December 30 (Portaltic/EP) –
An attacker managed to publish malicious modified versions of legitimate Chrome browser extensions in a phishing campaign carried out at Christmas, which affected the security firm Cyberhaven.
Cyberhaven is a cybersecurity company that has developed a Chrome extension to strengthen users' security while they use the browser. Because of the malicious campaign, however, an insecure modified version of that extension was distributed for a few hours.
The phishing campaign allowed an attacker to activate malicious code in the legitimate extension at Christmas, putting at risk users who had automatic updating enabled.
In Cyberhaven's case, a phishing attack obtained a Cyberhaven employee's access credentials to the Chrome extension store, which made it possible to publish the malicious extension (v24.10.4).
Cyberhaven's security team detected the change and "removed the malicious package within 60 minutes," the company confirmed on its official blog, where it explains the situation. It then notified users of the incident, starting with those affected, and released an updated version free of malicious code (v24.10.5).
Cyberhaven was not the only one affected by the phishing campaign, according to the investigation the company has opened. "Our initial findings show that the attacker targeted logins to specific artificial intelligence and social media advertising platforms," it notes.
Nudge Security co-founder and CTO Jaime Blasco also believes that more extensions are affected, judging by his IP address analysis. "There are more domains created within the same time interval that resolve to the same IP address" as that of the malicious Cyberhaven extension.
In fact, Blasco names the ParrotTalks, Uvoice and VPNCity extensions among those affected, as he stated on the social network X (formerly Twitter).
Regarding the Cyberhaven Chrome extension compromise, I have reasons to believe there are other extensions affected. Pivoting by the IP address, there are more domains created within the same time range resolving to the same IP address as cyberhavenext[.]pro (cont.)
— Jaime Blasco (@jaimeblascob) December 27, 2024