New Details Reveal How Hackers Hijacked 35 Google Chrome Extensions

Summary:
A phishing campaign has compromised at least 35 Chrome extensions, including one published by the cybersecurity firm Cyberhaven, by injecting malicious code into them to steal user data. Initial reports focused on Cyberhaven's extension, but further investigation found the same injected code in 35 extensions with a combined install base of roughly 2.6 million users. The campaign appears to have started around December 5, 2024, although the command-and-control subdomains identified by researchers date back to March 2024.

The attack begins with a phishing email sent to Chrome extension developers, falsely claiming that their extension's description violates Chrome Web Store policies. The email prompts the developer to click a "Go To Policy" button, which leads to a genuine Google login and consent page on Google's own domain. The page itself is legitimate; what it is requesting authorization for is an attacker-controlled OAuth application.

“The page is part of Google's standard authorization flow, designed for securely granting permissions to third-party apps to access specific Google account resources” (Bleeping Computer, 2025).

The OAuth application, named "Privacy Policy Extension," asks the victim to grant it permission to manage Chrome Web Store extensions on their behalf. Once granted, that permission lets the actors edit, update, or publish any Chrome Web Store extensions, themes, apps, and licenses the victim's account has access to, without ever needing the victim's password.

Security Officer Comments:
In the attack on Cyberhaven, the company stated that the targeted employee had Google Advanced Protection and MFA enabled. Despite these protections, the actors gained access to the employee's account and modified Cyberhaven's extension by injecting two malicious files ('worker.js' and 'content.js') designed to steal Facebook account data (Facebook ID, access token, account information, ad account information, and business accounts).

“Multi-factor authentication didn't help protect the account as direct approvals in OAuth authorization flows aren't required, and the process assumes the user fully understands the scope of permissions they're granting,” notes Bleeping Computer.

A notable aspect of the malicious code identified by Cyberhaven is a click event listener that monitors the victim's interactions on Facebook.com. Specifically, it targets QR code images associated with Facebook's two-factor authentication (2FA) or CAPTCHA mechanisms, which can then be used to bypass 2FA protections and take control of the victim's Facebook account.

Suggested Corrections:
Developers should treat unsolicited Chrome Web Store policy notices with suspicion and verify them through the developer dashboard rather than through links in the email. Because the consent page in this campaign is a genuine Google page, the URL alone is not a reliable signal; what matters is which application is asking and which scopes it requests, so any OAuth request to manage Chrome Web Store items should be refused unless the developer initiated it. MFA should remain enabled on all accounts, but it does not block this technique, since the attacker never needs the password: developers should also review the third-party apps that hold access to their Google account and revoke any they do not recognise, regularly review and update their extensions, keep a hash baseline of each published extension and compare it against what is live in the store, and monitor for unexpected new versions or files in their extension's source code.

IOCs:
https://www.cyberhaven.com/engineer...ysis-of-the-recent-malicious-chrome-extension

Link(s):
https://www.bleepingcomputer.com/ne...hackers-hijacked-35-google-chrome-extensions/