
SUP-COMPROMISE-006 Compromised editor or browser extension

A discovered editor or browser extension matches a curated supply-chain incident in the compromised_extension kind. This is the same catalog hit that EXT-001 surfaces during vulkro extension-audit; SUP-COMPROMISE-006 is the rule-id that fires when the same catalog row is reached through a different surface (e.g. an extension manifest encountered during a vulkro scan over a tree that happens to contain one).

Catalogued incidents under this kind:

  • INCIDENT-2023-shades-of-purple-vscode (vscode-marketplace: [email protected]), the VS Code Marketplace typosquat-and-hijack campaign that loaded a remote-shell payload from an attacker host.
  • INCIDENT-2024-cyberhaven-chrome (chrome-webstore: [email protected]), the December 2024 Cyberhaven Chrome publisher phish that exfiltrated session cookies, identity tokens, and Facebook business credentials.
  • INCIDENT-2024-internxt-vpn-chrome (chrome-webstore: [email protected]), the sibling Chrome extension hit by the same campaign that compromised Cyberhaven.

What Vulkro detects

The detector walks every (ecosystem, identifier, version) triple discovered for editor or browser extensions and looks each one up against the curated catalog. A row whose kind is compromised_extension and whose versions[] contains the installed version produces a SUP-COMPROMISE-006 finding.

Severity: the catalog row's severity field (Critical for Cyberhaven, High for Internxt VPN and Shades of Purple). Confidence: High. Evidence signal: compromised-release-exact-version-match, weight 1.0.

Catalog ecosystems covered:

  • vscode-marketplace (VS Code, Cursor, Windsurf, VSCodium)
  • open-vsx
  • chrome-webstore (Chrome, Chromium, Brave, Edge, Arc)
  • firefox-amo

Non-compliant install

A Chrome extension manifest at ~/Library/Application Support/Google/Chrome/Default/Extensions/pajkjnmeojmbapicmbpliphjmcekeaac/24.10.4/manifest.json:

{
  "manifest_version": 3,
  "name": "Cyberhaven security extension",
  "version": "24.10.4"
}

The path encodes the catalogued (chrome-webstore, pajkjnmeojmbapicmbpliphjmcekeaac, 24.10.4) triple.

Compliant install

{
  "manifest_version": 3,
  "name": "Cyberhaven security extension",
  "version": "24.10.5"
}

Any installed version that does not appear in the catalog row's versions[] passes; the match is an exact-version match, not a range check.
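The following is an added example, not Vulkro's own code, showing the lookup described under "What Vulkro detects" applied to the non-compliant and compliant manifests above. It assumes the Chrome on-disk layout (<profile>/Extensions/<32-char id>/<version>/manifest.json) and models the catalog as a small in-memory table: the Cyberhaven row reuses the ecosystem, extension id, version and severity stated on this page, while the two extra rows, the function names (triple_from_chrome_path, lookup, check_manifest) and the finding dict layout are constructed for illustration. It also goes one step beyond the page by looking up both the path's version directory and the manifest's own "version" field, so that a disagreement between the two cannot hide a catalogued release.

```python
import json
import re
from dataclasses import dataclass

# Chrome/Chromium keep Web Store installs at
# <profile>/Extensions/<32-char id>/<version>/manifest.json; ids use letters a-p.
CHROME_EXT_PATH = re.compile(
    r"/Extensions/(?P<id>[a-p]{32})/(?P<version>[^/]+)/manifest\.json$"
)


@dataclass(frozen=True)
class CatalogRow:
    incident: str
    kind: str
    ecosystem: str
    identifier: str
    versions: tuple   # exact versions known to be compromised
    severity: str


# Constructed catalog (assumption: real rows live in Vulkro's curated data).
# Row 1 uses the values from this page; rows 2 and 3 are invented placeholders
# that exercise the multi-version branch and the "wrong kind" branch.
CATALOG = (
    CatalogRow("INCIDENT-2024-cyberhaven-chrome", "compromised_extension",
               "chrome-webstore", "pajkjnmeojmbapicmbpliphjmcekeaac",
               ("24.10.4",), "Critical"),
    CatalogRow("INCIDENT-EXAMPLE-placeholder", "compromised_extension",
               "chrome-webstore", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
               ("1.0.0", "1.0.1"), "High"),
    CatalogRow("INCIDENT-EXAMPLE-other-kind", "malicious_package",
               "chrome-webstore", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
               ("2.0.0",), "High"),
)


def triple_from_chrome_path(path):
    """Recover the (ecosystem, identifier, version) triple from a Chrome manifest path."""
    m = CHROME_EXT_PATH.search(path)
    if m is None:
        return None
    return ("chrome-webstore", m.group("id"), m.group("version"))


def lookup(triple, catalog=CATALOG):
    """Return the compromised_extension row whose versions[] holds this exact version, else None."""
    ecosystem, identifier, version = triple
    for row in catalog:
        if (row.kind == "compromised_extension"
                and row.ecosystem == ecosystem
                and row.identifier == identifier
                and version in row.versions):
            return row
    return None


def check_manifest(path, manifest_text, catalog=CATALOG):
    """Emit a SUP-COMPROMISE-006 finding (as a dict) for a catalogued install, else None."""
    triple = triple_from_chrome_path(path)
    if triple is None:
        return None
    manifest = json.loads(manifest_text)
    ecosystem, identifier, path_version = triple
    # The version directory and the manifest's "version" normally agree;
    # check both so a mismatch cannot hide a catalogued release.
    candidates = {path_version, str(manifest.get("version", path_version))}
    for version in sorted(candidates):
        row = lookup((ecosystem, identifier, version), catalog)
        if row is not None:
            return {
                "rule_id": "SUP-COMPROMISE-006",
                "incident": row.incident,
                "ecosystem": ecosystem,
                "identifier": identifier,
                "version": version,
                "name": manifest.get("name"),
                "severity": row.severity,
                "confidence": "High",
                "evidence": [{"signal": "compromised-release-exact-version-match",
                              "weight": 1.0}],
                "path": path,
            }
    return None


# Constructed sample input mirroring the two manifests on this page.
NONCOMPLIANT_PATH = ("/Users/dev/Library/Application Support/Google/Chrome/Default/"
                     "Extensions/pajkjnmeojmbapicmbpliphjmcekeaac/24.10.4/manifest.json")
NONCOMPLIANT_MANIFEST = ('{"manifest_version": 3, '
                         '"name": "Cyberhaven security extension", "version": "24.10.4"}')
COMPLIANT_PATH = NONCOMPLIANT_PATH.replace("24.10.4", "24.10.5")
COMPLIANT_MANIFEST = NONCOMPLIANT_MANIFEST.replace("24.10.4", "24.10.5")

if __name__ == "__main__":
    print(json.dumps(check_manifest(NONCOMPLIANT_PATH, NONCOMPLIANT_MANIFEST), indent=2))
    print(check_manifest(COMPLIANT_PATH, COMPLIANT_MANIFEST))  # None: 24.10.5 is not catalogued
```

Rows of any other kind (the malicious_package placeholder) are deliberately ignored here because SUP-COMPROMISE-006 fires only on compromised_extension; the sibling SUP-COMPROMISE rules cover the other kinds.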

Remediation

  1. Uninstall the catalogued extension version immediately.
  2. Reinstall a clean release published before the compromise window or after the publisher's incident-response patch. If the publisher has not issued a clean update, leave the extension uninstalled entirely.
  3. Editor and browser extensions execute with the host process's authority. Treat the host as compromised for the window the bad version was active: rotate every credential the editor or browser could observe (git tokens, npm publish tokens, cloud-CLI tokens, OAuth refresh tokens, session cookies for sites the user was signed into, password-manager session tokens).
  4. Review the marketplace listing for the vendor's incident response notice and follow any additional guidance.
  5. Run vulkro respond against every project on the machine to find every other place the same package or extension version is in use.

See also

  • vulkro scan - parent CLI; emits this rule when the same catalog row is hit through dep-scanning rather than the dedicated audit.
  • vulkro extension-audit - the dedicated subcommand for editor + browser extensions; EXT-001 is the same catalog hit surfaced through the audit path.
  • EXT-001 - the extension-audit-side rule for the same catalog match.
  • MCP-006 - the same catalog applied to MCP server pins.
  • SUP-COMPROMISE-001 through 005 - sibling rules for the other catalog kinds.