Skip to content
Now taking design partners.Roadmap →

chrome + edge · 2024

Cyberhaven wave

Christmas Eve 2024. An attacker phished a Cyberhaven employee's Chrome Web Store credential and pushed a malicious update. 34 further extensions from the same campaign were identified over the following weeks.

Run this campaignScale: 35 extensions, 2.6M users, 400K on Cyberhaven itself

What happened

Late on December 24 2024, an attacker phished a Cyberhaven employee with a Chrome Web Store publisher credential and pushed a malicious update to the company's own browser extension. Cyberhaven itself had roughly 400,000 users on the extension at the time. Over the following weeks, researchers at Secure Annex and Sekoia identified further malicious updates from the same campaign covering 35 extensions in total, with a combined install base of approximately 2.6 million users.

Cyberhaven pulled the malicious version within about a day, published a detailed post-mortem, and rotated credentials fleet-wide. The broader campaign, however, ran quieter. Several affected publishers took days or weeks to notice.

How it propagated

The attack chain was consistent across extensions in the wave: a Google Ads-style phishing lure targeting Chrome Web Store publisher accounts, a captured OAuth session, then a version bump pushed through the standard publisher pipeline. Chrome and Edge both auto-update extensions by default, so every install across the fleet pulled the tainted version silently. The payload targeted browser session tokens for identity providers. Facebook Business, ChatGPT, and enterprise SSO cookies.

What Drig sees

The browser_ext collector walks Chrome, Edge, Firefox, and Brave extension directories on macOS, Linux, and Windows. It streams the extension ID, publisher, version, and installed permissions. Signed catalog entries for the wave carry the extension IDs and version ranges; retro-match reports exposed browsers by user, machine, and profile.

Rotation checklist

  • Force-remove flagged extension IDs across every enrolled browser.
  • Force IdP re-authentication for all users on affected machines.
  • Rotate SaaS session tokens (Google Workspace, Microsoft 365, GitHub, Slack). The payload targeted these directly.
  • Rotate password-manager master credentials on the same hosts.
  • Audit connected OAuth apps and revoke anything unfamiliar.

Auto-updating marketplaces are the exact place a scheduled-scan model earns its rent. New IOCs land in the catalog; retro-match runs; exposed users show up in the console without a Drig release.