Data-loss prevention startup Cyberhaven has disclosed a supply chain attack that compromised its Chrome extension, potentially exposing customer passwords and session tokens to hackers.

The breach, revealed in an email sent to affected users, occurred on December 25 when attackers used a compromised company account to publish a malicious update.

The compromised update, version 24.10.4, allowed attackers to exfiltrate sensitive data such as authenticated sessions and cookies to a domain they controlled. Cyberhaven confirmed the attack to TechCrunch but declined to provide detailed comments. The company removed the malicious extension later that day and released a secure version, 24.10.5, shortly after.

Cyberhaven, which has approximately 400,000 corporate users for its extension, advised affected customers to revoke and rotate credentials, such as passwords and API tokens, and to review their logs for potential malicious activity. The email did not specify whether credentials stored in Chrome should also be updated.

The attack appears to be part of a broader campaign targeting Chrome extension developers. Jaime Blasco, CTO of Nudge Security, noted that several other extensions, including those related to AI, productivity, and VPNs, were compromised in similar incidents. Cyberhaven stated it is working with Mandiant and federal law enforcement to investigate and strengthen its security practices.

The full extent of the attack remains unclear, as does the identity of the threat actors responsible for the campaign. Cyberhaven’s high-profile customers, including Motorola, Reddit, and Snowflake, add urgency to the situation as the company continues its investigation.
