Cyberhaven, a leading provider of data loss prevention (DLP) solutions, disclosed a significant security breach involving its Chrome extension.
On December 24, 2024, a targeted cyberattack compromised an administrator account, allowing attackers to publish a malicious update (version 24.10.4) to the Chrome Web Store. The update was automatically deployed to users early on December 25, 2024.
The malicious extension enabled attackers to exfiltrate sensitive user data, including authenticated sessions and cookies, to a rogue domain (cyberhavenext[.]pro).
The exfiltration domain remained active from 1:32 AM UTC on December 25 until 2:50 AM UTC on December 26, posing a critical risk to users’ data security.
Cyberhaven’s internal security team detected the compromise at 11:54 PM UTC on December 25 and removed the malicious package within an hour.
A clean version (24.10.5) was released on December 26, removing the malicious code. Cyberhaven is also preparing an additional update (24.10.6) with telemetry features to help identify affected endpoints.
The compromised extension could have exposed sensitive information from any browser that ran version 24.10.4. In response, Cyberhaven issued recommendations for impacted users.
Cyberhaven confirmed that versions of the extension hosted outside the Chrome Web Store, such as those for Firefox or Edge, were not affected.
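The two checks an incident responder would run from the facts above are: find every Chrome profile that still has version 24.10.4 of the extension unpacked on disk, and search proxy or DNS logs for contact with cyberhavenext[.]pro, distinguishing contact inside the window in which the domain was live from contact after it. The script below is an added example, not Cyberhaven's, Secure Annex's, or Mandiant's code. Only the version numbers, the domain, and the time window come from the article; the Chrome on-disk layout (`<profile>/Extensions/<id>/<version>_<n>/manifest.json`), the proxy log format, the extension IDs, and the sample data are constructed assumptions.

```python
"""Triage helpers for the Cyberhaven extension incident (added example).

Facts from the article: malicious version 24.10.4, clean version 24.10.5,
exfiltration domain cyberhavenext[.]pro, live 2024-12-25 01:32 UTC to
2024-12-26 02:50 UTC. Everything else below is an assumption for illustration.
"""
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MALICIOUS_VERSION = "24.10.4"
CLEAN_VERSION = "24.10.5"
EXFIL_DOMAIN = "cyberhavenext.pro"  # written defanged in the article
WINDOW_START = datetime(2024, 12, 25, 1, 32, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 26, 2, 50, tzinfo=timezone.utc)


def version_tuple(version):
    """'24.10.4' -> (24, 10, 4); non-numeric parts become 0 so comparisons never raise."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def classify_version(version):
    """Verdict for an installed extension version."""
    if version == MALICIOUS_VERSION:
        return "COMPROMISED"
    if version_tuple(version) >= version_tuple(CLEAN_VERSION):
        return "CLEAN"
    return "PRE_INCIDENT"


def find_cyberhaven_installs(user_data_dir):
    """Scan a Chrome 'User Data' tree for unpacked Cyberhaven extension versions.

    Assumed layout: <profile>/Extensions/<id>/<version>_<n>/manifest.json.
    Matches on the manifest 'name' so no extension ID has to be hard-coded.
    Returns (profile, extension_id, version, verdict) tuples.
    """
    results = []
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: not evidence either way
        if "cyberhaven" not in str(data.get("name", "")).lower():
            continue
        version = str(data.get("version", ""))
        ext_id = manifest.parents[1].name      # <id> directory
        profile = manifest.parents[3].name     # <profile> directory
        results.append((profile, ext_id, version, classify_version(version)))
    return results


# Assumed proxy log layout: "<ISO-8601 timestamp> <client> <method> <host>[:port] ..."
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+([A-Za-z0-9.-]+)(?::\d+)?")


def scan_proxy_log(lines):
    """Return (timestamp, client, host, in_window) for each contact with the exfil domain.

    A contact inside the window means data may have reached the attacker; a
    contact after it still shows the malicious version ran on that client.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts_raw, client, host = m.groups()
        host = host.lower().rstrip(".")
        if host != EXFIL_DOMAIN and not host.endswith("." + EXFIL_DOMAIN):
            continue
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        if ts.tzinfo is None:                  # treat naive timestamps as UTC
            ts = ts.replace(tzinfo=timezone.utc)
        hits.append((ts, client, host, WINDOW_START <= ts <= WINDOW_END))
    return hits


def build_demo_user_data(root):
    """Write a constructed profile tree: one compromised, one clean, one unrelated."""
    root = Path(root)
    fixtures = [  # (profile, fake extension id, version dir, manifest name)
        ("Default", "exampleidnotreal", "24.10.4_0", "Cyberhaven security extension"),
        ("Profile 1", "exampleidnotreal", "24.10.5_0", "Cyberhaven security extension"),
        ("Default", "otheridnotreal", "1.2.3_0", "Unrelated extension"),
    ]
    for profile, ext_id, vdir, name in fixtures:
        d = root / profile / "Extensions" / ext_id / vdir
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(
            json.dumps({"name": name, "version": vdir.split("_")[0], "manifest_version": 3}))
    return root


def demo_install_scan():
    """Build the constructed tree in a temp dir and scan it, sorted by profile."""
    with tempfile.TemporaryDirectory() as tmp:
        return sorted(find_cyberhaven_installs(build_demo_user_data(tmp)))


SAMPLE_LOG = [  # constructed lines, not a real capture
    "2024-12-25T03:10:22Z host-17 CONNECT cyberhavenext.pro:443 200",
    "2024-12-25T12:00:00Z host-02 CONNECT app.cyberhaven.io:443 200",
    "2024-12-26T04:05:09Z host-17 CONNECT cyberhavenext.pro:443 502",
    "2024-12-26 bad line",
]

if __name__ == "__main__":
    for row in demo_install_scan():
        print("extension:", row)
    for row in scan_proxy_log(SAMPLE_LOG):
        print("log:", row)
```

Run it against a real `User Data` directory (`find_cyberhaven_installs(Path.home() / "AppData/Local/Google/Chrome/User Data")` on Windows, for instance) and against exported proxy logs. Hosts that show the domain only after 02:50 UTC on December 26 still ran the malicious build and belong in the same credential-rotation scope as in-window hosts; the window only tells you whether the exfiltration itself could have succeeded.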
Cyberhaven has engaged federal law enforcement and cybersecurity firm Mandiant to investigate the breach further. The company emphasized its commitment to transparency and customer trust, stating: “We are acting on our core values of maximum transparency to retain the trust we have earned from you.”
Secure Annex has also shared technical details of the attack to aid in detection and mitigation.