# [HIGH] It's time to treat browser extensions like supply chain attack vectors **Source:** Aikido **Published:** 2026-04-24 **Article:** https://www.aikido.dev/blog/browser-extensions-supply-chain-attack ## Threat Profile Blog Vulnerabilities & Threats It's time to treat browser extensions like supply chain attack vectors It's time to treat browser extensions like supply chain attack vectors Written by Dania Durnas Published on: Apr 25, 2026 You would never install an application that can log into your Google docs, read your keystrokes in your browser, intercepts requests in transit, runs continuously, updates silently, AND could be powerful enough to steal your passwords, right? Well, this is more or less what b… ## Indicators of Compromise (high-fidelity only) - _No high-fidelity IOCs in the RSS summary._ If the source publishes a technical write-up with defanged IOCs in the body, those would be picked up automatically on the next pipeline run. ## MITRE ATT&CK Techniques - **T1176** — Browser Extensions - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1005** — Data from Local System - **T1566.002** — Spearphishing Link - **T1204.001** — User Execution: Malicious Link - **T1059.001** — PowerShell - **T1566.001** — Spearphishing Attachment - **T1204.002** — User Execution: Malicious File - **T1059.005** — Visual Basic - **T1218** — System Binary Proxy Execution - **T1528** — Steal Application Access Token - **T1098.001** — Account Manipulation: Additional Cloud Credentials - **T1195.002** — Compromise Software Supply Chain - **T1071.001** — Application Layer Protocol: Web Protocols - **T1195.002** — Supply Chain Compromise: Compromise Software Supply Chain - **T1550.001** — Use Alternate Authentication Material: Application Access Token - **T1189** — Drive-by Compromise - **T1566** — Phishing ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Cyberhaven compromised Chrome extension C2 callback (cyberhavenext.pro) `UC_354_8` · phase: **c2** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest in ("149.28.124.84","45.76.225.148") OR All_Traffic.dest_host="cyberhavenext.pro" OR like(All_Traffic.dest_host,"%.cyberhavenext.pro")) by All_Traffic.src All_Traffic.user All_Traffic.dest All_Traffic.dest_host All_Traffic.dest_port All_Traffic.app | `drop_dm_object_name(All_Traffic)` | convert ctime(firstTime) ctime(lastTime) | append [ | tstats summariesonly=true count from datamodel=Network_Resolution.DNS where DNS.query="*cyberhavenext.pro" by DNS.src DNS.query DNS.answer | `drop_dm_object_name(DNS)` ] ``` **Defender KQL:** ```kql let BadDomains = dynamic(["cyberhavenext.pro"]); let BadIPs = dynamic(["149.28.124.84","45.76.225.148"]); DeviceNetworkEvents | where Timestamp > ago(180d) | where RemoteUrl has_any (BadDomains) or RemoteIP in (BadIPs) | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, Protocol | order by Timestamp desc ``` ### Context.ai compromised Chrome extension installed on host (ID omddlmnhcofjbnbflmjginpjjblphbgk) `UC_354_9` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\\Google\\Chrome\\User Data\\*\\Extensions\\omddlmnhcofjbnbflmjginpjjblphbgk*" OR Filesystem.file_path="*\\Google\\Chrome\\User Data\\*\\Sync Extension Settings\\omddlmnhcofjbnbflmjginpjjblphbgk*") by Filesystem.dest Filesystem.user Filesystem.file_path Filesystem.file_name Filesystem.process_name | `drop_dm_object_name(Filesystem)` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql let ExtId = "omddlmnhcofjbnbflmjginpjjblphbgk"; union (DeviceFileEvents | where Timestamp > ago(180d) | where FolderPath has ExtId | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, FolderPath), (DeviceProcessEvents | where Timestamp > ago(180d) | where ProcessCommandLine has ExtId | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath) | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Evidence=make_set(strcat(FileName, " :: ", FolderPath), 10) by