January 16, 2025 | Updated on: February 6, 2025 | Reading time 7 minutes

Cyberhaven: Latest Research Reveals 8 Additional Compromised Extensions Affecting 1.1 Million Users

Author:
Product Manager

Spin.AI’s latest research has uncovered 8 additional compromised browser extensions, used by 1.1 million users during the time of compromise. This discovery brings the total number of compromised extensions to 40, impacting 3.7 million users in total.

The fallout from the Cyberhaven cyberattack continues to escalate. New findings by Spin.AI reveal that the number of users exposed to compromised extensions is even larger than initially thought. The attack is now known to have compromised additional browser extensions, putting 3.7 million users at risk.

January 28 Update

We processed our database with the remaining IOCs and did not find other extensions included as part of this attack campaign. We continue to monitor the six remaining compromised extensions still available on the marketplace for patches and will update the table in this post accordingly.

Brief Overview of the Cyberhaven Incident

The Cyberhaven cybersecurity incident first became known when its extension developer fell victim to a phishing attempt and, as a result, had malicious code injected into its Chrome extension. Investigation by Cyberhaven, Secure Annex, and others uncovered that this attack is part of a broader campaign targeting Chrome extension developers.

Spin.AI’s Exclusive Findings

In response to the Cyberhaven attack, our team of security researchers conducted an extensive investigation into the malicious extension campaign. We processed our database with the Indicators of Compromise (IOCs) published by others and noted the following findings:

  1. No Spin.AI customers affected by phishing attempt: We reviewed the OAuth ID used in the phishing attempt and found no evidence of our customers falling victim to this phishing attempt.
  2. 8 compromised extensions not previously reported: We processed our database using the IOCs and found the sclpfybn[.]com domain in 8 extensions that were not previously reported. These 8 extensions were used by 1.1 million users during the time of compromise.
  3. Signs of this attack campaign starting in 2023: Thanks to our database, which maintains a history of all browser extensions, we found that the earliest detection of the sclpfybn[.]com domain was in September 2023. While many browser extensions were either quickly patched or removed from the Chrome Web Store, some browser extensions were compromised for over 300 days before receiving a patch.
  4. One extension was compromised earlier than initially reported: One extension (AI Shop Buddy/Amazon Search; epikoohpebngmakjinphfiagogjcnddm) was previously reported to be compromised in v2.7.3. Our database indicates the compromise really began in v2.7.0.

Spin.AI’s Newly Discovered Compromised Extensions

Our internal investigation uncovered an additional eight compromised extensions. These additional extensions affected approximately 1.1 million new users in addition to the original 2.6 million. The findings highlight the growing reach of the Cyberhaven attack. Below are the names and details of these newly identified extensions:

| Extension Name | ID | Compromised Version | Date of Compromise | Patched Version | Date of Patch |
| --- | --- | --- | --- | --- | --- |
| Hub VPN – Free VPN Proxy | lneaocagcijjdpkcabeanfpdbmapcjjg | 1.1.7 | 5/26/2024 | 1.1.8 | 6/6/2024 |
| BitTorrent | aahnibhpidkdaeaplfdogejgoajkjgob | 13.1.0.4, 13.1.0.5, 13.1.0.6 | 3/30/2024 | 13.1.0.7 | 7/15/2024 |
| BrowserSpy | cenplbjdopjciamjdjiehflkhfjmklhm | 0.8, 0.9, 0.10, 0.12, 0.13 | 9/10/2023 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| GPT Login | didhgeamncokiaegffipckhhcpnmlcbl | 1.1.3 – 1.3.1 | 2/19/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| ChatGPT Plus – AI chatbot for Google | egokoghkkmcnnemgcaadjhdihpceopkn | 1.2.9, 1.3.0 | 12/12/2023 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Chat GPT | fnmihdojmnkclgjpcoonokmkhjpjechg | 1.5.8 – 1.6.5 | 12/25/2023 | 1.7.0 | 4/2/2024 |
| Web Mark: bookmark/history/clipboard bundler | jdleicahfbehiikjcaocollfhbnigplo | 3.4, 3.5 | 10/22/2023 | 3.7 | 8/25/2024 |
| Copy and Paste more | mjijaapcbpbcppapekipkdhipfcdpidb | 4.1 | 12/16/2023 | 4.3 | 8/25/2024 |

