According to Cyberhaven, the attack began with a phishing email that gave the attacker the access needed to publish a malicious version of its extension. Cyberhaven believes the campaign was aimed at Facebook Ads accounts, but security researcher Jaime Blasco suggests it was more indiscriminate, noting that similar code turned up in various VPN and AI extensions, which points to a broader scope than initially believed.
Several Chrome extensions appear to be affected, including Internxt VPN, VPNCity, Uvoice, and ParrotTalks, in addition to Cyberhaven's data loss prevention extension. In Cyberhaven's case, the malicious code reached users through a compromised update published on Christmas Eve as version 24.10.4 of the extension.
Cyberhaven detected the malicious activity the day after it was deployed, removed the compromised version, and subsequently released a clean build as version 24.10.5. Even with that rapid response, the malicious version was live for over 24 hours, and because Chrome updates extensions automatically, any browser that checked for updates during that window would have received it without user action.
In response to the incident, Cyberhaven is advising affected companies to review their logs for suspicious activity and to revoke or rotate credentials, particularly passwords not protected by FIDO2 multifactor authentication; rotating a password alone does not invalidate sessions that were already captured, so active sessions should be revoked as well. The company notified its customers of the breach before publicly disclosing the incident.
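A first step for the log review and credential rotation above is finding out which machines actually ran an affected extension. The following script is an added example, not code from the article or from Cyberhaven: it walks Chrome's on-disk extension layout (`<profile>/Extensions/<id>/<version>_<n>/manifest.json`), flags any installed extension whose manifest name matches one of the names reported above, and marks the Cyberhaven extension as a confirmed compromised install when its version is 24.10.4. The name-substring matching and the assumption that the manifest `name` field is not localized are the example's own; the default profile paths are Chrome's standard locations, and the `demo()` function builds a constructed sample tree so the script runs offline.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Extension names reported as affected. Matched case-insensitively as
# substrings of the manifest "name" field (assumption: the field is a plain
# string, not a localized "__MSG_...__" placeholder).
AFFECTED_NAMES = ("cyberhaven", "internxt vpn", "vpncity", "uvoice", "parrottalks")

# Only the Cyberhaven extension has a known-bad version on the page (24.10.4).
KNOWN_BAD_VERSIONS = {"cyberhaven": {"24.10.4"}}


def default_extension_dirs():
    """Chrome's default-profile Extensions directory on each platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"
                / "Default" / "Extensions"]
    return [home / ".config" / "google-chrome" / "Default" / "Extensions"]


def scan_extensions_dir(extensions_dir):
    """Return one finding per installed extension version that matches an affected name."""
    findings = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than abort
        name = str(data.get("name", ""))
        version = str(data.get("version", ""))
        ext_id = manifest.parent.parent.name  # Chrome stores each extension under its ID
        lname = name.lower()
        for affected in AFFECTED_NAMES:
            if affected in lname:
                bad = version in KNOWN_BAD_VERSIONS.get(affected, set())
                findings.append({
                    "id": ext_id,
                    "name": name,
                    "version": version,
                    # "compromised-version": the exact bad build was installed.
                    # "review": an affected extension is present; check its update history.
                    "status": "compromised-version" if bad else "review",
                })
                break
    return findings


def demo():
    """Build a constructed sample Extensions tree and scan it (sample data, not real installs)."""
    samples = {
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.4_0"): {"name": "Cyberhaven security extension", "version": "24.10.4"},
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "3.2.1_0"): {"name": "VPNCity", "version": "3.2.1"},
        ("cccccccccccccccccccccccccccccccc", "1.0.0_0"): {"name": "Unrelated Extension", "version": "1.0.0"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for (ext_id, verdir), manifest in samples.items():
            path = Path(tmp) / ext_id / verdir
            path.mkdir(parents=True)
            (path / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extensions_dir(tmp)


if __name__ == "__main__":
    dirs = [Path(a) for a in sys.argv[1:]] or default_extension_dirs()
    for d in dirs:
        for f in scan_extensions_dir(d):
            print(f"{f['status']:<20} {f['id']} {f['name']} {f['version']}")
```

Run it with no arguments to scan the default profile, or pass one or more `Extensions` directories (other Chrome profiles, or directories collected from endpoints) as arguments. A "review" hit does not prove compromise; it means the extension should be checked against its own publisher's advisory and the host's update logs for the affected window.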