Hackers injected malicious code into several Chrome extensions in a recent attack

Hackers have reportedly been able to modify several Chrome extensions with malicious code this month after gaining access to administrator accounts through a phishing campaign. Cybersecurity company Cyberhaven shared in a this weekend that its Chrome extension was compromised on December 24 in an attack that appears to have been “targeted to log into specific advertising social media and artificial intelligence platforms.” Several other expansions were also affected, going back to mid-December, reported. According to Nudge Security’s which includes ParrotTalks, Uvoice and VPNCity.

Cyberhaven notified its customers on December 26 in an email seen by which advised them to revoke and change their passwords and other credentials. The company’s initial investigation into the incident found that the malicious extension targeted Facebook Ads users to steal data such as access tokens, user IDs and other account information, along with cookies. The code also added a mouse click listener. “After successfully sending all data to the (Command & Control) server, the Facebook user ID is saved in the browser’s storage,” Cyberhaven said in its analysis. “This user ID is then used in mouse click events to help attackers with 2FA on their side if needed.”

Cyberhaven said it first discovered the breach on December 25 and was able to remove the malicious version of the extension within an hour. A clean version has since been released.