While you’re wrapping presents or spending time with friends and family at Christmas, hackers are busy looking for ways to steal your data. Reuters reported that several companies have recently had their Chrome browser extensions hijacked by cybercriminals, including data protection company Cyberhaven on December 24.

“On December 24, a phishing attack compromised Cyberhaven employees’ credentials to the Google Chrome Web Store,” Cyberhaven CEO Howard Ting said on the company’s blog. “The attacker used these credentials to publish a version of our Chrome extension (version 24.10.4). Our security team detected this compromise at 11:54 PM UTC on December 25th and removed the malicious package within 60 minutes.”

Ting said the only browsers affected were Chrome-based browsers that automatically updated while the malicious code was active, from 1:32 AM UTC on December 25 to 2:50 AM UTC on December 26. All users affected by the hack were notified by Cyberhaven on December 26, and the team has since released a secure version of the extension.

Unfortunately, this is not an isolated incident for Chrome extensions.

Nudge Security co-founder Jaime Blasco told Reuters that hackers have hijacked other browser extensions, showing this is part of a larger attack. On X, Blasco pointed to several other extensions with malicious code found in the Chrome Web Store:

  • Internxt VPN – Free, Encrypted & Unlimited VPN (10,000 users)
  • VPNCity – Fast & Unlimited VPN | Unblocker (50,000 users)
  • Uvoice (40,000 users)
  • ParrotTalks (40,000 users)

Even that is just the tip of the iceberg. In a lengthy blog post that is still regularly updated, cybersecurity practitioner John Tuckner found more extensions containing known malicious code (via Computer Bleeps): Bookmark Favicon Changer, Castorus, Wayin AI, Search Copilot AI Assistant, VidHelper, Vidnoz Flex, TinaMind, Primus, AI Shop Buddy, Sort by Oldest, Earny, ChatGPT Assistant, Keyboard History Recorder, and Email Hunter.

If you use one of these extensions, you should check to see if they have been updated recently and if the developer is aware of this attack. Either way, you might want to reset all of your passwords if you think there’s a chance you’ve been compromised.
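To make that check concrete, here is an added example (not from the article or from any of the companies named) that inventories a Chrome profile's `Extensions` folder and flags installs whose display name starts with one of the names listed above, or that match the one malicious version the article gives (Cyberhaven 24.10.4). It assumes the usual on-disk layout of `<extension id>/<version>/manifest.json`; because the article gives no extension IDs it matches on names only, so a hit is a prompt to review the extension, not proof of compromise.

```python
import json
import sys
from pathlib import Path
# Extension names listed in the article (lower-cased, matched as prefixes).
FLAGGED_NAMES = [
    "internxt vpn", "vpncity", "uvoice", "parrottalks", "castorus", "wayin ai",
    "bookmark favicon changer", "search copilot ai assistant", "vidhelper",
    "vidnoz flex", "tinamind", "primus", "ai shop buddy", "sort by oldest",
    "earny", "chatgpt assistant", "keyboard history recorder", "email hunter",
]
# The one malicious version the article gives: Cyberhaven 24.10.4.
BAD_VERSIONS = {"cyberhaven": "24.10.4"}

def display_name(version_dir, manifest):
    """Resolve a localized '__MSG_key__' manifest name via _locales."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        msgs = version_dir / "_locales" / locale / "messages.json"
        try:
            table = json.loads(msgs.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            return name
        wanted = name[6:-2].lower()  # message keys are case-insensitive
        for key, entry in table.items():
            if key.lower() == wanted:
                return entry.get("message", name)
    return name

def scan(extensions_dir):
    """Return (ext_id, name, version, reason) for each flagged install."""
    hits = []
    for mf in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        name, version = display_name(mf.parent, manifest), manifest.get("version", "")
        low = name.lower()
        for product, bad in BAD_VERSIONS.items():
            if product in low and version == bad:
                hits.append((mf.parent.parent.name, name, version, "malicious version"))
        if any(low.startswith(n) for n in FLAGGED_NAMES):
            hits.append((mf.parent.parent.name, name, version, "named in report"))
    return hits

if __name__ == "__main__":
    for hit in scan(sys.argv[1]):  # argument: path to the Extensions folder
        print(*hit, sep="\t")
```

Pass the path to the profile's `Extensions` folder as the only argument; the installed version it prints is what you compare against the developer's own advisory.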