DeviceName, InitiatingProcessAccountName | order by FirstSeen asc ``` ### First-time OAuth consent granting Drive/Mail read scope to non-sanctioned third-party app `UC_354_10` · phase: **delivery** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl `azure_audit_logs` (OperationName="Consent to application" OR OperationName="Add OAuth2PermissionGrant" OR OperationName="Add delegated permission grant") | spath output=AppName path="TargetResources{}.displayName" | spath output=ConsentValues path="TargetResources{}.modifiedProperties{}.newValue" | eval Scopes=mvjoin(ConsentValues,",") | search Scopes IN ("*Files.Read*","*Files.ReadWrite*","*Mail.Read*","*Mail.ReadWrite*","*Sites.Read.All*","*offline_access*","*https://www.googleapis.com/auth/drive*") | spath output=Initiator path="InitiatedBy.user.userPrincipalName" | stats min(_time) as firstSeen count by Initiator AppName Scopes | eventstats values(AppName) as KnownApps by Initiator | where firstSeen > relative_time(now(), "-7d@d") | convert ctime(firstSeen) ``` **Defender KQL:** ```kql CloudAppEvents | where Timestamp > ago(30d) | where ActionType in~ ("Consent to application", "Add app role assignment grant to user", "Add delegated permission grant to user") | extend Raw = parse_json(RawEventData) | extend AppName = tostring(Raw.Target[0].ID) | extend ModProps = Raw.ModifiedProperties | extend ScopeText = tostring(ModProps) | where ScopeText has_any ("Files.Read","Files.ReadWrite","Mail.Read","Mail.ReadWrite","Sites.Read.All","offline_access","googleapis.com/auth/drive","googleapis.com/auth/documents") | summarize FirstSeen=min(Timestamp), GrantCount=count() by AccountObjectId, AccountDisplayName, AppName, IPAddress, CountryCode | where FirstSeen > ago(7d) | order by FirstSeen desc ``` ### Roblox cheat/exploit download on enterprise endpoint (Lumma Stealer entry vector) `UC_354_11` · phase: **delivery** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\\Downloads\\*" OR Filesystem.file_path="*\\Desktop\\*" OR Filesystem.file_path="*\\Temp\\*") (Filesystem.file_name="*synapse*" OR Filesystem.file_name="*krnl*" OR Filesystem.file_name="*fluxus*" OR Filesystem.file_name="*hydrogen*" OR Filesystem.file_name="*argon*" OR Filesystem.file_name="*wave_executor*" OR Filesystem.file_name="*autofarm*" OR Filesystem.file_name="*auto-farm*" OR Filesystem.file_name="*roblox-exploit*" OR Filesystem.file_name="*robloxexploit*") by Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_name | `drop_dm_object_name(Filesystem)` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql let CheatNames = dynamic(["synapse","krnl","fluxus","hydrogen","argon","wave_executor","wave-executor","autofarm","auto-farm","roblox-exploit","robloxexploit","roblox_bypass"]); let CheatHosts = dynamic(["wearedevs.net","krnl.cat","krnl.place","krnl.live","fluxteam.net","synapsex.to","hydrogenwave.com","getsynapse.cc"]); union (DeviceFileEvents | where Timestamp > ago(30d) | where FolderPath has_any ("\\Downloads\\","\\Desktop\\","\\Temp\\","\\AppData\\Local\\Temp\\") | where FileName has_any (CheatNames) | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, FolderPath, FileOriginUrl, FileOriginIP), (DeviceNetworkEvents | where Timestamp > ago(30d) | where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | where RemoteUrl has_any (CheatHosts) | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP) | order by Timestamp desc ``` ### Suspicious browser extension installation `UC_BROWSER_EXT` · phase: **install** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path="*\Software\Google\Chrome\Extensions\*" OR Registry.registry_path="*\Software\Microsoft\Edge\Extensions\*" OR Registry.registry_path="*\Software\Mozilla\Firefox\Extensions\*") by Registry.dest, Registry.registry_path, Registry.registry_value_data, Registry.registry_value_name, Registry.user | `drop_dm_object_name(Registry)` ``` **Defender KQL:** ```kql DeviceRegistryEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where RegistryKey has_any ("\Software\Google\Chrome\Extensions\","\Software\Microsoft\Edge\Extensions\","\Software\Mozilla\Firefox\Extensions\") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### Crypto-wallet file/keystore access by non-wallet process `UC_CRYPTO_WALLET` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Ethereum\keystore\*" OR Filesystem.file_path="*\Bitcoin\wallet.dat" OR Filesystem.file_path="*\Exodus\exodus.wallet*" OR Filesystem.file_path="*\Electrum\wallets\*" OR Filesystem.file_path="*\MetaMask\*" OR Filesystem.file_path="*\Phantom\*" OR Filesystem.file_path="*\Atomic\Local Storage\*") AND NOT Filesystem.process_name IN ("MetaMask.exe","Exodus.exe","Atomic.exe","electrum.exe","Bitcoin.exe","Phantom.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Ethereum\keystore\", @"\Bitcoin\", @"\Exodus\", @"\Electrum\wallets\", @"\MetaMask\", @"\Phantom\", @"\Atomic\Local Storage\") | where InitiatingProcessFileName !in~ ("MetaMask.exe","Exodus.exe","Atomic.exe","electrum.exe","Bitcoin.exe","Phantom.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### Phishing-link click correlated to endpoint execution `UC_PHISH_LINK` · phase: **delivery** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Phishing-link click that drives endpoint execution within 60s ``` | tstats `summariesonly` earliest(_time) AS click_time from datamodel=Web where Web.action="allowed" by Web.src, Web.user, Web.dest, Web.url | `drop_dm_object_name(Web)` | rename user AS recipient, dest AS clicked_domain, url AS clicked_url | join type=inner recipient [| tstats `summariesonly` count from datamodel=Email.All_Email where All_Email.action="delivered" AND All_Email.url!="-" by All_Email.recipient, All_Email.src_user, All_Email.url, All_Email.subject | `drop_dm_object_name(All_Email)` | rex field=url "https?://(?[^/]+)" | rename recipient AS recipient] | join type=inner src [| tstats `summariesonly` earliest(_time) AS exec_time values(Processes.process) AS exec_cmd, values(Processes.process_name) AS exec_proc from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("chrome.exe","msedge.exe","firefox.exe", "outlook.exe","brave.exe","arc.exe") AND Processes.process_name IN ("powershell.exe","pwsh.exe","cmd.exe","mshta.exe", "rundll32.exe","regsvr32.exe","wscript.exe", "cscript.exe","bitsadmin.exe","certutil.exe", "curl.exe","wget.exe") by Processes.dest, Processes.user | `drop_dm_object_name(Processes)` | rename dest AS src] | eval delta_sec = exec_time - click_time | where delta_sec >= 0 AND delta_sec <= 60 | table click_time, exec_time, delta_sec, recipient, src, src_user, subject, clicked_domain, clicked_url, exec_proc, exec_cmd | sort - click_time ``` **Defender KQL:** ```kql // Phishing-link click that drives endpoint execution within 60s. // Far higher fidelity than "every clicked URL" — most legitimate clicks // never spawn a non-browser child process, so the join eliminates the // 99% of noise that makes a raw click query unactionable. let LookbackDays = 7d; let SuspectClicks = UrlClickEvents | where Timestamp > ago(LookbackDays) | where AccountName !endswith "$" | where ActionType in ("ClickAllowed","ClickedThrough") | join kind=inner ( EmailEvents | where Timestamp > ago(LookbackDays) | where DeliveryAction == "Delivered" | where EmailDirection == "Inbound" | project NetworkMessageId, Subject, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, EmailTimestamp = Timestamp ) on NetworkMessageId | join kind=leftouter ( EmailUrlInfo | project NetworkMessageId, Url, UrlDomain ) on NetworkMessageId, Url | project ClickTime = Timestamp, AccountUpn, IPAddress, Url, UrlDomain, Subject, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, ActionType; // Correlate to a non-browser child process spawned within 60 seconds on // the recipient's device. DeviceProcessEvents | where Timestamp > ago(LookbackDays) | where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe", "outlook.exe","brave.exe","arc.exe") | where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe","mshta.exe", "rundll32.exe","regsvr32.exe","wscript.exe","cscript.exe", "bitsadmin.exe","certutil.exe","curl.exe","wget.exe") | join kind=inner SuspectClicks on $left.AccountName == $right.AccountUpn | where Timestamp between (ClickTime .. ClickTime + 60s) | project ClickTime, ProcessTime = Timestamp, DelaySec = datetime_diff('second', Timestamp, ClickTime), DeviceName, AccountName, RecipientEmailAddress, SenderFromAddress, Subject, Url, UrlDomain, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName | order by ClickTime desc ``` ### Email attachment opened from external sender `UC_PHISH_ATTACH` · phase: **delivery** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count from datamodel=Email.All_Email where All_Email.file_name!="-" by All_Email.src_user, All_Email.recipient, All_Email.file_name, All_Email.subject | rename All_Email.recipient as user | join type=inner user [| tstats `summariesonly` count from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("OUTLOOK.EXE","winword.exe","excel.exe","powerpnt.exe") AND Processes.process_name IN ("cmd.exe","powershell.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | rename Processes.user as user] ``` **Defender KQL:** ```kql let LookbackDays = 7d; let MalAttachments = EmailAttachmentInfo | where Timestamp > ago(LookbackDays) | where AccountName !endswith "$" | project NetworkMessageId, RecipientEmailAddress, AttachmentFileName = FileName, AttachmentSHA256 = SHA256; DeviceProcessEvents | where Timestamp > ago(LookbackDays) | where InitiatingProcessFileName in~ ("OUTLOOK.EXE","winword.exe","excel.exe","powerpnt.exe") | where FileName in~ ("cmd.exe","powershell.exe","wscript.exe","cscript.exe", "mshta.exe","rundll32.exe","regsvr32.exe") | join kind=inner MalAttachments on $left.AccountUpn == $right.RecipientEmailAddress | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, AttachmentFileName, AttachmentSHA256 ``` ### Office app spawning script/LOLBin child process `UC_OFFICE_CHILD` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","mspub.exe","visio.exe") AND Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","wmic.exe","bitsadmin.exe","certutil.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where InitiatingProcessFileName in~ ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","mspub.exe","visio.exe") | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","wmic.exe","bitsadmin.exe","certutil.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ### OAuth consent / suspicious app grant `UC_OAUTH_ABUSE` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication.Authentication where Authentication.action="success" AND Authentication.signature IN ( "Consent to application", "Add app role assignment grant to user", "Add OAuth2PermissionGrant", "Add delegated permission grant") by Authentication.user, Authentication.app, Authentication.src, Authentication.signature | `drop_dm_object_name(Authentication)` ``` **Defender KQL:** ```kql CloudAppEvents | where Timestamp > ago(7d) | where ActionType in ("Consent to application.","Add OAuth2PermissionGrant.","Add delegated permission grant.") | project Timestamp, AccountObjectId, AccountDisplayName, ActivityType, ActivityObjects, IPAddress, UserAgent ``` ### Trusted vendor binary / installer launching unusual children `UC_SUPPLY_CHAIN` · phase: **exploit** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("setup.exe","installer.exe","update.exe") AND Processes.process_name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where InitiatingProcessFileName in~ ("setup.exe","installer.exe","update.exe") | where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ## Why this matters Severity classified as **HIGH** based on: 12 use case(s) fired, 19 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.