Skip to content
Supply chainContained

Leak at Cyberhaven

On 25 Dec 2024, data-security firm Cyberhaven's Chrome extension was hijacked via a phishing attack and pushed a malicious update that exfiltrated cookies and session tokens from roughly 400,000 users over a 24-hour window.

Victim
Cyberhaven

On 25 December 2024, Cyberhaven β€” a US-based data-loss-prevention and insider-threat security vendor β€” disclosed that its official Chrome browser extension had been compromised in a supply-chain attack. An employee was tricked by a phishing email impersonating Google's Chrome Web Store support, which led them to authorize a malicious OAuth application ("Privacy Policy Extension"). This gave the attackers access to the company's developer account, from which they published a trojanized update of the Cyberhaven extension.

The poisoned version (v24.10.4) auto-propagated to roughly 400,000 users and was live from around 01:32 UTC on 25 December to 02:50 UTC on 26 December β€” timing chosen to coincide with the Christmas holiday when security teams were thinly staffed. The malicious code acted as an infostealer, injecting JavaScript into web pages to harvest authenticated sessions, with a particular focus on Facebook and AI-platform credentials.

Exposed / targeted data included:

  • Browser cookies and authenticated session tokens
  • Facebook access tokens, user IDs and account data
  • API keys for platforms such as OpenAI

Investigators later linked the incident to a broader campaign that compromised more than 30 other Chrome extensions, affecting an estimated 2.6 million users in total. Cyberhaven's security team detected and pulled the malicious build within about 60 minutes of discovery, published a verified clean release (v24.10.5), and urged affected users to rotate passwords, revoke and reissue API keys, and review account activity.

Sources

  1. lemagit.frhttps://www.lemagit.fr/actualites/366617606/Chaine-logistique-du-logiciel-Cyberhaven-touche-par-une-cyberattaque
  2. techcrunch.comhttps://techcrunch.com/2024/12/27/cyberhaven-says-it-was-hacked-to-publish-a-malicious-update-to-its-chrome-extension/
  3. securityweek.comhttps://www.securityweek.com/cyberhaven-chrome-extension-hack-linked-to-widening-supply-chain-campaign/
  4. blog.sekoia.iohttps://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/

Related incidents

Supply chainContained

Leak at Cybertek

On 12 September 2024, French computer-hardware retailer Cybertek disclosed a customer data breach stemming from a compromised shared IT provider, exposing names, email and postal addresses and phone numbers; passwords and payment data were not affected.

Victim
Cybertek