On Christmas Day, hackers breached the administrator account of the Swiss company Cyberhaven and pushed a malicious update for its Chrome browser extension. The company’s team removed the malicious version from the Chrome Web Store within an hour of detecting it.
However, browsers with the compromised extension remained vulnerable for more than a day. During this time, attackers could have stolen sensitive user data, including session credentials and cookies.
Cyberhaven representatives disclosed that one of their employees had fallen victim to an “advanced attack.” Independent researchers suspect the administrative account was compromised via a phishing email.
Cyberhaven specializes in assisting organizations in mitigating insider threats. Its browser extension serves as a key tool for monitoring and preventing data leaks during interactions with email, AI tools, and web applications.
The exact number of victims and the primary motive behind the attack remain unclear. The investigation is ongoing with support from Mandiant, a Google-owned cybersecurity firm, and federal law enforcement agencies.
Cyberhaven experts recommend that clients update the extension, rotate passwords and tokens, terminate active sessions, and review logs for suspicious activity. They advise against uninstalling the extension so that artifacts of the malicious code are preserved for analysis.
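The first step in that checklist, confirming whether an endpoint still carries the compromised extension version without removing anything, can be scripted against Chrome's on-disk extension layout. The following is an added example, not code from Cyberhaven or from the article; the extension ID and affected version are placeholders, since the article does not state them, and the sample inventory is constructed.

```python
"""Read-only inventory of Chrome extensions in a profile, flagging known-bad (id, version) pairs."""
import json
import sys
from pathlib import Path

# Placeholders: the article gives neither the extension ID nor the affected version;
# take both from the vendor advisory before running this against real profiles.
KNOWN_BAD = {"EXTENSION_ID_FROM_ADVISORY": {"COMPROMISED_VERSION_FROM_ADVISORY"}}


def scan_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>_<n>/manifest.json and return one
    record per installed version. Read-only: nothing is deleted, so artifacts
    stay in place for later forensic analysis."""
    records = []
    for manifest in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        version_dir = manifest.parent
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the sweep
        records.append({
            "id": version_dir.parent.name,
            "version": data.get("version", version_dir.name.split("_")[0]),
            "name": data.get("name", "?"),
            "update_url": data.get("update_url", ""),  # Web Store installs carry one
            "path": str(version_dir),
        })
    return records


def flag_compromised(records, known_bad=KNOWN_BAD):
    """Return only the records whose (id, version) pair is listed as compromised."""
    return [r for r in records if r["version"] in known_bad.get(r["id"], set())]


# Constructed sample standing in for scan_profile() output on one endpoint.
SAMPLE_INVENTORY = [
    {"id": "EXTENSION_ID_FROM_ADVISORY", "version": "COMPROMISED_VERSION_FROM_ADVISORY",
     "name": "Cyberhaven", "update_url": "https://clients2.google.com/service/update2/crx", "path": "x"},
    {"id": "EXTENSION_ID_FROM_ADVISORY", "version": "FIXED_VERSION_PLACEHOLDER",
     "name": "Cyberhaven", "update_url": "https://clients2.google.com/service/update2/crx", "path": "y"},
    {"id": "abcdefghijklmnopabcdefghijklmnop", "version": "1.0.0",
     "name": "Unrelated extension (constructed)", "update_url": "", "path": "z"},
]

if __name__ == "__main__":
    inventory = scan_profile(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INVENTORY
    for hit in flag_compromised(inventory):
        print(f"COMPROMISED VERSION PRESENT: {hit['name']} {hit['version']} at {hit['path']}")
```

Run it with a profile path (for example the `Default` directory under Chrome's user data folder) to sweep a real endpoint; with no argument it evaluates the constructed sample.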
In June 2024, Cyberhaven secured $88 million in funding during a round led by the American investment firm Adams Street Partners, valuing the company at $488 million. Its major clients include Canon, Reddit, and Motorola.
The attack exclusively affected devices running Chrome-based browsers updated via the Google Chrome Web Store. Security analysts note that other extensions could have been compromised using similar tactics. Researchers have identified more than a dozen suspicious domains linked to the attackers’ infrastructure.
According to cybersecurity expert Matt Johansen, this incident highlights how trusted security tools can be weaponized against users. The attack was strategically timed during the holiday season when security teams typically operate with reduced staff.
Johansen emphasizes that browser extensions should not be underestimated, as they have deep access to sensitive data, including authenticated sessions and confidential information. The automatic update feature for extensions allows attackers to rapidly distribute malicious code to all users once the distribution channel is compromised.