Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident.
An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said the hackers compromised a company account to publish a malicious update to its Chrome extension in the early morning of December 25. The email said that for customers running the compromised browser extension, “it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain.”
Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.
In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after.
Cyberhaven offers products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor for potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has around 400,000 corporate customer users at the time of writing.
When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.
According to the email that Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user’s browser can be used to log in to that account without needing their password or two-factor code, effectively allowing hackers to bypass those security measures.)
The email does not specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and Cyberhaven’s spokesperson declined to specify when asked by TechCrunch.
According to the email, the compromised company account was the “single admin account for the Google Chrome Store.” Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account compromise. The company said in its brief statement that it has “initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings.”
Cyberhaven said it’s hired an incident response firm, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”
Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised as apparently part of the same campaign, including several extensions with tens of thousands of users.
Blasco told TechCrunch that he is still investigating the attacks and believes at this point that there were more extensions compromised earlier this year, including some related to AI, productivity, and VPNs.
“It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers,” said Blasco. “I think they went after the extensions that they could based on the developers’ credentials that they had.”
In its statement to TechCrunch, Cyberhaven said that “public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies.” At this point it’s unclear who is responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.
