Ongoing Campaign Targeting Chrome Browser Extensions

Published on 30 Dec 2024

There are reports of an ongoing campaign to steal sensitive information from users of Chrome browser extensions. The compromised extensions have been observed to contain malicious code that could allow an attacker to exfiltrate authenticated sessions and cookies, enabling the attacker to impersonate the victim without requiring a username or password. This allows the attacker to gain unauthorised access to resources, perform actions on the victim's behalf, or escalate their privileges.

As of 30 December, the following Chrome browser extensions have been confirmed to carry malicious code:

  • AI Assistant - ChatGPT and Gemini for Chrome
  • AI Shop Buddy
  • Bard AI chat
  • Bookmark Favicon Changer
  • Castorus
  • ChatGPT Assistant - Smart Search
  • Cyberhaven security extension V3
  • Earny - Up to 20% Cash Back
  • Email Hunter
  • Internxt VPN
  • Keyboard History Recorder
  • Parrot Talks
  • Primus (prev. PADO)
  • Reader Mode
  • Rewards Search Automator
  • Search Copilot AI Assistant for Chrome
  • Sort by Oldest
  • Tackker - online keylogger tool
  • TinaMind - The GPT-4o-powered AI Assistant!
  • Uvoice
  • VidHelper - Video Downloader
  • Vidnoz Flex - Video recorder & Video share
  • Visual Effects for Google Meet
  • VPNCity
  • Wayin AI

While there are no reports observed locally, users of the affected extensions are advised to uninstall them, reset account passwords, clear browser data and reset browser settings to their original defaults before installing a safe version of the extension (if available).
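To find out whether any listed extension is installed, the following added example (not part of the original advisory) scans a Chrome profile's `Extensions/<id>/<version>/manifest.json` files and matches each display name against the list above. The function names and the Linux profile path are assumptions, and matching is by name because the advisory gives no extension IDs.

```python
import json
from pathlib import Path

# Names copied from the advisory's list; it gives no extension IDs, so match by name.
AFFECTED = [
    "AI Assistant - ChatGPT and Gemini for Chrome", "AI Shop Buddy", "Bard AI chat",
    "Bookmark Favicon Changer", "Castorus", "ChatGPT Assistant - Smart Search",
    "Cyberhaven security extension V3", "Earny - Up to 20% Cash Back", "Email Hunter",
    "Internxt VPN", "Keyboard History Recorder", "Parrot Talks", "Primus (prev. PADO)",
    "Reader Mode", "Rewards Search Automator", "Search Copilot AI Assistant for Chrome",
    "Sort by Oldest", "Tackker - online keylogger tool",
    "TinaMind - The GPT-4o-powered AI Assistant!", "Uvoice", "VidHelper - Video Downloader",
    "Vidnoz Flex - Video recorder & Video share", "Visual Effects for Google Meet",
    "VPNCity", "Wayin AI",
]

def norm(s):
    return " ".join(s.casefold().split())  # ignore case and spacing differences
AFFECTED_NORM = {norm(n) for n in AFFECTED}

def display_name(vdir):
    """Manifest name, resolving a __MSG_key__ reference via _locales."""
    manifest = json.loads((vdir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].casefold()  # message keys are case-insensitive
        path = vdir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        msgs = json.loads(path.read_text(encoding="utf-8-sig"))
        for k, v in msgs.items():
            if k.casefold() == key and isinstance(v, dict):
                return str(v.get("message", name))
    return name

def find_affected(extensions_dir):
    """Sorted (extension_id, version_dir, name) for installed extensions on the list."""
    hits = []
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            name = display_name(mf.parent)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest/locale file: skipped
        if norm(name) in AFFECTED_NORM:
            hits.append((mf.parent.parent.name, mf.parent.name, name))
    return sorted(hits)

if __name__ == "__main__":
    # Assumed default profile path on Linux; adjust for your OS and profile.
    for hit in find_affected(Path.home() / ".config/google-chrome/Default/Extensions"):
        print(*hit, sep="\t")
```

A name match is a lead for review rather than proof: display names are not unique, and a renamed build would not match.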

More information is available here:

https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it

https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html

https://secureannex.com/blog/cyberhaven-extension-compromise/

https://www.linkedin.com/posts/jaimeblasco_regarding-the-cyberhaven-chrome-extension-activity-7278237969637941248-qBEj/