Article Details

Scrape Timestamp (UTC): 2025-01-22 19:47:28.709

Source: https://www.theregister.com/2025/01/22/supply_chain_attack_chrome_extension/

Original Article Text


Supply chain attack hits Chrome extensions, could expose millions

Threat actor exploited phishing and OAuth abuse to inject malicious code.

Cybersecurity outfit Sekoia is warning Chrome users of a supply chain attack targeting browser extension developers that has potentially impacted hundreds of thousands of individuals already.

Dozens of Chrome extension developers have fallen victim to the attacks thus far, which aimed to lift API keys, session cookies, and other authentication tokens from websites such as ChatGPT and Facebook for Business.

Sekoia examined the infrastructure used for the wide-scale phishing campaign targeting devs and traced it, with "high confidence," back to similar attacks as far back as 2023. The latest known campaign activity occurred on December 30, 2024, however.

Among the victims was California-based Cyberhaven, which makes a cloud-based data protection tool. The company was one of the unfortunate ones to detect the compromise over the holiday period, on Boxing Day 2024 – a discovery that was widely reported at the time.

Booz Allen Hamilton analyzed the incident at Cyberhaven and backed up the vendor's suspicion that it was part of a wider campaign. Its accompanying report [PDF] to the Cyberhaven analysis revealed a long list of other extensions it believes were likely affected, taking the potential number of affected end users into the millions. Sekoia published a less comprehensive list in its research, although the same extensions appear on both lists.

A number of the potentially affected extensions (according to Booz Allen Hamilton's report) appear to have been pulled from the Chrome Web Store at the time of writing. The pages belonging to many of the others show they have been updated since Cyberhaven's incident, although very few have publicly acknowledged an incident. One outlier was Reader Mode, whose founder Ryzal Yusoff penned an open letter to its circa 300,000 users, informing them of a December 5 breach.
"On December 5, 2024, our developer account was compromised due to a phishing email that mimicked official Chrome Web Store communications," said Yusoff. "This breach allowed unauthorized parties to upload malicious versions of the Reader Mode extension (1.5.7 and 1.5.9) to the Chrome Web Store. The attack was discovered on December 20, 2024, after Google issued warnings identifying phishing attempts linked to this breach.

"The malicious versions of the extension may have included unauthorized scripts designed to collect user data or perform other harmful actions. If you installed or updated the Reader Mode extension between December 7 and December 20, 2024, your browser may have been affected."

Jaime Blasco, co-founder and CTO at Austin-based Nudge Security, also named, in a series of online posts, a number of extensions he suspected were compromised, many of which also appeared in Booz's report.

Chrome support impersonation

The attacker targeted dev teams with phishing emails seemingly from Chrome Web Store Developer Support, mimicking official communication, according to Yusoff and Sekoia. The sample email, which appears in the report, warns that the extension may be pulled from the Chrome Web Store over fabricated rule violations, such as unnecessary details in the extension's description.

Victims were lured into clicking a link disguised as an explanation of Chrome Web Store policies. The link led to a legitimate Google Accounts page, where they were prompted to approve access for a malicious OAuth app. Once developers granted the app permission, the attacker held everything needed to upload compromised versions of their extensions to the Chrome Web Store. The researchers said it is likely the devs' email addresses were gathered from the Chrome Web Store, where such information may be accessible.
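A detection-side view of the consent step just described, added here and not taken from the article, Sekoia or any vendor: it scans constructed OAuth authorization records for grants of the Chrome Web Store publish scope to an app outside a reviewed allowlist. The record shape, client IDs and app names are assumptions; only the scope string is the one the Web Store Publish API documents.

```python
# Scope the Chrome Web Store Publish API requests for uploading and publishing
# items; consenting to an attacker's OAuth app with this scope is the step the
# article describes as giving the attacker upload access.
WEBSTORE_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# Client IDs of OAuth apps the team has reviewed (placeholder value).
ALLOWLISTED_CLIENT_IDS = {"123456-ci.apps.googleusercontent.com"}

def risky_scopes(scopes):
    """Return the scopes in `scopes` that confer Web Store publishing rights."""
    return sorted(s for s in scopes if s == WEBSTORE_SCOPE)

def flag_grants(events, allowlist=ALLOWLISTED_CLIENT_IDS):
    """Return (time, actor, client_id, app_name, reason) for each 'authorize'
    event that hands the Web Store scope to a client ID outside the allowlist.
    Revocations and other event types are ignored."""
    findings = []
    for ev in events:
        if ev.get("event") != "authorize":
            continue
        hit = risky_scopes(ev.get("scopes", ()))
        if not hit or ev["client_id"] in allowlist:
            continue
        findings.append((ev["time"], ev["actor"], ev["client_id"],
                         ev.get("app_name", "?"),
                         "non-allowlisted app granted " + ", ".join(hit)))
    return findings

# Constructed sample records (assumed log shape): a reviewed CI publisher, the
# consent-phishing pattern (unknown app granted the publish scope), a revocation.
SAMPLE_EVENTS = [
    {"event": "authorize", "time": "2024-12-05T10:02:11Z", "actor": "dev@example.com",
     "client_id": "123456-ci.apps.googleusercontent.com", "app_name": "CI publisher",
     "scopes": [WEBSTORE_SCOPE]},
    {"event": "authorize", "time": "2024-12-05T10:41:53Z", "actor": "dev@example.com",
     "client_id": "9988-unknown.apps.googleusercontent.com", "app_name": "Policy Review Helper",
     "scopes": ["openid", WEBSTORE_SCOPE]},
    {"event": "revoke", "time": "2024-12-05T11:00:00Z", "actor": "dev@example.com",
     "client_id": "9988-unknown.apps.googleusercontent.com", "app_name": "Policy Review Helper",
     "scopes": []},
]

if __name__ == "__main__":
    for time, actor, client_id, app_name, reason in flag_grants(SAMPLE_EVENTS):
        print(f"{time} {actor} -> {app_name} ({client_id}): {reason}")
```

Feed it the authorization events your identity provider exports and keep the allowlist to apps the team has actually reviewed.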
Probing the infrastructure

Using the two domains associated with the phishing emails, Sekoia was able to uncover the other domain names used in this campaign and those likely involved in previous attacks by the same miscreants. The domain names used as the attacker's command and control (C2) servers were hosted at just two IP addresses, and using passive DNS resolutions, the researchers believe they uncovered possibly all the domains involved in the campaign.

Sekoia said it was "straightforward" to uncover the domain names used in the latest attack and those used in 2023, since the same registrar (Namecheap) was used every time and the DNS setups and TLS configs were consistent.

"The domain naming convention and their creation dates indicate that the attacker's campaigns have been active since at least December 2023," Sekoia wrote in a blog post. "It is possible that the websites redirecting to allegedly malicious Chrome extensions were promoted through SEO poisoning or malvertising.

"Sekoia analysts believe that this threat actor has specialized in spreading malicious Chrome extensions to harvest sensitive data. At the end of November 2024, the attacker shifted his modus operandi from distributing his own malicious Chrome extensions via fake websites to compromising legitimate Chrome extensions by phishing emails, malicious OAuth applications, and malicious code injected into compromised Chrome extensions."
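The Reader Mode advisory above names the malicious versions and a date window; as an added example (not from the article, Reader Mode or any vendor), here is a check of a Chrome profile's installed extensions against a list of reported-bad versions. The extension id is a placeholder and the Linux profile path is an assumption; the list itself is constructed from the advisory's 1.5.7 and 1.5.9 figures.

```python
import json
from pathlib import Path

# extension id -> versions reported as malicious. The id is a placeholder; take
# real ids from the vendor advisory or the Web Store listing URL.
KNOWN_BAD = {
    "<reader-mode-extension-id>": {"1.5.7", "1.5.9"},
}

def iter_installed(ext_root):
    """Yield (extension_id, version, manifest) for every extension version
    under a Chrome profile's Extensions directory, whose on-disk layout is
    <id>/<version>_<n>/manifest.json."""
    for manifest_path in Path(ext_root).glob("*/*/manifest.json"):
        version_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not abort the scan
        dir_version = version_dir.name.split("_", 1)[0]
        yield version_dir.parent.name, manifest.get("version", dir_version), manifest

def find_affected(installed, known_bad=KNOWN_BAD):
    """Return (id, version, name) for each installed extension whose version
    appears in known_bad. `installed` is any iterable of (id, version, manifest)."""
    hits = []
    for ext_id, version, manifest in installed:
        if version in known_bad.get(ext_id, ()):
            hits.append((ext_id, version, manifest.get("name", "?")))
    return hits

if __name__ == "__main__":
    import sys
    # Default to the Linux path of the default Chrome profile (assumption); pass
    # another Extensions directory as the first argument on other platforms.
    root = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".config/google-chrome/Default/Extensions"
    for ext_id, version, name in find_affected(iter_installed(root)):
        print(f"AFFECTED: {name} ({ext_id}) version {version}")
```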

Daily Brief Summary

CYBERCRIME // Widespread Cyberattack Targets Chrome Extension Developers

Sekoia has identified a supply chain attack impacting developers of Chrome browser extensions, affecting potentially millions of end users.

Phishing tactics and OAuth abuse were employed to inject malicious code into the Chrome Web Store, compromising various popular extensions.

Victims include companies like Cyberhaven, which detected unauthorized activities during the holiday season, linking the attack to a broader phishing campaign analyzed by Booz Allen Hamilton.

A targeted phishing operation went after extension developers via emails posing as official Chrome Web Store communications, urging developers to click malicious links.

Through the compromised developer accounts, attackers uploaded tainted versions of extensions such as Reader Mode, which admitted to a breach affecting around 300,000 users.

Sekoia's investigation traced back the phishing campaign to similar attacks starting from 2023, utilizing domain names and infrastructure consistently linked to earlier incidents.

Analysis suggests that this specialization in Chrome extension attacks could result in wide-scale harvesting of sensitive user data, as evidenced by compromised extensions collecting API keys and session cookies from major platforms like ChatGPT and Facebook for Business.