Attackers compromise accounts of admins, inject malicious code in multiple Chrome extensions
Take action: If you are running Chrome extensions by Internxt VPN, VPNCity, Uvoice, ParrotTalks or Cyberhaven, you may have been compromised. Remove the extensions, flush all browser data and reset the browsers. Then reset all your passwords and reinstall the latest versions of the plugins if you need them.
A security breach involving multiple Chrome extensions has exposed the user data of multiple companies. The most prominent extension was that of Cyberhaven - a data loss prevention company serving major clients including Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis.
The attack began on December 24, 2023, when threat actors executed a phishing attack targeting an administrator account for the Google Chrome store. The attackers used this access to publish a malicious version (24.10.4) of the Cyberhaven extension, incorporating code that could exfiltrate authenticated sessions and cookies to a malicious domain (cyberhavenext[.]pro).
Cyberhaven's security team removed the malicious package within an hour of detection. A clean version (24.10.5) was published on December 26. The company advises several remediation steps for affected users, including upgrading to the latest version, revoking non-FIDOv2 passwords, rotating API tokens, and reviewing browser logs for suspicious activity.
Further investigation by Nudge Security researcher Jaime Blasco revealed that this was part of a broader coordinated attack. The same malicious code snippet was injected into multiple other Chrome extensions around the same time, affecting:
- Internxt VPN (10,000 users) - A free, encrypted VPN extension
- VPNCity (50,000 users) - A privacy-focused VPN service
- Uvoice (40,000 users) - A rewards-based survey service
- ParrotTalks (40,000 users) - A text search and note-taking tool
The total number of potentially affected users across these extensions reaches 140,000, not including Cyberhaven's user base.
Users of any affected extension should remove it or upgrade to a version published after December 26, reset all passwords, clear browser data, and reset all browser settings to clean-install defaults.
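A local triage check built from the indicators in this article, added here as an example and not taken from the article, Cyberhaven or any vendor tooling: it walks a Chrome profile's Extensions directory, flags the listed products, marks Cyberhaven 24.10.4 as the known malicious release, and searches extension scripts for the exfiltration domain. The function names are hypothetical, and matching on the manifest name is an assumption, since the article gives no extension IDs.

```python
import json
import sys
from pathlib import Path

IOC_DOMAIN = "cyberhavenext.pro"          # written defanged in the article
BAD_VERSIONS = {"cyberhaven": "24.10.4"}  # the one malicious release it names
AFFECTED = ("cyberhaven", "internxtvpn", "vpncity", "uvoice", "parrottalks")

def read(path):  # hypothetical helper: unreadable files count as empty
    try:
        return path.read_text(encoding="utf-8-sig", errors="ignore")
    except OSError:
        return ""

def display_name(ext_dir, manifest):
    """Resolve a localized "__MSG_key__" name through the default locale."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        try:
            msgs = json.loads(read(ext_dir / "_locales" / locale / "messages.json"))
        except ValueError:
            return name
        for key, entry in msgs.items():
            if key.lower() == name[6:-2].lower():
                return entry.get("message", name)
    return name

def scan_extensions(root):
    """Return (extension_id, name, version, reason) tuples for every hit."""
    findings = []
    for mpath in sorted(Path(root).glob("*/*/manifest.json")):
        ext_dir, ext_id = mpath.parent, mpath.parent.parent.name
        try:
            manifest = json.loads(read(mpath))
        except ValueError:
            continue  # missing or corrupt manifest
        name, version = display_name(ext_dir, manifest), manifest.get("version", "")
        for product in AFFECTED:  # assumption: manifest name contains the product name
            if product in name.lower().replace(" ", ""):
                bad = BAD_VERSIONS.get(product) == version
                findings.append((ext_id, name, version, "known malicious version"
                                 if bad else "affected product, verify release date"))
        for js in sorted(ext_dir.rglob("*.js")):
            if IOC_DOMAIN in read(js):
                findings.append((ext_id, name, version, f"IoC domain in {js.name}"))
    return findings

if __name__ == "__main__":
    print(*scan_extensions(sys.argv[1]), sep="\n")
```

Pass it the `Extensions` folder of each Chrome profile, for example `~/.config/google-chrome/Default/Extensions` on Linux. An empty result only describes what is installed now, so it does not replace the password and token rotation described above.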