Supply Chain Attack Targets Popular Chrome Extensions

Malicious versions of Cyberhaven and other Chrome extensions have been published on the Google Chrome Web Store as part of a supply chain attack likely targeting Facebook ad users.

An extension from data security company Cyberhaven was compromised after an employee fell victim to a phishing attack and granted a malicious OAuth application called ‘Privacy Policy Extension’ permission to access Cyberhaven’s Chrome Web Store account.

The phishing email appeared to originate from the Chrome Web Store: a message sent to the extension’s registered support address claimed that the extension description contained too many keywords and that the extension would be removed from the store.

After clicking the link in the message, the employee was taken through the standard Google authorisation flow and, without realising it, granted a malicious third-party app permission to access the developer account. Because this was an OAuth consent grant rather than a theft of credentials, the password and MFA protections on the account never came into play.

‘The employee had Google Advanced Protection enabled and had MFA (Multi-Factor Authentication) protecting his account. The employee did not receive an MFA request and the employee’s Google credentials were not compromised,’ Cyberhaven explains.

The attackers then used these permissions to publish a malicious version of the extension to the Chrome Web Store, which was available for download for more than 24 hours between 25 December and 26 December 2024.

The malicious version, 24.10.4, was removed from the store as soon as the attack was discovered and replaced with version 24.10.5, which has been verified as clean. While it was listed on the Chrome Web Store, the malicious version was pushed automatically to users who had automatic extension updates enabled.
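An installed extension keeps running until the next update lands, so the first thing a responder wants is an inventory check. The following script is an added example (not part of the original article and not Cyberhaven’s own tooling): it walks a Chrome profile’s Extensions directory, resolves localised extension names, and flags any install whose name matches an indicator and whose manifest version is a known-bad version. Version 24.10.4 comes from the article; the ‘cyberhaven’ name substring, the default profile paths and the sample profile the script builds are assumptions and constructed test data.

```python
"""Check a Chrome profile for known-compromised extension versions.

Chrome stores each installed extension as
<profile>/Extensions/<extension_id>/<version>_<n>/manifest.json.
This script walks that tree, resolves localised names (a manifest "name"
of the form __MSG_key__ is looked up in _locales/<default_locale>/messages.json)
and reports every extension whose name matches an indicator and whose
manifest version is a known-bad version.
"""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Indicators as (case-insensitive name substring, bad version). The version
# is the one named in the article; matching on the vendor name rather than
# the exact store listing title is an assumption.
INDICATORS = [("cyberhaven", "24.10.4")]

# Default Chrome profile extension directories per platform (assumed defaults;
# pass the directory explicitly for non-default profiles).
DEFAULT_EXTENSION_DIRS = {
    "win32": Path(os.environ.get("LOCALAPPDATA", ".")) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions",
    "darwin": Path.home() / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions",
    "linux": Path.home() / ".config" / "google-chrome" / "Default" / "Extensions",
}

_MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def _load_json(path: Path):
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the human-readable extension name, resolving __MSG_x__ placeholders."""
    name = str(manifest.get("name", ""))
    m = _MSG_RE.match(name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    table = _load_json(version_dir / "_locales" / locale / "messages.json") or {}
    entry = table.get(m.group(1))
    return entry.get("message", name) if isinstance(entry, dict) else name


def installed_extensions(root: Path):
    """Yield (extension_id, version, name) for every manifest under root."""
    if not root.is_dir():
        return
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = _load_json(version_dir / "manifest.json")
            if not isinstance(manifest, dict):
                continue
            # Trust the manifest's version; the directory name carries a "_n" suffix.
            version = str(manifest.get("version", version_dir.name.split("_")[0]))
            yield ext_dir.name, version, resolve_name(version_dir, manifest)


def find_compromised(root, indicators=INDICATORS):
    """Return [(extension_id, name, version)] for installs matching an indicator."""
    hits = []
    for ext_id, version, name in installed_extensions(Path(root)):
        for needle, bad_version in indicators:
            if needle.lower() in name.lower() and version == bad_version:
                hits.append((ext_id, name, version))
    return hits


def build_sample_profile() -> Path:
    """Create a constructed Extensions tree (test fixture, not real data):
    one extension with the bad version and the clean successor side by side,
    using a localised name, plus an unrelated extension at the same version."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    ext_id = "a" * 32  # placeholder id; real ids are 32 lowercase letters
    for ver in ("24.10.4", "24.10.5"):
        vdir = root / ext_id / f"{ver}_0"
        (vdir / "_locales" / "en").mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(
            {"name": "__MSG_appName__", "version": ver, "default_locale": "en"}))
        (vdir / "_locales" / "en" / "messages.json").write_text(json.dumps(
            {"appName": {"message": "Cyberhaven (sample)"}}))
    other = root / ("b" * 32) / "1.0.0_0"
    other.mkdir(parents=True)
    (other / "manifest.json").write_text(json.dumps({"name": "Other", "version": "24.10.4"}))
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_EXTENSION_DIRS.get(sys.platform)
    if target is None:
        sys.exit("unsupported platform; pass the Extensions directory as an argument")
    for ext_id, name, version in find_compromised(target):
        print(f"COMPROMISED: {name} ({ext_id}) version {version}")
```

Run it with the path of a profile’s Extensions directory (or with no argument to use the platform default). Matching on the manifest version rather than the directory name matters because Chrome appends an install counter to the directory, and resolving `__MSG_*__` placeholders matters because many store extensions keep their display name in a locale file rather than in the manifest itself.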

Cyberhaven stated, ‘Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised.’

The malicious extension appears to target advertisers on Facebook.com: it collects Facebook access tokens, user IDs and account information via the Facebook API, together with business account and ad account details, and exfiltrates them.

‘In addition, the malicious code adds a mouse click listener for Facebook.com, so it can capture all images when users click on related pages. Based on how it processes the captured images, the code is likely looking for QR codes to bypass captchas and/or 2FA authorisation requests’, Cyberhaven says.

Cyberhaven has raised more than $136 million and was valued at $488 million when the company raised $88 million in a Series C funding round in June 2024.

In a LinkedIn post, Nudge Security co-founder and CTO Jaime Blasco noted that other Chrome extensions were also compromised, and threat actors created multiple fake domains in a short period of time, all hosted on the same IP address.

At least five other compromised Chrome extensions were identified, including Internxt VPN, VPNCity, Uvoice and ParrotTalks.

Source:
https://www.securityweek.com/several-chrome-extensions-compromised-in-supply-chain-attack/