A targeted phishing attack on Cyberhaven, a cybersecurity startup, compromised its Chrome browser extension, the company disclosed on Thursday.
The breach affected machines running Chrome-based browsers that downloaded the malicious version of the extension (24.10.4) between 1:32 a.m. UTC on December 25 and 2:50 a.m. UTC on December 26.
Cyberhaven CEO Howard Ting said, “We removed the malicious package within 60 minutes of detection,” adding that the attack aimed to steal Facebook Ads access tokens.
The breach originated from a phishing email targeting a developer, who inadvertently authorized a malicious Google OAuth application.
This allowed attackers to replace the legitimate extension with a modified, malicious version.
Cyberhaven has engaged Mandiant to investigate and is cooperating with federal authorities.
Cybersecurity researcher Jaime Blasco linked the attack to a broader campaign affecting multiple Chrome extensions, including VPNCity and Internxt VPN.
The compromised extension has been patched in version 24.10.5.