Hackers appear to hack legitimate Chrome extensions to steal data.

The cyberattack campaign infiltrated several Chrome browser extensions with the code as early as mid-December, Reuters said yesterday. Specifically, the code was meant to steal browser cookies and authentication sessions, including those from “particular social media advertising and AI platforms,” the post by Cyberhaven stated. Cyberhaven attributes the attack to a phishing email, although in a technical blog dedicated to the incident the coders seemed to focus on Facebook Ads accounts.

Reuters reported that Jaime Blasco, the security researcher, said that the attack was “just random and [was] not aimed at Cyberhaven.” He published on X that he had discovered VPN and AI extensions that had the same exact code injected into Cyberhaven. Other extensions that could possibly be impacted are Internxt VPN, VPNCity, Uvoice, and ParrotTalks, as Bleeping Computer reports.

Cyberhaven has recommendations for companies that my be affected as follows: Companies should monitor their logs for such activity and remove or at least reset any password that is not using FIDO2 multifactor authentication. Before making the posts, the company informed customers, according to an email published by TechCrunch on Friday morning.