Hackers Hijacked 16 Chrome Extensions to Inject Malicious Code

In a sophisticated cyberattack campaign that began in mid-December, hackers have compromised at least 16 Chrome browser extensions, exposing over 600,000 users to potential data theft.

The breach, which came to light through a series of reports and statements from affected companies, has raised significant concerns about the security of browser extensions.

Cyberhaven, a California-based data protection company, was among the first to confirm the breach. The company disclosed that on Christmas Eve, a phishing attack compromised an employee’s credentials, allowing hackers to publish a malicious version of their Chrome extension (version 24.10.4).

[Figure: Possible Chrome Extensions Affected]

This version contained code designed to steal sensitive information, including passwords and session tokens, particularly targeting social media advertising and AI platforms.

The attack was not isolated to Cyberhaven. Cybersecurity experts, including Jaime Blasco from Nudge Security, have identified several other similarly compromised extensions.

These include extensions related to VPNs, AI, productivity, and even video downloaders, suggesting a broad, opportunistic approach by hackers to collect as much sensitive data as possible.

Here is a table listing the Chrome extensions that were possibly affected by the recent cyberattack:

| Extension Name | Category |
|---|---|
| AI Assistant – ChatGPT and Gemini | AI |
| Bard AI Chat Extension | AI |
| GPT 4 Summary with OpenAI | AI |
| Search Copilot AI Assistant for Chrome | AI |
| TinaMind AI Assistant | AI |
| Wayin AI | AI |
| VPNCity | VPN |
| Internxt VPN | VPN |
| Vindoz Flex Video Recorder | Productivity |
| VidHelper Video Downloader | Productivity |
| Bookmark Favicon Changer | Productivity |
| Castorus | Productivity |
| Uvoice | Productivity |
| Reader Mode | Productivity |
| Parrot Talks | Productivity |
| Primus | Productivity |

This table includes extensions related to AI, VPNs, and productivity tools, which were identified as potentially compromised in the attack campaign.

The malicious code was active for approximately 25 hours, from December 24 to December 26, 2024, affecting only those Chrome installations that automatically updated during this period.

Cyberhaven’s internal security team detected the intrusion on Christmas Day and promptly removed the malicious extension from the Chrome Web Store, replacing it with a secure version (24.10.5).

Cyberhaven has taken several steps in response to the breach:

  • Notified affected customers on December 26.
  • Engaged an external incident response firm, Mandiant, for forensic analysis.
  • Implemented additional security measures to prevent future incidents.
  • Advised customers to update their extensions, rotate passwords, and review logs for suspicious activity.
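To act on the advice to confirm extensions are updated, the following added example (not code from Cyberhaven or from this article) inventories a Chrome profile's Extensions directory and flags the malicious build 24.10.4 and names from the table above. It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version dir>/manifest.json` and matches on display name, since the article gives no extension IDs; the sample tree, its IDs and the name "Cyberhaven (sample)" are constructed.

```python
import json
import tempfile
from contextlib import suppress
from pathlib import Path

BAD_NAME, BAD_VERSION = "cyberhaven", "24.10.4"  # malicious build named in the article
WATCHLIST = {"vpncity", "internxt vpn", "reader mode", "uvoice", "castorus"}  # part of the table

def display_name(version_dir, manifest):
    """Resolve the manifest name, following a __MSG_key__ placeholder into _locales."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        path = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        with suppress(OSError, ValueError, AttributeError):  # unreadable file: keep placeholder
            msgs = {k.lower(): v for k, v in json.loads(path.read_text("utf-8-sig")).items()}
            name = msgs.get(name[6:-2].lower(), {}).get("message", name)
    return name

def scan_extensions(root):
    """Yield (id, name, version, status) for flagged <root>/<id>/<version dir>/manifest.json."""
    for mf in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text("utf-8-sig"))
        except (OSError, ValueError):
            continue  # skip unreadable or malformed manifests
        name, version = display_name(mf.parent, manifest), manifest.get("version", "")
        if BAD_NAME in name.lower():
            status = "malicious-version" if version == BAD_VERSION else "other-version"
        elif name.lower() in WATCHLIST:
            status = "on-watchlist"
        else:
            continue
        yield mf.parent.parent.name, name, version, status

def build_sample(root):
    """Constructed sample tree; the IDs and the name 'Cyberhaven (sample)' are made up."""
    def put(ext_id, manifest, msgs=None):
        d = Path(root) / ext_id / (manifest["version"] + "_0")
        (d / "_locales" / "en").mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), "utf-8")
        (d / "_locales" / "en" / "messages.json").write_text(json.dumps(msgs or {}), "utf-8")
    put("sampleid-a", {"name": "Cyberhaven (sample)", "version": "24.10.4"})
    put("sampleid-b", {"name": "__MSG_appName__", "version": "1.2.0"}, {"appName": {"message": "Reader Mode"}})
    put("sampleid-c", {"name": "Unrelated Tool", "version": "3.0"})

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_extensions(tmp), sep="\n")
```

An "other-version" result only describes what is on disk now; a host that auto-updated during the exposure window may have run 24.10.4 earlier, so it still warrants the log review and credential rotation listed above.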

“We have yet to see any other websites targeted, which makes us believe that this attack was a generic, non-targeted attack aimed at facebook.com advertising users,” Cyberhaven said.

[Figure: Malicious Code Injected]

The geographical scope of the attack remains unclear, but the implications are global, given the widespread use of Chrome extensions.

Browser extensions, often seen as harmless tools for enhancing web browsing experiences, have become a soft target for cybercriminals due to the extensive permissions they are granted, which can include access to cookies, identity information, and more.

This incident underscores the vulnerability of browser extensions and the need for heightened security measures. The ongoing investigation aims to uncover the full extent of the breach and identify the perpetrators behind this widespread campaign.

As the digital landscape continues to evolve, this attack serves as a stark reminder for both developers and users to remain vigilant about the security of browser extensions, ensuring they are updated regularly and sourced from reputable providers.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.