Cyber firm's Chrome extension hijacked to steal user passwords


Data loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing user passwords and session tokens, according to an email sent to potential victims of the supply chain attack.

Cyberhaven confirmed the cyberattack to TechCrunch on Friday, but declined to comment on details about the incident.

The email that the company sent to customers, obtained and published by security researcher Matt Johansen, said hackers compromised a company account to release a malicious update to its Chrome extension in the early morning hours of Dec. 25. The email warned that, for customers running the malicious browser extension, sensitive information, “including authenticated sessions and cookies,” could be exported to the attacker's domain.

Cyberhaven spokesman Cameron Coles declined to comment on the email but did not dispute its authenticity.

In a brief emailed statement, Cyberhaven said its security team discovered the compromise on the afternoon of Dec. 25 and removed the malicious extension (version 24.10.4) from the Chrome Web Store. A new official version of the extension (24.10.5) was released soon after.
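For defenders triaging endpoints, the version numbers above can be checked against what is on disk. The script below is an added example, not code from the article or from Cyberhaven; it assumes Chrome's usual layout for installed extensions (`<profile>/Extensions/<extension-id>/<version>_<n>/manifest.json`) and takes the extension ID as an argument because the article does not give it.

```python
import json
from pathlib import Path

MALICIOUS = (24, 10, 4, 0)  # version the article says was pulled from the store
FIXED = (24, 10, 5, 0)      # replacement version named in the article

def parse_version(text):
    """Turn '24.10.4' into (24, 10, 4, 0); Chrome versions have 1-4 integer parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Label a manifest version relative to the two versions in the article."""
    v = parse_version(version_text)
    if v == MALICIOUS:
        return "malicious"
    return "fixed-or-later" if v >= FIXED else "earlier"

def scan_profile(profile_dir, extension_id):
    """Return (version, verdict, manifest_path) for every copy of the extension
    found under one Chrome profile directory (assumed layout, see lead-in)."""
    root = Path(profile_dir) / "Extensions" / extension_id
    findings = []
    for manifest in sorted(root.glob("*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version = data["version"]
            verdict = classify(version)
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            # Corrupt or unexpected manifest: report it rather than skip it.
            version, verdict = None, "unreadable"
        findings.append((version, verdict, str(manifest)))
    return findings

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: scan.py <chrome-profile-dir> <extension-id>")
    for version, verdict, path in scan_profile(sys.argv[1], sys.argv[2]):
        print(f"{verdict:15} {version}  {path}")
```

A profile that now shows only 24.10.5 may still have run 24.10.4 before it was replaced, so a clean result does not stand in for the credential and log review the company's email asks for.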

Cyberhaven offers products that it says protect against other cyberattacks, including browser extensions that allow the company to monitor potentially malicious activity on websites. The Chrome Web Store shows that the Cyberhaven extension has about 400,000 corporate users at the time of writing.

When asked by TechCrunch, Cyberhaven declined to say how many customers it had notified. The California-based company lists tech giants Motorola, Reddit and Snowflake as clients, as well as law firms and large health insurance companies.

According to the email Cyberhaven sent to its customers, affected users should “revert all passwords” and revoke other text-based credentials such as API tokens. Cyberhaven says users should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user's browser can be used to log in without the password or two-factor code, effectively allowing hackers to bypass those security measures.)

The email did not specify whether users should change credentials for other accounts stored in the Chrome browser, but a Cyberhaven spokesperson denied this when asked by TechCrunch.

According to the email, the compromised company account was an “administrator account for the Google Chrome Store.” Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account to be compromised. The company said in its brief statement that “we have initiated a comprehensive review of our security practices and will implement additional safeguards based on our findings.”

Cyberhaven said it has hired an incident response company, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”

Jaime Blasco, co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions, including many with thousands of users, were apparently compromised as part of the same campaign.

Blasco told TechCrunch that the attacks are still being investigated and that he believes more extensions were compromised earlier this year, including some related to AI, productivity and VPNs.

“It doesn't appear to be targeting Cyberhaven, but it does target extension developers with a good chance,” Blasco said. “I think they go after the extensions they can do based on the evidence of the developers.”

In its statement to TechCrunch, Cyberhaven said, “Public reports suggest this attack was part of a broader campaign to target Chrome extension developers at multiple companies.” At this time, it is unclear who is responsible for the campaign, and other affected companies and their extensions have yet to be confirmed.


