Severity: high
Tags: oauth, phishing, chrome

Cyberhaven / GraphQL Network Inspector

OAuth-phishing of extension developers led to malicious updates. GraphQL Network Inspector v2.22.6 injected credential/session-stealing JS. The only Chrome-extension incident with published file hashes.

Disclosed: December 25, 2024
Status: remediated

Overview

A targeted OAuth-phishing wave against Chrome extension developers (disclosed ~Dec 2024) pushed malicious updates. GraphQL Network Inspector v2.22.6 injected two scripts that harvested OpenAI API keys, session tokens, and Facebook Business credentials.

IOC note

Slightly predates the June 2025–2026 window but included for its IOCs: the two injected JS files are the only published malicious-extension SHA256 hashes in the dataset.

Affected extensions (1)

Name                       Store    ID                                  Malicious version   Archived
GraphQL Network Inspector  chrome   unknown-graphql-network-inspector   2.22.6              no

Indicators of compromise (2)

Type     Value                                                              File
sha256   b0827dc54349b10098a7370ada4ea44ba668b264ccca2db5676be1c32e6cc154   background.js
sha256   d303047205dabec8e2d34431e920ebe3478ca80a18f57bf454da094aca0e10aa   context_responder.js
