Targeted supply chain attack against Chrome browser extensions blog.sekoia.io/targeted-…
On 26 December 2024, the data security company Cyberhaven informed its users about a compromise of their Chrome browser extension. The attacker exploited the extension developer’s permissions, previously gained through a targeted phishing attack, to upload a malicious version of the Cyberhaven extension to the Chrome Web Store.
Investigations into the adversary’s infrastructure revealed that during December 2024, the threat actor compromised a dozen Chrome extensions, potentially affecting hundreds of thousands of end users. The malicious code injected into these compromised extensions aimed to harvest sensitive data from users’ web browsers. The targeted data include API keys, session cookies, and other authentication tokens from websites such as ChatGPT and Facebook for Business.
This blog post provides an overview of the supply chain attack, detailing the targeted phishing attacks and the malicious code added to the compromised extensions. Additionally, it shares insights into the adversary’s infrastructure, as well as recommendations for remediation and Indicators of Compromise (IoCs).