Shadow IT Battlefield: The CyberHaven Breach and Browser Extension Security
Rohit Bansal, Zach Pritchard
BSidesSF 2025 — Here Be Dragons · Day 2 · Main
The December 2024 CyberHaven breach — in which attackers phished a developer's Google credentials, abused OAuth to upload a malicious Chrome extension, and compromised a data-loss prevention tool used by enterprise customers — was not an isolated incident. It was part of a campaign that hit more than 30 extensions. Rohit Bansal and Zach Pritchard from Grammarly describe how their own team was targeted, how existing preventive controls stopped the attack before it landed, and what it took to build a mature browser extension and OAuth governance program from scratch.

---
AI review
Grammarly survived the December 2024 Chrome extension supply chain campaign because it had already built the controls — allowlisted OAuth apps, allowlisted extensions — six months before the campaign landed. Bansal and Pritchard then go further with Chrome Watch, a Tree-sitter-based JavaScript taint-flow analysis system that flips the detection posture from reactive to proactive. Rare to see a talk where the preventive controls visibly saved the presenter's organization from an active campaign.
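The abstract credits extension allowlisting as one of the controls that held. The policy file below is an added example, not material from the talk or from Grammarly's program: a Chrome enterprise `ExtensionSettings` policy that blocks every extension by default and permits only the listed IDs. The two extension IDs are placeholders (a real Chrome extension ID is 32 characters drawn from the letters a through p), and the file is assumed to be dropped into Chrome's managed-policy directory on Linux (`/etc/opt/chrome/policies/managed/`); Windows and macOS deliver the same keys through the registry or a configuration profile.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be reviewed by Security before install. Request approval through the IT portal."
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "installation_mode": "allowed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    }
  }
}
```

The weak configuration is the one most fleets run implicitly: no `ExtensionSettings` policy at all, which is equivalent to `"*": {"installation_mode": "allowed"}` and lets any user install anything from the Web Store. The caveat that matters for this campaign is that the allowlist keys on extension ID, not on version or code: the policy offers `minimum_version_required` but no way to pin a maximum version, so a malicious update pushed through a compromised developer account still auto-updates onto every allowlisted install. Allowlisting shrinks the attack surface to the extensions you chose; it does not vet the code those extensions ship next week, which is the gap that analysis of extension code (as the review describes Chrome Watch doing) is meant to cover.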