16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft

Faheem

December 29, 2025 | Ravi Lakshmanan | Endpoint Security / Browser Security

A new attack campaign has targeted popular Chrome browser extensions, compromising at least 16 extensions and exposing more than 600,000 users to data exposure and credential theft.

The attack targeted publishers of browser extensions on the Chrome Web Store with a phishing campaign and used their access permissions to inject malicious code into legitimate extensions to steal cookies and user access tokens.

The first company to be exposed was cybersecurity firm Cyberhaven.

On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and installed malicious code to communicate with an external command and control (C&C) server located on the cyberhavenxt(.)pro domain, download additional configuration files, and exfiltrate user data.

“Browser extensions are the soft underbelly of web security,” says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. “Although we think of browser extensions as harmless, in practice, they are often granted broad permissions to sensitive user information such as cookies, access tokens, identity information, and more.

“Many organizations don't even know what extensions they have installed on their endpoints, and they're not aware of the extent of their exposure,” says Eshed.

After news of the Cyberhaven breach broke, additional extensions that had been compromised and were communicating with the same C&C server were quickly identified.

Jaime Blasco, CTO of SaaS security company Nudge Security, identified additional domains resolving to the same IP address of the C&C server used for the Cyberhaven breach.

Additional browser extensions currently suspected of being compromised include:

  • AI Assistant – ChatGPT and Gemini for Chrome
  • Bard AI Chat Extension
  • Abstract of GPT 4 with OpenAI
  • Discover Copilot AI Assistant for Chrome
  • Tina Mund AI Assistant
  • Wayne AI
  • VPNCity
  • Internxt VPN
  • Windows Flex Video Recorder
  • VidHelper Video Downloader
  • Bookmark Favicon Changer
  • Castors
  • Yves
  • Reader mode
  • Parrot discuss
  • Primus

These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wider attack campaign targeting legitimate browser extensions.

Cyberhaven’s analysis of the compromise indicates that the malicious code targeted identity data and access tokens of Facebook accounts, and Facebook business accounts in particular:

User Data Collected by Compromised Cyberhaven Browser Extension (Source: Cyberhaven)

Cyberhaven says the malicious version of the browser extension was removed about 24 hours after it went live. Some of the other exposed extensions have also already been updated or removed from the Chrome Web Store.

However, the fact that an extension was removed from the Chrome Web Store doesn't mean exposure is over, Or Eshed says. “As long as a compromised version of the extension is still live on the endpoint, hackers can still access it and extract data,” he says.

Security researchers continue to look for additional exposed extensions, but the sophistication and breadth of this attack campaign have prompted many organizations to secure their browser extensions.
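Because a compromised build stays on the endpoint after it is pulled from the store, and extensions often hold broad permissions such as cookie access, a local inventory is the first check to run. The following is an added example, not code from the article or from Cyberhaven: it walks a Chrome profile's `Extensions` directory and lists each installed version with its sensitive permissions. The `SENSITIVE` selection, the function name and the watch-list parameter are assumptions of this example.

```python
import json
import sys
from pathlib import Path

# Permissions that expose cookies, tokens or page content. This selection is
# an assumption of the example, not a list taken from the article.
SENSITIVE = {"cookies", "webRequest", "scripting", "tabs"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def inventory(extensions_dir, watch_names=()):
    """Return one record per installed extension version.

    Chrome keeps unpacked copies at
    <profile>/Extensions/<extension id>/<version>/manifest.json.
    """
    watch = {n.lower() for n in watch_names}
    records = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: keep sweeping
        if not isinstance(data, dict):
            continue
        perms = set()
        for key in ("permissions", "optional_permissions", "host_permissions"):
            perms.update(p for p in data.get(key, []) if isinstance(p, str))
        for script in data.get("content_scripts", []):
            if isinstance(script, dict):
                perms.update(script.get("matches", []))
        # Localized manifests store "__MSG_...__" here; match those by id.
        name = str(data.get("name", ""))
        records.append({
            "id": manifest.parent.parent.name,
            "version": str(data.get("version", manifest.parent.name)),
            "name": name,
            "risky": sorted(perms & (SENSITIVE | BROAD_HOSTS)),
            "watchlisted": name.lower() in watch,
        })
    return records


if __name__ == "__main__":
    # Usage: python inventory.py <path to a profile's Extensions directory>
    for rec in inventory(sys.argv[1], watch_names=sys.argv[2:]):
        print(json.dumps(rec))
```

On Linux the directory is typically `~/.config/google-chrome/Default/Extensions`; on Windows it is under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`.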
