Hackers have injected malicious code into several Chrome extensions in recent attacks

Hackers were reportedly able to replace several Chrome extensions with malicious code this month after gaining access to administrator accounts through a phishing campaign. Cybersecurity firm Cyberhaven shared this weekend that its Chrome extension was compromised on December 24 in an attack that appears to “target logins to certain social media and AI platforms.” Several other extensions were also struck, going back to mid-December, report. According to Nudge Security’s, that includes ParrotTalks, Uvoice and VPNCity.

Cyberhaven notified its customers on December 26 in an email seen by advised them to revoke and replace their passwords with other credentials. The company’s initial investigation into the incident found that the malicious extension targeted Facebook Ads users, with the intention of stealing data such as access tokens, user IDs and other account information, as well as cookies. The code also adds a mouse click listener. “After successfully sending all the data to [Command & Control] server, the Facebook user ID is stored in the browser’s storage,” Cyberhaven said in its analysis. “That user ID is then used in mouse click events to help attackers with 2FA on their side if needed.”

Cyberhaven said it first discovered the breach on December 25 and was able to remove the malicious version of the extension within an hour. A clean version has since been released.