- A major security breach has hit Chrome browser extensions affecting 16 popular tools.
- The attack on 16 Chrome browser extensions exposed over 600,000 users to potential data theft.
- The attack started in December 2024 and targeted extension developers through phishing campaigns.
In a recent wave of cyberattacks, hackers have compromised at least 16 popular Chrome browser extensions, leaving over 600,000 users vulnerable to data theft and privacy breaches.
The attack, which began in mid-December, exploited browser extensions by injecting malicious code to harvest sensitive user data, including cookies, access tokens, and account credentials.
The attack first came to light when Cyberhaven, a data security company, discovered on Christmas Eve that its Chrome extension had been compromised. What appeared to be an isolated incident quickly became part of a larger coordinated campaign that targeted extension developers with sophisticated phishing attacks.
Cyberhaven: The first victim
Cyberhaven, a cybersecurity company based in California, was one of the first to detect the breach. On December 24, attackers exploited its browser extension and injected malicious code that communicated with an external Command and Control (C&C) server located on a suspicious domain. This server enabled the theft of data, including tokens for Facebook business accounts.
16 Chrome extensions attacked
Cybersecurity experts have confirmed that this was not an isolated incident. Several other extensions have been similarly compromised. Some of the affected extensions include:
- AI Assistant for ChatGPT and Gemini
- Bard AI Chat Extension
- GPT 4 Summary
- Search Copilot AI Assistant
- TinaMind AI Assistant
- Wayin AI
- VPNCity
- Internxt VPN
- Vindoz Flex Video Recorder
- VidHelper Video Downloader
- Bookmark Favicon Changer
- Castorus
- Uvoice
- Reader Mode
- Parrot Talks
- Primus
These extensions spanned various categories, targeting users across AI, VPN, and productivity platforms.
Status of 16 hijacked Chrome extensions
While some extensions have already been updated or removed from the Chrome Web Store, experts warn that users remain at risk if compromised versions are still active on their browsers.
Cyberhaven swiftly released a secure update for its extension, version 24.10.5, to prevent future incidents. Other affected developers have taken similar actions.
“We have yet to see any other websites targeted, which makes us believe that this attack was a generic, non-targeted attack aimed at facebook.com advertising users,” Cyberhaven said.
What should affected Chrome extension users do?
Or Eshed, CEO of LayerX Security, says, “Browser extensions often have access to sensitive user information like cookies, access tokens, and identity data. Many organizations don’t track their installed extensions or know their security risks.”
To protect against the Chrome extension threat, we advise you to update browser extensions to the latest versions frequently and monitor browser activity for unusual behavior.
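One way to check a machine for the extensions named above, added here as an example and not taken from the original article or any vendor: the script walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` files, resolves localized names, and reports the installed version of any match. It assumes the names in the article's list match the extensions' display names and that the profile directory path is supplied by the user.

```python
import json
import sys
from pathlib import Path

# Names as listed in the article (assumption: they match the display names
# in the installed manifests). Matching is case-insensitive.
AFFECTED = {n.lower() for n in [
    "AI Assistant for ChatGPT and Gemini", "Bard AI Chat Extension", "GPT 4 Summary",
    "Search Copilot AI Assistant", "TinaMind AI Assistant", "Wayin AI", "VPNCity",
    "Internxt VPN", "Vindoz Flex Video Recorder", "VidHelper Video Downloader",
    "Bookmark Favicon Changer", "Castorus", "Uvoice", "Reader Mode", "Parrot Talks",
    "Primus",
]}

def display_name(version_dir, manifest):
    """Resolve the name, following __MSG_key__ into _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()  # i18n message keys are case-insensitive
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            return name  # keep the placeholder if the locale file is unreadable
        for k, v in messages.items():
            if k.lower() == key and isinstance(v, dict):
                return v.get("message", name)
    return name

def audit(profile_dir):
    """Return sorted (extension_id, version, name) for installed extensions on the list."""
    hits = []
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # malformed manifest: skip it rather than abort the scan
        name = display_name(manifest_path.parent, manifest)
        if name.strip().lower() in AFFECTED:
            hits.append((manifest_path.parts[-3], manifest.get("version", "?"), name))
    return sorted(hits)

if __name__ == "__main__":
    for ext_id, version, name in audit(sys.argv[1]):
        print(f"{name}  version={version}  id={ext_id}")
```

Run it once per profile directory (for example `Default` under the Chrome user data folder) and compare each reported version with the latest one in the Chrome Web Store.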
Chandramohan Rajput is the Senior Editor of Extension Garden, where he has been covering Chrome extensions, tech news, and in-depth how-tos since 2019. When he's not exploring new tech, you can find him playing cricket or immersed in Counter-Strike 2.