Cyber Alert! – [CanSSOC Advisory] – Google Chrome Extensions Compromised to Steal Credentials

[CanSSOC Advisory] – Google Chrome Extensions Compromised to Steal Credentials
Threat Assessment*: High

On January 8th, 2025, CanSSOC advised that on December 27, 2024, Cyberhaven publicly disclosed that their Google Chrome extension had been compromised by threat actors to steal users' credentials [1].

What Happened?
Cyberhaven publicly disclosed that their Google Chrome extension had been compromised by threat actors to steal users' credentials [1]. This incident is part of a larger campaign by threat actors that has affected about 600,000 users [2]. Security researchers have confirmed that other compromised extensions exhibited similar malicious behavior, communicating with the same command-and-control servers [3]. CanSSOC has since been informed by some of our partners of detections of these compromised extensions within some of their environments.

Who is Impacted?
Details:
• Attack Type: Phishing campaign targeting Chrome extension developers
• Impacted Extensions: Over 30 Chrome extensions [3]
• At least the following extensions were impacted: VPNCity, Parrot Talks, Uvoice, Internxt VPN, Bookmark Favicon Changer, Castorus, Wayin AI, Search Copilot AI Assistant for Chrome, VidHelper – Video Downloader, AI Assistant – ChatGPT and Gemini for Chrome, TinaMind – The GPT-4o-powered AI, Assistant!, Bard AI chat, Reader Mode, Primus (prev. PADO), Tackker – online keylogger tool, AI Shop Buddy, Sort by Oldest, Rewards Search Automator, Earny – Up to 20% Cash Back, ChatGPT Assistant – Smart Search, Keyboard History Recorder, Email Hunter, Visual Effects for Google Meet, Cyberhaven security extension V3, GraphQL Network Inspector, GPT 4 Summary with OpenAI, Vidnoz Flex – Video recorder & Video share, YesCaptcha assistant, Proxy SwitchyOmega (V3), ChatGPT App, Web, Mirror, Hi AI
• Fixed Version(s): Cyberhaven has released a clean update for its affected extension
• Active Exploitation: Evidence of active exploitation across compromised extensions

When did it Happen?
• December 27, 2024 (CanSSOC advised on January 8th, 2025)
Actions to Take
McMaster Recommendations:
• Affected users that have any of the impacted Chrome extensions installed on their system should notify the McMaster Information Security Team at c-it-security@mcmaster.ca
• Impacted extensions should be removed/uninstalled and, out of an abundance of caution, users should change their password and sign out everywhere.
• The McMaster Information Security Team is monitoring for any installations of the impacted extensions where possible and will notify impacted users.
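As an added example of the kind of monitoring the last recommendation describes (this is not part of the CanSSOC or McMaster advisory), the following Python script inventories the extensions installed in a Chrome profile directory, such as ~/.config/google-chrome/Default on Linux, and flags any whose display name matches the impacted list above. The advisory gives names only, so the normalized name comparison, and the reading of the comma-split entries "TinaMind ... AI, Assistant!" and "Web, Mirror" as single names, are assumptions made here.

```python
import json, re, tempfile
from pathlib import Path

# Display names as the advisory lists them (it gives no extension IDs, so matching is by name and a
# hit is a lead to verify, not proof). Assumption: "TinaMind ... AI, Assistant!" and "Web, Mirror" are one name each.
IMPACTED_NAMES = (
    "VPNCity", "Parrot Talks", "Uvoice", "Internxt VPN", "Bookmark Favicon Changer", "Castorus", "Wayin AI",
    "Search Copilot AI Assistant for Chrome", "VidHelper - Video Downloader", "Bard AI chat", "Reader Mode",
    "AI Assistant - ChatGPT and Gemini for Chrome", "TinaMind - The GPT-4o-powered AI Assistant!",
    "Primus (prev. PADO)", "Tackker - online keylogger tool", "AI Shop Buddy", "Sort by Oldest", "Email Hunter",
    "Rewards Search Automator", "Earny - Up to 20% Cash Back", "ChatGPT Assistant - Smart Search",
    "Keyboard History Recorder", "Visual Effects for Google Meet", "Cyberhaven security extension V3",
    "GraphQL Network Inspector", "GPT 4 Summary with OpenAI", "Vidnoz Flex - Video recorder & Video share",
    "YesCaptcha assistant", "Proxy SwitchyOmega (V3)", "ChatGPT App", "Web Mirror", "Hi AI",
)

def norm(name):
    # Case-fold, map en/em dashes to "-", collapse whitespace so store and manifest spellings compare equal.
    return re.sub(r"\s+", " ", name.replace("\u2013", "-").replace("\u2014", "-")).strip().lower()
IMPACTED = {norm(n) for n in IMPACTED_NAMES}
def resolve_name(ext_dir, manifest):
    # Manifests often use "__MSG_key__" placeholders resolved from _locales/<default_locale>/messages.json.
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m: return name
    msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(msgs.read_text("utf-8")).get(m.group(1), {}).get("message", name)
    except (OSError, ValueError):
        return name
def scan_profile(profile_dir):
    # Chrome lays extensions out as Extensions/<id>/<version dir>/manifest.json inside a profile.
    results = []
    for manifest_path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text("utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or half-written extension: skip it rather than abort the scan
        name = resolve_name(ext_dir, manifest)
        results.append((ext_dir.parent.name, ext_dir.name, name, norm(name) in IMPACTED))
    return results
def demo():
    # Constructed sample profile (not real data): one localized hit and one benign extension.
    root = Path(tempfile.mkdtemp())
    for ext_id, name in (("aaaaaaaa", "__MSG_appName__"), ("bbbbbbbb", "Harmless Notes")):
        (loc := root / "Extensions" / ext_id / "1.0.0_0" / "_locales" / "en").mkdir(parents=True)
        (loc.parent.parent / "manifest.json").write_text(json.dumps({"name": name, "default_locale": "en"}))
        (loc / "messages.json").write_text(json.dumps({"appName": {"message": "Proxy SwitchyOmega (V3)"}}))
    return scan_profile(root)
```

A name match is a lead, not a verdict: confirm the extension ID and version against the references before acting, and scan every profile directory beside Default, not only Default itself.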

Where can I learn more?
References:
1. [Cyberhaven Blog] – https[:]//www[.]cyberhaven[.]com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it
2. [News] – https[:]//www[.]bleepingcomputer[.]com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/
3. [Github] – https[:]//github[.]com/anak0ndah/BrowserExtensionHijacked
Resources and Support
• Need IT Support?
  o Contact UTS quickly and easily with Live Chat!
• Familiarize yourself with Phishing Scams and take the training so you don’t take the bait!
  o https://informationsecurity.mcmaster.ca/phishing/
• Report all suspicious messages to is-spam@mcmaster.ca
• Join the McMaster IT Team on Microsoft Teams!
