Cyberhaven Chrome Extension Hijacked to Deliver Credential-Stealing Update
Cyberhaven said attackers compromised its Google Chrome extension publishing process and pushed a malicious update that could steal credentials and other sensitive browser data from affected users. Reporting indicates the trojanized extension targeted logged-in sessions and authentication material, with the incident drawing attention because Cyberhaven is itself a cybersecurity company. The compromise affected the company's browser extension distributed through the Chrome Web Store, turning a trusted security tool into a delivery mechanism for data theft.
Follow-up reporting and incident write-ups said the malicious version was removed and replaced after discovery, while customers were urged to identify impacted endpoints, revoke exposed credentials, rotate passwords, and review browser activity for signs of session or token theft. The case highlights a software supply-chain style attack against browser extensions, where attackers abused a vendor's update channel to distribute malware under the guise of a legitimate signed release.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Reports link Cyberhaven incident to 35-extension hijacking campaign
Security reporting said the same operation had compromised at least 35 Chrome extensions affecting roughly 2.6 million users. The reports also described a fake Chrome Web Store policy email lure that tricked developers into authorizing a malicious OAuth app, enabling attackers to publish tampered extensions aimed at stealing Facebook-related tokens and account data.
Cyberhaven discloses incident and publishes customer guidance
Cyberhaven publicly confirmed that its Chrome extension had been compromised and advised customers to rotate passwords, revoke tokens, and review logs for suspicious activity. Security reporting also highlighted that the campaign may have affected other Chrome extensions through similar publisher-account compromises.
Cyberhaven detects compromise and removes malicious extension
Cyberhaven identified the unauthorized extension update, revoked the attacker's access, and removed the malicious version from distribution. The company began incident response and notified customers about the compromise.
Malicious Cyberhaven Chrome extension update published
Using the compromised publisher account, the attacker published a malicious version of Cyberhaven's Chrome extension that was designed to exfiltrate sensitive data, including authenticated sessions and credentials from affected users. Reporting indicates the malicious update was available through the Chrome Web Store before it was detected and removed.
Threat actor compromises Cyberhaven employee account via phishing
Cyberhaven said the incident began when a threat actor successfully phished an employee and used the stolen credentials to access the company's Chrome Web Store publisher account. This access enabled the attacker to tamper with the Cyberhaven browser extension release process.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
New details reveal how hackers hijacked 35 Google Chrome extensions
bleepingcomputer.com
Open sourceCybersecurity firm's Chrome extension hijacked to steal users' data
bleepingcomputer.com
Open sourceCyber firm's Chrome extension hijacked to steal user passwords | TechCrunch
techcrunch.com
Open sourceCyberhaven Extension Compromise | Annex Blog
secureannex.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious Chrome Extensions Used for Credential Theft and Website Spoofing
Security researchers reported a surge in **malicious Chrome extensions** abusing high-privilege browser permissions to steal credentials and hijack authenticated sessions. LayerX identified at least **16 ChatGPT-related extensions** that mimic legitimate productivity tools and brands, then inject scripts into `chatgpt.com` to monitor outbound web requests and **exfiltrate authorization details and session tokens** to attacker-controlled infrastructure. With stolen tokens, attackers can impersonate victims’ ChatGPT sessions and potentially access connected data sources (e.g., integrations with *Slack* and *GitHub*), expanding impact beyond the AI service itself. Separately, Varonis documented a **malware-as-a-service** browser-extension toolkit dubbed **Stanley** being sold on Russian-language cybercrime forums, marketed to enable large-scale credential theft by **showing a phishing site while the URL bar continues to display the legitimate domain**. The toolkit uses a web-based control panel to configure per-victim “source” (legitimate) and “target” (phishing) URLs, then overlays a full-screen iframe to spoof the destination site; the seller also claims “guaranteed” placement in the **Chrome Web Store**, increasing the likelihood of user installation and enterprise exposure.
Jun 29, 2026
Malicious Chrome Extensions Used for Data Theft via Ownership Transfers and Impersonation
Multiple **malicious Chrome/Chromium extensions** were identified abusing the Chrome Web Store to steal data from users and enterprises. Two previously legitimate extensions—**QuickLens** (`kdenlnncndfnhkognokgfpabgkgehodd`) and **ShotBird** (`gengfhhkjekmlejbhmmopegofnoifnjp`)—reportedly turned malicious after **ownership transfers**, enabling downstream compromise through injected code and data harvesting. In the QuickLens case, researchers reported the malicious update preserved expected functionality while adding capabilities to **strip security headers** (e.g., `X-Frame-Options`) and facilitate script injection that can bypass **Content Security Policy (CSP)** protections, expanding the attacker’s ability to make cross-domain requests and collect sensitive information. Separately, Microsoft reported a campaign of **counterfeit “AI assistant” browser extensions** distributed via the Chrome Web Store (and therefore also impacting Microsoft Edge environments that allow Chrome extensions), which allegedly affected **20,000+ enterprise tenants** and amassed roughly **900,000 installs**. These extensions impersonated legitimate AI productivity tools and harvested **ChatGPT/DeepSeek conversation histories**, visited URLs, and browsing telemetry, staging data for exfiltration to attacker-controlled infrastructure. Another Chrome Web Store threat involved a fake **imToken**-branded extension (“lmΤoken Chromophore”) that masqueraded as a benign tool but redirected victims to phishing infrastructure to steal **seed phrases and private keys**, using tactics like hardcoded remote configuration (via JSONKeeper) and decoy navigation to the legitimate `token.im` site after credential capture.
Jun 29, 2026
Malicious Browser Extensions Used for Enterprise Backdoors and Session Hijacking
Security researchers reported multiple **malicious browser-extension** campaigns abusing official extension stores and search-driven lures to compromise enterprise users. Huntress documented a Chrome Web Store extension, **“NexShield – Advanced Web Guardian”** (a near-clone of *uBlock Origin Lite*), distributed via search/advertising redirection and designed to intentionally “freeze” the browser and present a fake **CrashFix** security prompt that instructs users to paste and run commands via `Win + R`; this social-engineering step results in installation of a previously undocumented Windows RAT dubbed **ModeloRAT** on domain-joined endpoints. Reporting also tied the delivery to a traffic distribution system (**KongTuke**, also tracked as **404 TDS/TAG-124** and other aliases) used to profile victims and route them to payload delivery infrastructure that has been leveraged by other criminal operations, including ransomware affiliates. Separately, Socket.dev analysis described **five coordinated Chrome extensions** targeting enterprise SaaS platforms (**Workday, NetSuite, SuccessFactors**) to enable account takeover via **session hijacking**, including continuous token theft and **bidirectional cookie injection** that can bypass MFA by replaying stolen session cookies. In parallel, Malwarebytes reported “sleeper” extension campaigns attributed to **DarkSpectre** (including **GhostPoster** and **ShadyPanda**) that turned previously benign extensions malicious after updates and used **steganography** (JavaScript hidden in extension images) to evade detection across **Edge, Chrome, and Firefox**, with large download counts and long dwell time. A separate Nextron Systems report described a related distribution pattern—malicious “free converter” apps promoted via **malicious Google ads** and made to look legitimate with **code-signing certificates**—highlighting the broader trend of search/advertising-driven initial access leading to persistent RAT deployment, though it is not the same extension-specific incident as the NexShield/CrashFix chain.
Jun 29, 2026