Analysis: the Cyberhaven Chrome extension attack
By Tolga SEZER - 2026-06-28
In December 2024, attackers used OAuth consent phishing to gain Chrome Web Store publishing access and pushed a trojanized update that exfiltrated cookies and session tokens. It is the clearest recent example of update-channel compromise, and version diffing is the defense.
What happened?
A developer received an OAuth consent phishing email impersonating Google's Chrome Web Store team. Approving it gave attackers permission to publish, and they shipped a malicious update to a legitimate, widely-installed extension. The update exfiltrated cookies and authenticated session tokens from users who had already trusted the extension. Reporting tied the same infrastructure to more than thirty other extensions affecting millions of users.
Why did normal review not stop it?
The extension was legitimate and had passed review. The attack arrived as an update to an already-trusted, already-installed extension - the exact case a one-time review does not cover. The malicious behavior was a small addition to an otherwise normal codebase.
How would version diffing have flagged it?
The poisoned update added a new outbound channel carrying session data - behavior absent in the prior version. A cross-version diff plus a sandbox run would have surfaced the new endpoint and the cookie or token payload as a band escalation from clean to dangerous, with the evidence attached.