Incident analysis

Analysis: the Cyberhaven Chrome extension attack

By Tolga SEZER - 2026-06-28

In short

In December 2024, attackers used OAuth consent phishing to gain Chrome Web Store publishing access and pushed a trojanized update that exfiltrated cookies and session tokens. It is the clearest recent example of update-channel compromise, and version diffing is the defense.

What happened?

A developer received an OAuth consent phishing email impersonating Google's Chrome Web Store team. Approving it gave attackers permission to publish, and they shipped a malicious update to a legitimate, widely-installed extension. The update exfiltrated cookies and authenticated session tokens from users who had already trusted the extension. Reporting tied the same infrastructure to more than thirty other extensions affecting millions of users.

Why did normal review not stop it?

The extension was legitimate and had passed review. The attack arrived as an update to an already-trusted, already-installed extension - the exact case a one-time review does not cover. The malicious behavior was a small addition to an otherwise normal codebase.

How would version diffing have flagged it?

The poisoned update added a new outbound channel carrying session data - behavior absent in the prior version. A cross-version diff plus a sandbox run would have surfaced the new endpoint and the cookie or token payload as a band escalation from clean to dangerous, with the evidence attached.

FAQ

Common questions

Was the Cyberhaven extension itself malware?
No. It was a legitimate extension whose publishing account was compromised through OAuth consent phishing, after which attackers pushed a malicious update.
What is the lesson for defenders?
Trust is per-version, not per-extension. Re-analyze and diff every update, and watch for new outbound channels carrying session data.