chrome + edge · 2024
Cyberhaven wave
Christmas Eve 2024. An attacker phished a Cyberhaven employee's Chrome Web Store credential and pushed a malicious update. 34 further extensions from the same campaign were identified over the following weeks.
What happened
Late on December 24 2024, an attacker phished a Cyberhaven employee with a Chrome Web Store publisher credential and pushed a malicious update to the company's own browser extension. Cyberhaven itself had roughly 400,000 users on the extension at the time. Over the following weeks, researchers at Secure Annex and Sekoia identified further malicious updates from the same campaign covering 35 extensions in total, with a combined install base of approximately 2.6 million users.
Cyberhaven pulled the malicious version within about a day, published a detailed post-mortem, and rotated credentials fleet-wide. The broader campaign, however, ran quieter. Several affected publishers took days or weeks to notice.
How it propagated
The attack chain was consistent across extensions in the wave: a Google Ads-style phishing lure targeting Chrome Web Store publisher accounts, a captured OAuth session, then a version bump pushed through the standard publisher pipeline. Chrome and Edge both auto-update extensions by default, so every install across the fleet pulled the tainted version silently. The payload targeted browser session tokens for identity providers. Facebook Business, ChatGPT, and enterprise SSO cookies.
What Drig sees
The browser_ext collector walks Chrome, Edge, Firefox, and Brave
extension directories on macOS, Linux, and Windows. It streams the
extension ID, publisher, version, and installed permissions. Signed
catalog entries for the wave carry the extension IDs and version ranges;
retro-match reports exposed browsers by user, machine, and profile.
Rotation checklist
- Force-remove flagged extension IDs across every enrolled browser.
- Force IdP re-authentication for all users on affected machines.
- Rotate SaaS session tokens (Google Workspace, Microsoft 365, GitHub, Slack). The payload targeted these directly.
- Rotate password-manager master credentials on the same hosts.
- Audit connected OAuth apps and revoke anything unfamiliar.
Auto-updating marketplaces are the exact place a scheduled-scan model earns its rent. New IOCs land in the catalog; retro-match runs; exposed users show up in the console without a Drig release.