SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach
ID: b20a7aae-983b-59bb-939c-f6f3d54c9195
STIX ID: report--b20a7aae-983b-59bb-939c-f6f3d54c9195
Feed Name: Security Ledger
SquareX disclosed a series of OAuth-based phishing attacks targeting Chrome Extension developers, which enabled attackers to hijack developer accounts and publish malicious updates. A malicious version of the Cyberhaven extension, which has over 400,000 users, was briefly available on the Chrome Store and was used to steal credentials and exfiltrate sensitive information. Days earlier, SquareX had demonstrated similar extension abuse techniques (MV3 extension misuse to steal cookies and video streams and to add silent collaborators). SquareX recommends that organizations monitor and block unauthorized OAuth interactions and suspicious extension updates.
