Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven’s Chrome extension. Public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies. We want to share the full details of the incident and steps we’re taking to protect our customers and mitigate any damage. I’m proud of how quickly our team reacted, with virtually everyone in the company interrupting their holiday plans to serve our customers, and acting with the transparency that is core to our company values.
Last updated January 2, 2025
More resources:
- Cyberhaven’s preliminary analysis of the recent malicious Chrome extension
- Cyberhaven releases open source tools to detect broad-based Chrome extension attack
What Happened
In December 2024, cybersecurity researchers from ExtensionTotal and independent analysts uncovered a breach affecting 35 Chrome extensions, compromising the security of approximately 2.6 million users. The attack stemmed from a sophisticated phishing campaign targeting extension developers.
Among the 35 compromised extensions, some of the most popular included Cyberhaven Security Extension (approximately 400,000 users) and VPNCity (over 50,000 users).
Cyberhaven is a data loss prevention (DLP) tool designed for enterprise environments. The breach was first detected when users noticed unusual behaviour in one of the affected extensions. This behaviour included unauthorised data exfiltration targeting Facebook authentication tokens and cookies, as well as unexpected account activities. These irregularities prompted an investigation by ExtensionTotal, a browser security monitoring platform.
The attackers used fake Google login pages to trick developers into divulging their credentials. Developers received emails falsely claiming their extensions violated Chrome Web Store policies. These messages directed recipients to a counterfeit “Go To Policy” page, which mimicked a legitimate Google login screen. Upon entering their credentials, the attackers gained full access to the developers’ accounts.
Once inside, the attackers uploaded malicious updates to the extensions, turning trusted tools into data-stealing mechanisms. These compromised extensions harvested sensitive user data, including Facebook login credentials and browser cookies. This meant that anyone who installed these extensions risked having their Facebook accounts accessed without their permission. Attackers could potentially take over these accounts to post unauthorised content, send messages, or change account settings, creating significant risks for affected users.
This incident raised concerns about Chrome’s defences, particularly the ability of attackers to bypass certain security protocols, highlighting the need for enhanced safeguards. The attack has serious implications for organizations that rely on extensions to secure their data, monitor user activity, or facilitate secure browsing. As companies increasingly adopt cloud-based tools and integrated work environments, the breach of a critical extension like Cyberhaven exposes corporate networks to substantial risks. A compromised extension may not only affect individual users but could also open broader attack vectors within an organization.
Affected Extensions
Dan Goodin, Senior Security Editor at Ars Technica, compiled a list of the affected extensions. The following table lists 33 extensions that were compromised, affecting millions of users. This list includes both extensions like Cyberhaven, which is critical for enterprise security, and other popular tools used by individual users.
| Name | ID | Version | Patched Version | Patch Available | Users | Start Date | End Date |
|---|---|---|---|---|---|---|---|
| VPNCity | nnpnnpemnckcfdebeekibpiijlicmpom | 2.0.1 | | FALSE | 10,000 | 12/12/24 | 12/31/24 |
| Parrot Talks | kkodiihpgodmdankclfibbiphjkfdenh | 1.16.2 | | TRUE | 40,000 | 12/25/24 | 12/31/24 |
| Uvoice | oaikpkmjciadfpddlpjjdapglcihgdle | 1.0.12 | | TRUE | 40,000 | 12/26/24 | 12/31/24 |
| Internxt VPN | dpggmcodlahmljkhlmpgpdcffdaoccni | 1.1.1 | 1.2.0 | | 10,000 | 12/25/24 | 12/29/24 |
| Bookmark Favicon Changer | acmfnomgphggonodopogfbmkneepfgnh | 4.00 | | TRUE | 40,000 | 12/25/24 | 12/31/24 |
| Castorus | mnhffkhmpnefgklngfmlndmkimimbphc | 4.40 | 4.41 | TRUE | 50,000 | 12/26/24 | |
| Wayin AI | cedgndijpacnfbdggppddacngjfdkaca | 0.0.11 | | TRUE | 40,000 | 12/19/24 | 12/31/24 |
| Search Copilot AI Assistant for Chrome | bbdnohkpnbkdkmnkddobeafboooinpla | 1.0.1 | | TRUE | 20,000 | 7/17/24 | 12/31/24 |
| VidHelper – Video Downloader | egmennebgadmncfjafcemlecimkepcle | 2.2.7 | | TRUE | 20,000 | 12/26/24 | 12/31/24 |
| Cyberhaven security extension V3 | pajkjnmeojmbapicmbpliphjmcekeaac | 24.10.4 | 24.10.5 | TRUE | 400,000 | 12/24/24 | |
One of the compromised extensions, Reader Mode, was part of a separate campaign that began as early as April 2023. The source of the compromise appears to be a code library that developers can use to monetize their extensions. This library collects data about each web visit made by the user, in exchange for which the developers receive a commission. This compromise affected several other extensions as well.
| Name | ID | Version | Patched Version | Patch Available | Users | Start Date | End Date |
|---|---|---|---|---|---|---|---|
| Reader Mode | llimhhconnjiflfimocjggfjdlmlhblm | 1.5.7 | | FALSE | 300,000 | 12/18/24 | 12/19/24 |
| Tackker – online keylogger tool | ekpkdmohpdnebfedjjfklhpefgpgaaji | 1.3 | 1.4 | TRUE | 10,000 | 10/6/23 | |
| AI Shop Buddy | epikoohpebngmakjinphfiagogjcnddm | 2.7.3 | | TRUE | 4,000 | 4/30/24 | |
| Rewards Search Automator | eanofdhdfbcalhflpbdipkjjkoimeeod | 1.4.9 | | TRUE | 100,000 | 5/4/24 | |
| ChatGPT Assistant – Smart Search | bgejafhieobnfpjlpcjjggoboebonfcg | 1.1.1 | | TRUE | 189 | 2/12/24 | |
The Reader Mode extension is one of 13 Chrome extensions known to have used this library to collect potentially sensitive data. These extensions collectively had 1.14 million installations.
Impact and Scope
The incident was limited in both scope and duration:
- Only version 24.10.4 of our Chrome extension was affected
- The malicious code was active between 1:32 AM UTC on December 25 and 2:50 AM UTC on December 26
- Only Chrome-based browsers that auto-updated during this period were impacted
- Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised
- For browsers running the compromised extension during this period, the malicious code could have exfiltrated cookies and authenticated sessions for certain targeted websites.
- While the investigation is ongoing, our initial findings show the attacker was targeting logins to specific social media advertising and AI platforms.
Required Actions
For customers running version 24.10.4 of our Chrome extension during the affected period (December 24-26, 2024), we strongly recommend:
- Confirm whether any of your browsers are running Cyberhaven Chrome extension version 24.10.4 and force an update to version 24.10.5 (currently available in the Chrome Web Store) or newer.
- Rotate Facebook personal and business account passwords for accounts on impacted machines.
- Review all logs to verify no outbound connections to the attacker’s domain or other malicious activity.
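As an added example (not Cyberhaven's own detection tooling, and not the open source tools linked above), the following Python script walks a Chrome profile's Extensions directory and flags installed builds whose extension ID and manifest version match the tables on this page; the temporary profile fixture, the all-"a" placeholder extension ID and the status labels are constructed for the example.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs and compromised versions taken from the tables on this page.
COMPROMISED = {
    "pajkjnmeojmbapicmbpliphjmcekeaac": {"24.10.4"},  # Cyberhaven security extension V3
    "nnpnnpemnckcfdebeekibpiijlicmpom": {"2.0.1"},    # VPNCity
    "llimhhconnjiflfimocjggfjdlmlhblm": {"1.5.7"},    # Reader Mode
}

def scan_profile(profile_dir):
    """Return sorted (extension_id, version, status) tuples for one Chrome profile.
    Chrome unpacks each extension as <profile>/Extensions/<32-char id>/<version>_<n>/manifest.json
    (e.g. ~/.config/google-chrome/Default on Linux). status: 'compromised' if id and version
    match the table, 'listed-other-version' if only the id matches, else 'not-listed'."""
    findings = []
    for manifest in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        if len(ext_id) != 32:
            continue
        try:  # trust the manifest's version field, not the directory name
            version = str(json.loads(manifest.read_text("utf-8")).get("version", ""))
        except (OSError, ValueError):
            continue
        if ext_id not in COMPROMISED:
            status = "not-listed"
        elif version in COMPROMISED[ext_id]:
            status = "compromised"
        else:
            status = "listed-other-version"
        findings.append((ext_id, version, status))
    return sorted(findings)

def build_sample_profile():
    """Constructed fixture: one affected, one patched and one unrelated extension build."""
    root = Path(tempfile.mkdtemp(prefix="chrome-profile-"))
    builds = [("pajkjnmeojmbapicmbpliphjmcekeaac", "24.10.4"),
              ("pajkjnmeojmbapicmbpliphjmcekeaac", "24.10.5"),
              ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.0")]  # placeholder id, not a real extension
    for ext_id, version in builds:
        build_dir = root / "Extensions" / ext_id / f"{version}_0"
        build_dir.mkdir(parents=True)
        (build_dir / "manifest.json").write_text(json.dumps({"version": version}), "utf-8")
    return root

if __name__ == "__main__":
    for ext_id, version, status in scan_profile(build_sample_profile()):
        print(f"{status:21} {ext_id} {version}")
```

Point scan_profile() at each real profile directory on a host (for example ~/.config/google-chrome/Default on Linux or %LOCALAPPDATA%\Google\Chrome\User Data\Default on Windows) and treat any 'compromised' result as a machine whose Facebook and other session credentials should be rotated per the actions above.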