Executive Summary
Cyberhaven has announced that its Chrome extension was compromised on December 25, 2024, after a phishing attack on an administrator account allowed attackers to upload a malicious update (v24.10.4) to the Chrome Web Store. The compromised extension exfiltrated cookies, session tokens, and sensitive user data to an attacker-controlled domain, potentially enabling account takeovers. Cyberhaven’s security team detected and removed the malicious update within 60 minutes of discovery, and a verified clean version (v24.10.5) was subsequently released. This incident is part of a broader campaign affecting multiple Chrome extensions, highlighting significant risks in software supply chains.
Community Impact
The compromise of the Cyberhaven extension poses significant risks to the retail and hospitality sectors, as many organizations rely on browser extensions for day-to-day online operations and data security. Malicious extensions could allow attackers to exfiltrate sensitive customer information, including payment details and personal data, leading to data breaches and compliance violations. These industries also face operational risks if compromised extensions enable attackers to disrupt workflows or hijack employee accounts. Given the scale of the compromise, RH-ISAC Core Members should reevaluate the security of third-party extensions to avoid potential financial losses and reputational damage. Organizations are also advised to implement version pinning to prevent unauthorized updates and to ingest the indicators of compromise (IOCs) included below.
Technical Analysis
The Cyberhaven compromise began with a phishing attack targeting an administrator, granting the attacker access to upload a malicious update (v24.10.4) to the Chrome Web Store. The malicious extension injected content scripts that exfiltrated cookies, session tokens, and user credentials to an attacker-controlled domain, leveraging permissions typically used for data loss prevention. The attack primarily targeted logins to social media advertising and AI platforms.
Once the malicious update was released, it automatically propagated to approximately 400,000 users, exploiting the auto-update mechanism of Chrome extensions. The attacker used configuration files to dynamically adjust targets, demonstrating sophisticated command-and-control capabilities. Cyberhaven’s detection and removal of the compromised version limited the attack’s duration, but the incident exposed broader vulnerabilities in the browser extension ecosystem.
The compromise is part of a larger campaign affecting at least 16 Chrome extensions, with over a million estimated infections. The use of phishing to compromise developers and the subsequent propagation of malicious code through trusted updates exemplifies the risks inherent in software supply chains.
List of Affected Compromised Extensions
Secure Annex has provided a list of confirmed compromised extensions, with affected version, number of users, last update, and exploitation status below.
| Extension | Affected version | Users | Last updated | Exploitation status |
|---|---|---|---|---|
| VPNCity | 2.0.1 | 10,000 | December 12, 2024 | Confirmed |
| Parrot Talks | 1.16.2 | 40,000 | December 25, 2024 | Confirmed |
| Uvoice | 1.0.12 | 40,000 | December 26, 2024 | Confirmed |
| Internxt VPN – Free, Encrypted & Unlimited VPN | 1.1.1 | 10,000 | December 25, 2024 | Confirmed; patched in 1.2.0 on December 29, 2024 |
| Bookmark Favicon Changer | 4.00 | 40,000 | December 25, 2024 | Confirmed |
| Castorus | 4.40 | 50,000 | December 26, 2024 | Confirmed; patched in 4.4.1 on December 27, 2024 |
| Wayin AI | 0.0.11 | 40,000 | December 19, 2024 | Confirmed |
| Search Copilot AI Assistant for Chrome | 1.0.1 | 20,000 | July 17, 2024 | Confirmed |
| VidHelper – Video Downloader | 2.2.7 | 20,000 | December 26, 2024 | |
| AI Assistant – ChatGPT and Gemini for Chrome | 0.1.3 | 4,000 | May 31, 2024 | Confirmed; removed from the Chrome Web Store on October 25, 2024 |
| Vidnoz Flex – Video recorder & Video share | 1.0.161 | 6,000 | December 25, 2024 | Confirmed; removed from the Chrome Web Store on December 29, 2024 |
| TinaMind – The GPT-4o-powered AI Assistant! | 2.13.0 | 40,000 | December 15, 2024 | Confirmed; patched in 2.13.1 on December 20, 2024, now 2.14.0 as of December 21, 2024 |
| Bard AI chat | 1.3.7 | 100,000 | September 5, 2024 | Confirmed; removed from the Chrome Web Store on October 22, 2024 |
| Reader Mode | 1.5.7 | 300,000 | December 18, 2024 | Confirmed; patched in 1.5.8 on December 18, 2024, removed from the Chrome Web Store on December 19, 2024 |
| Primus (prev. PADO) | 3.18.0 | 40,000 | December 18, 2024 | Confirmed; patched in 3.20.0 on December 25, 2024 |
| Tackker – online keylogger tool | 1.3 | 10,000 | December 25, 2024 | Confirmed; version 1.3 released October 6, 2023, patched in 1.4 on August 13, 2024 |
| AI Shop Buddy | 2.7.3 | 4,000 | April 30, 2024 | Confirmed; two versions of compromised code present, and the updated version 2.7.5 still contains both |
| Sort by Oldest | 1.4.5 | 2,000 | January 11, 2024 | Confirmed |
| Rewards Search Automator | 1.4.9 | 100,000 | May 4, 2024 | Confirmed; two versions of compromised code present, and version 1.5.0 (published August 26, 2024) removed only one of them |
| Earny – Up to 20% Cash Back | 1.8.1 | 10,000 | April 5, 2023 | Confirmed |
| ChatGPT Assistant – Smart Search | 1.1.1 | 189 | February 12, 2024 | Confirmed |
| Keyboard History Recorder | 2.3 | 5,000 | July 29, 2024 | Confirmed |
| Email Hunter | 1.4.4 | 100,000 | September 17, 2024 | Confirmed; likely region-blocking the United States |
| Visual Effects for Google Meet | 3.1.3 | 900,000 | June 13, 2023 | Confirmed; version 3.1.3 released June 13, 2023, patched in 3.2.4 released January 10, 2024 |
| GPT 4 Summary with OpenAI | 1.4 | 10,000 | May 31, 2024 | Confirmed; removed from the Chrome Web Store on September 29, 2024 |
| GraphQL Network Inspector | 2.22.6 | 80,000 | December 29, 2024 | Confirmed; patched in 2.22.7 on December 30, 2024 |
| YesCaptcha assistant | 1.1.61 | 200,000 | December 29, 2024 | Confirmed |
| Proxy SwitchyOmega (V3) | 3.0.2 | 10,000 | December 30, 2024 | Confirmed |
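As an added example (not code from the advisory, Cyberhaven, or Secure Annex), the following Python script checks the extensions installed in a Chrome profile against a subset of the name/version pairs from the list above, resolving localized `__MSG_…__` manifest names so they can be compared. The sample profile it builds, the 32-character extension IDs in it, and the manifest name "Cyberhaven security extension" are constructed for the demonstration; matching by name is a heuristic, since the affected extension IDs are not given here.

```python
import json
import tempfile
from pathlib import Path

# (name fragment, version) pairs copied from the list above (a subset; extend it from the list).
# A hit needs a case-insensitive name match AND an exact version; IDs would be a better key but are not on the page.
AFFECTED = {("cyberhaven", "24.10.4"), ("vpncity", "2.0.1"), ("parrot talks", "1.16.2"),
            ("reader mode", "1.5.7"), ("graphql network inspector", "2.22.6"),
            ("proxy switchyomega", "3.0.2"), ("yescaptcha", "1.1.61")}

def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve a localized '__MSG_key__' name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs_path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs_path.is_file():
            msgs = json.loads(msgs_path.read_text(encoding="utf-8-sig"))
            name = msgs.get(name[6:-2], {}).get("message", name)
    return name

def scan_profile(profile_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return affected installs."""
    hits = []
    for manifest_path in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the scan
        name, version = resolve_name(ext_dir, manifest), manifest.get("version", "")
        if any(frag in name.lower() and version == bad for frag, bad in AFFECTED):
            hits.append({"id": ext_dir.parent.name, "name": name, "version": version})
    return hits

def build_sample_profile(root: Path) -> Path:
    """Constructed sample profile: one affected install (localized name) and one clean one."""
    bad = root / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "24.10.4_0"
    (bad / "_locales" / "en").mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "default_locale": "en", "version": "24.10.4"}))
    (bad / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Cyberhaven security extension"}}))
    good = root / "Extensions" / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "1.5.8_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "Reader Mode", "version": "1.5.8"}))
    return root

def demo() -> list[dict]:
    """Scan a freshly built sample profile; on a real host pass e.g. ~/.config/google-chrome/Default."""
    return scan_profile(build_sample_profile(Path(tempfile.mkdtemp())))
```

On a real host, call `scan_profile` once per Chrome profile directory (the `Default` and `Profile N` folders under the Chrome user data directory) and report any hit by its extension ID, which is the value to use when blocking or force-removing it via enterprise policy.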
Indicators of Compromise
Secure Annex has also provided related IOCs for the confirmed compromised extensions, which are included below for RH-ISAC Core Member awareness and ingestion: