Spin.AI’s latest research has uncovered 8 additional compromised browser extensions, used by 1.1 million users during the time of compromise. This discovery brings the total number of compromised extensions to 40, impacting 3.7 million users in total.

The fallout from the Cyberhaven cyberattack continues to escalate. New findings by Spin.AI reveal the scale of affected users targeted with compromised extensions is even larger than initially thought. The attack is now known to have compromised additional browser extensions, putting 3.7 million users at risk.

January 28 Update

We processed our database with the remaining IOCs and did not find other extensions included as part of this attack campaign. We continue to monitor the six remaining compromised extensions still available on the marketplace for patches and will update the table in this post accordingly.

Brief Overview of the Cyberhaven Incident

The Cyberhaven cybersecurity incident first became known when its extension developer fell victim to a phishing attempt and, consequently, had malicious code injected into its Chrome extension. After investigation by Cyberhaven, Secure Annex, and others, it was uncovered that this attack is part of a broader campaign to target Chrome Extension developers.

Spin.AI’s Exclusive Findings

In response to the Cyberhaven attack, our team of security researchers conducted an extensive investigation into the malicious extension campaign. We processed our database with the Indicators of Compromise (IOCs) published by others and noted the following findings:

- No Spin.AI customers affected by phishing attempt: We reviewed the OAuth ID used in the phishing attempt and found no evidence of our customers falling victim to this phishing attempt.
- 8 compromised extensions not previously reported: We processed our database using the IOCs and found the sclpfybn[.]com domain in 8 extensions that were not previously reported. These 8 extensions were used by 1.1 million users during the time of compromise.
- Signs of this attack campaign starting in 2023: Thanks to our database, which maintains a history of all browser extensions, we found that the earliest detection of the sclpfybn[.]com domain was in September 2023. While many browser extensions were either quickly patched or removed from the Chrome Web Store, some browser extensions were compromised for over 300 days before receiving a patch.
- One extension was compromised earlier than initially reported: One extension (AI Shop Buddy/Amazon Search; epikoohpebngmakjinphfiagogjcnddm) was previously reported to be compromised in v2.7.3. Our database indicates the compromise really began in v2.7.0.

Spin.AI’s Newly Discovered Compromised Extensions

Our internal investigation uncovered an additional eight compromised extensions. These additional extensions affected approximately 1.1 million new users in addition to the original 2.6 million. The findings highlight the growing reach of the Cyberhaven attack.
Below are the names and details of these newly identified extensions:

| Extension Name | ID | Compromised Version | Date of Compromise | Patched Version | Date of Patch |
| --- | --- | --- | --- | --- | --- |
| Hub VPN – Free VPN Proxy | lneaocagcijjdpkcabeanfpdbmapcjjg | 1.1.7 | 5/26/2024 | 1.1.8 | 6/6/2024 |
| BitTorrent | aahnibhpidkdaeaplfdogejgoajkjgob | 13.1.0.4, 13.1.0.5, 13.1.0.6 | 3/30/2024 | 13.1.0.7 | 7/15/2024 |
| BrowserSpy | cenplbjdopjciamjdjiehflkhfjmklhm | 0.8, 0.9, 0.10, 0.12, 0.13 | 9/10/2023 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| GPT Login | didhgeamncokiaegffipckhhcpnmlcbl | 1.1.3 – 1.3.1 | 2/19/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| ChatGPT Plus – AI chatbot for Google | egokoghkkmcnnemgcaadjhdihpceopkn | 1.2.9, 1.3.0 | 12/12/2023 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Chat GPT | fnmihdojmnkclgjpcoonokmkhjpjechg | 1.5.8 – 1.6.5 | 12/25/2023 | 1.7.0 | 4/2/2024 |
| Web Mark: bookmark/history/clipboard bundler | jdleicahfbehiikjcaocollfhbnigplo | 3.4, 3.5 | 10/22/2023 | 3.7 | 8/25/2024 |
| Copy and Paste more | mjijaapcbpbcppapekipkdhipfcdpidb | 4.1 | 12/16/2023 | 4.3 | 8/25/2024 |

Known compromised browser extensions

The table below details the extensions that were first identified as compromised, along with affected versions, date of compromise, current patch status, and date of patch (if applicable).
The initially known compromised extensions had a total of 2.6 million users.

| Extension Name | ID | Compromised Versions | Date of Compromise | Patched Version | Date of Patch |
| --- | --- | --- | --- | --- | --- |
| VPNCity | nnpnnpemnckcfdebeekibpiijlicmpom | 2.0.1 | 12/11/2024 | 2.2.2 | 1/23/2025 |
| Parrot Talks | kkodiihpgodmdankclfibbiphjkfdenh | 1.16.2 | 12/24/2024 | 1.16.3 | 12/29/2024 |
| Uvoice | oaikpkmjciadfpddlpjjdapglcihgdle | 1.0.12 | 12/25/2024 | 1.0.13 | 12/30/2024 |
| Internxt VPN | dpggmcodlahmljkhlmpgpdcffdaoccni | 1.1.1 | 12/24/2024 | 1.1.2 | 12/26/2024 |
| Bookmark Favicon Changer | acmfnomgphggonodopogfbmkneepfgnh | 4.00 | 12/24/2024 | 5.1 | 12/29/2024 |
| Castorus | mnhffkhmpnefgklngfmlndmkimimbphc | 4.40 | 12/25/2024 | 4.41 | 12/26/2024 |
| Wayin AI | cedgndijpacnfbdggppddacngjfdkaca | 0.0.11 | 12/18/2024 | 0.0.12 | 1/17/2025 |
| Search Copilot AI Assistant for Chrome | bbdnohkpnbkdkmnkddobeafboooinpla | 1.0.1 | 7/16/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| VidHelper – Video Downloader | egmennebgadmncfjafcemlecimkepcle | 2.2.7 | 12/24/2024 | 2.2.9 | 1/27/2025 |
| AI Assistant – ChatGPT and Gemini for Chrome | bibjgkidgpfbblifamdlkdlhgihmfohh | 0.1.3 | 5/30/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| TinaMind – The GPT-4o-powered AI Assistant! | befflofjcniongenjmbkgkoljhgliihe | 2.13.0, 2.13.1 | 12/14/2024 | 2.14.0 | 12/20/2024 |
| Bard AI chat | pkgciiiancapdlpcbppfkmeaieppikkk | 1.3.7 | 9/4/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Reader Mode | llimhhconnjiflfimocjggfjdlmlhblm | 1.5.7, 1.5.8 | 12/7/2024 | 1.6.2 | 1/4/2025 |
| Primus (prev. PADO) | oeiomhmbaapihbilkfkhmlajkeegnjhe | 0.3.18, 0.3.19 | 12/17/2024 | 0.3.20 | 12/24/2024 |
| Tackker – online keylogger tool | ekpkdmohpdnebfedjjfklhpefgpgaaji | 1.3 | 10/5/2023 | 1.4 | 8/12/2024 |
| AI Shop Buddy | epikoohpebngmakjinphfiagogjcnddm | 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.5, 2.7.6 | 10/31/2023 | Not patched yet | Not patched yet |
| Sort by Oldest | miglaibdlgminlepgeifekifakochlka | 1.4.5 | 1/10/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Rewards Search Automator | eanofdhdfbcalhflpbdipkjjkoimeeod | 1.5.0 | 8/25/2024 | Not patched yet | Not patched yet |
| Earny – Up to 20% Cash Back | ogbhbgkiojdollpjbhbamafmedkeockb | 1.8.1 | 4/4/2023 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| ChatGPT Assistant – Smart Search | bgejafhieobnfpjlpcjjggoboebonfcg | 1.1.1 | 2/11/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Keyboard History Recorder | igbodamhgjohafcenbcljfegbipdfjpk | 2.3 | 7/28/2024 | 2.5 | 2/8/2025 |
| Email Hunter | mbindhfolmpijhodmgkloeeppmkhpmhc | 1.44 | 9/16/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Visual Effects for Google Meet | hodiladlefdpcbemnbbcpclbmknkiaem | 3.1.3, 3.1.4, 3.1.7, 3.2.3 | 6/12/2023 | 3.2.4 | 1/9/2024 |
| Cyberhaven security extension V3 | pajkjnmeojmbapicmbpliphjmcekeaac | 24.10.4 | 12/24/2024 | 24.10.5 | 12/24/2024 |
| GraphQL Network Inspector | ndlbedplllcgconngcnfmkadhokfaaln | 2.22.6 | 12/29/2024 | 2.22.7 | 12/29/2024 |
| GPT 4 Summary with OpenAI | epdjhgbipjpbbhoccdeipghoihibnfja | 1.4 | 8/10/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Vidnoz Flex – Video recorder & Video share | cplhlgabfijoiabgkigdafklbhhdkahj | 1.0.161 | 12/23/2024 | 1.0.165 | 1/4/2025 |
| YesCaptcha assistant | jiofmdifioeejeilfkpegipdjiopiekl | 1.1.61 | 12/29/2024 | 1.1.62 | 1/2/2025 |
| Proxy SwitchyOmega (V3) | hihblcmlaaademjlakdpicchbjnnnkbo | 3.0.2 | 12/28/2024 | 3.0.3 | 1/7/2025 |
| ChatGPT App | lbneaaedflankmgmfbmaplggbmjjmbae | 1.3.8, 1.3.9, 1.4.0, 1.4.1, 1.4.2 | 9/2/2024 | Not patched yet | Not patched yet |
| Web Mirror | eaijffijbobmnonfhilihbejadplhddo | 2.4 | 11/12/2023 | Not patched yet | Not patched yet |
| Hi AI | hmiaoahjllhfgebflooeeefeiafpkfde | 1.0.0 | 7/28/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |

Recommended actions

Whether it be individuals who may have downloaded or updated to one of the compromised extensions or organizations who may be impacted in a larger way, there are key takeaways and action items to be aware of.

Individual users and businesses are encouraged to take the following steps as soon as possible:

- Verify whether the extension was used during the period it was compromised: Take an inventory of the installed browser extensions and their versions. If a compromised version was or is installed, uninstall or update it immediately.
- Change Facebook password: The data exfiltration activities for this particular attack seemed to center around Facebook business accounts. It is important to make sure Facebook account passwords are reset to minimize the damage of potentially stolen cookies.
- Enable Multi-Factor Authentication (MFA): This additional security layer makes it much more difficult to compromise user accounts.

The Cyberhaven attack shows that while third-party browser extensions and SaaS apps can increase productivity, they can also pose a significant security threat. We are committed to helping users stay informed and secure by sharing our security research with the community. To learn more about how our solution can protect your organization from similar threats, talk to us: schedule a call with our security specialists to discuss your organization’s risk exposure and ways to mitigate it.

As this story develops, we will continue to provide updates and findings to help you safeguard data and users from new and emerging attacks.

Frequently Asked Questions

Does this apply to Chromium browsers with these extensions?

Yes, the compromised extensions were/are accessible on all Chromium-based browsers. Edge users who have installed these extensions may also be at risk. This blog provides a detailed list of additional compromised extensions, along with their affected versions and the dates of compromise or patching.
You can use this information to verify whether you were using any of these extensions during the affected period.
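
The inventory step under Recommended actions, as an added example (not Spin.AI's code): it walks a Chromium profile's Extensions directory and flags installed versions that appear in the tables above. The COMPROMISED dictionary holds only a few rows from those tables, and the function names and the profile path you pass in are assumptions.

```python
import json
from pathlib import Path

# Subset of the tables above: extension ID -> (name, compromised versions).
# A (low, high) tuple is an inclusive range, e.g. "1.5.8 – 1.6.5".
COMPROMISED = {
    "lneaocagcijjdpkcabeanfpdbmapcjjg": ("Hub VPN – Free VPN Proxy", ["1.1.7"]),
    "aahnibhpidkdaeaplfdogejgoajkjgob": (
        "BitTorrent", ["13.1.0.4", "13.1.0.5", "13.1.0.6"]),
    "fnmihdojmnkclgjpcoonokmkhjpjechg": ("Chat GPT", [("1.5.8", "1.6.5")]),
    "pajkjnmeojmbapicmbpliphjmcekeaac": (
        "Cyberhaven security extension V3", ["24.10.4"]),
    "eaijffijbobmnonfhilihbejadplhddo": ("Web Mirror", ["2.4"]),
}


def vkey(version):
    """Turn '13.1.0.4' into (13, 1, 0, 4) so versions compare numerically."""
    return tuple(int(part) for part in str(version).split("."))


def is_compromised(ext_id, version):
    """True if this ID/version pair is listed as compromised."""
    _, specs = COMPROMISED.get(ext_id, ("", []))
    for spec in specs:
        if isinstance(spec, tuple):
            if vkey(spec[0]) <= vkey(version) <= vkey(spec[1]):
                return True
        elif vkey(spec) == vkey(version):
            return True
    return False


def scan_profile(profile_dir):
    """Return sorted (id, name, version) tuples for compromised installs."""
    # Assumed layout: <profile>/Extensions/<id>/<version>_<n>/manifest.json
    hits = []
    for manifest in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version = data["version"]
            if is_compromised(ext_id, version):
                hits.append((ext_id, COMPROMISED[ext_id][0], str(version)))
        except (OSError, ValueError, KeyError, TypeError):
            continue  # unreadable or malformed manifest: skip it
    return sorted(hits)
```

Pass the profile directory, for example `~/.config/google-chrome/Default` on Linux. An empty result only describes what is installed now, not whether a compromised version was present earlier.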