
## Recommendations
- Implement rigorous verification and security practices (MFA) for developer accounts managing software distribution (Chrome Web Store).
- Organizations should maintain an active inventory and monitoring solution for all installed browser extensions on corporate endpoints, assessing their permissions regularly.
- Users should minimize the use of extensions, especially those requesting extensive permissions (cookies, access to all sites), and only install extensions from reputable sources, bearing in mind that this campaign abused legitimate publishers, so reputation alone is not sufficient protection.
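The inventory-and-permissions recommendation above can be scripted. The following is an added example for this report, not a Cyberhaven or Google tool: it walks Chrome's on-disk extension directories (the default profile paths and the `<id>/<version>/manifest.json` layout are what Chrome writes), parses each manifest, and rates extensions by the combination this campaign abused, the `cookies` permission together with host access to every site. The two manifests at the bottom are constructed samples, one over-privileged and one scoped to a single origin, and the name watchlist is a hypothetical hook; the report gives extension names rather than IDs, and a real watchlist should carry the 32-character extension IDs.

```python
"""Inventory installed Chrome extensions and flag broad permissions.

Added illustration for the recommendations above, not a Cyberhaven or
Google tool. The default profile paths are Chrome's documented locations
and <id>/<version>/manifest.json is the layout Chrome writes on disk.
The two manifests at the bottom are constructed samples.
"""
import json
import os
import sys
from pathlib import Path

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look; "cookies" is what this campaign abused.
SENSITIVE_PERMS = {"cookies", "webRequest", "webRequestBlocking", "scripting",
                   "tabs", "history", "debugger", "nativeMessaging", "clipboardRead"}


def chrome_extension_roots():
    """Extension directories of every Chrome profile on this machine."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home))) / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = home / ".config" / "google-chrome"
    if not base.is_dir():
        return []
    return [p / "Extensions" for p in base.iterdir() if (p / "Extensions").is_dir()]


def host_patterns(manifest):
    """Collect host access from MV3 host_permissions, MV2 permissions and
    content-script match lists."""
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats


def audit_manifest(manifest, watchlist=()):
    """Return a risk rating and findings for one manifest."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = host_patterns(manifest)
    name = manifest.get("name", "")
    findings = []
    broad = bool(hosts & BROAD_HOSTS)
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    for p in sorted(perms & SENSITIVE_PERMS):
        findings.append("sensitive permission: " + p)
    # The combination that lets an extension hand over every site's session.
    session_theft = broad and "cookies" in perms
    if session_theft:
        findings.append("can read cookies for every site (cookies + broad host access)")
    # Hypothetical name watchlist: weaker than matching the extension ID, but the
    # report gives names, not IDs. Localized names (__MSG_*__) are skipped.
    listed = (not name.startswith("__MSG_")) and any(w.lower() in name.lower() for w in watchlist)
    if listed:
        findings.append("name matches watchlist entry")
    risk = "high" if (session_theft or listed) else "medium" if findings else "low"
    return {"name": name, "version": manifest.get("version", ""), "risk": risk, "findings": findings}


def audit_directory(root, watchlist=()):
    """Audit every <id>/<version>/manifest.json under one Extensions directory."""
    root = Path(root)
    results = []
    if not root.is_dir():
        return results
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        entry = audit_manifest(manifest, watchlist)
        entry["id"] = manifest_path.parent.parent.name
        results.append(entry)
    return results


# Constructed sample manifests: one over-privileged, one scoped to a single site.
BROAD_MANIFEST = {
    "manifest_version": 3, "name": "Example Helper", "version": "1.0",
    "permissions": ["cookies", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
}
MINIMAL_MANIFEST = {
    "manifest_version": 3, "name": "Example Helper", "version": "1.1",
    "permissions": ["storage"],
    "host_permissions": ["https://app.example.com/*"],
}

if __name__ == "__main__":
    # Names from the report's list of compromised extensions; swap in IDs when known.
    watch = ["VPNCity", "Internxt VPN"]
    for root in chrome_extension_roots():
        for entry in audit_directory(root, watch):
            if entry["risk"] != "low":
                print(json.dumps(entry))
```

On the constructed samples, `BROAD_MANIFEST` rates high (it can read every site's cookies) while `MINIMAL_MANIFEST`, which asks only for storage and a single origin, rates low. Run from an endpoint-management agent, the `__main__` section produces one JSON line per extension that needs review; the extension ID in each entry is what to pin in a block list, since names can be changed by the publisher.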