TechFlow news: On January 12, AabyssTeam founder issued a security alert stating that cybersecurity firm Cyberhaven suffered a phishing email attack, resulting in malicious code being implanted into its published browser extension. Affected extensions include Proxy SwitchyOmega (V3) and several other Chrome Web Store add-ons, collectively impacting over 500,000 users.
Yu Xian, founder of SlowMist Technology, analyzed that attackers exploited an OAuth2 attack chain to obtain the extension developer's publishing privileges, then implanted backdoors through the automatic update mechanism. Since browser extensions automatically update upon launch or restart, the malicious code is difficult for users to detect. The implanted malicious code is primarily used to steal user browser cookies and password information. Users are advised to promptly review the security of their installed browser extensions, especially those related to cryptocurrency wallets.