Known compromised browser extensions

The table below details the extensions that were first identified as compromised, along with affected versions, date of compromise, current patch status, and date of patch (if applicable). The initially known compromised extensions had a total of 2.6 million users.

| Extension Name | ID | Compromised Versions | Date of Compromise | Patched Version | Date of Patch |
| --- | --- | --- | --- | --- | --- |
| VPNCity | nnpnnpemnckcfdebeekibpiijlicmpom | 2.0.1 | 12/11/2024 | 2.2.2 | 1/23/2025 |
| Parrot Talks | kkodiihpgodmdankclfibbiphjkfdenh | 1.16.2 | 12/24/2024 | 1.16.3 | 12/29/2024 |
| Uvoice | oaikpkmjciadfpddlpjjdapglcihgdle | 1.0.12 | 12/25/2024 | 1.0.13 | 12/30/2024 |
| Internxt VPN | dpggmcodlahmljkhlmpgpdcffdaoccni | 1.1.1 | 12/24/2024 | 1.1.2 | 12/26/2024 |
| Bookmark Favicon Changer | acmfnomgphggonodopogfbmkneepfgnh | 4.00 | 12/24/2024 | 5.1 | 12/29/2024 |
| Castorus | mnhffkhmpnefgklngfmlndmkimimbphc | 4.40 | 12/25/2024 | 4.41 | 12/26/2024 |
| Wayin AI | cedgndijpacnfbdggppddacngjfdkaca | 0.0.11 | 12/18/2024 | 0.0.12 | 1/17/2025 |
| Search Copilot AI Assistant for Chrome | bbdnohkpnbkdkmnkddobeafboooinpla | 1.0.1 | 7/16/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| VidHelper – Video Downloader | egmennebgadmncfjafcemlecimkepcle | 2.2.7 | 12/24/2024 | 2.2.9 | 1/27/2025 |
| AI Assistant – ChatGPT and Gemini for Chrome | bibjgkidgpfbblifamdlkdlhgihmfohh | 0.1.3 | 5/30/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| TinaMind – The GPT-4o-powered AI Assistant! | befflofjcniongenjmbkgkoljhgliihe | 2.13.0, 2.13.1 | 12/14/2024 | 2.14.0 | 12/20/2024 |
| Bard AI chat | pkgciiiancapdlpcbppfkmeaieppikkk | 1.3.7 | 9/4/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Reader Mode | llimhhconnjiflfimocjggfjdlmlhblm | 1.5.7, 1.5.8 | 12/7/2024 | 1.6.2 | 1/4/2025 |
| Primus (prev. PADO) | oeiomhmbaapihbilkfkhmlajkeegnjhe | 0.3.18, 0.3.19 | 12/17/2024 | 0.3.20 | 12/24/2024 |
| Tackker – online keylogger tool | ekpkdmohpdnebfedjjfklhpefgpgaaji | 1.3 | 10/5/2023 | 1.4 | 8/12/2024 |
| AI Shop Buddy | epikoohpebngmakjinphfiagogjcnddm | 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.5 | 10/31/2023 | Not patched yet | Not patched yet |
| Sort by Oldest | miglaibdlgminlepgeifekifakochlka | 1.4.5 | 1/10/2024 | Not patched yet | Not patched yet |
| Rewards Search Automator | eanofdhdfbcalhflpbdipkjjkoimeeod | 1.5.0 | 8/25/2024 | Not patched yet | Not patched yet |
| Earny – Up to 20% Cash Back | ogbhbgkiojdollpjbhbamafmedkeockb | 1.8.1 | 4/4/2023 | Not patched yet | Not patched yet |
| ChatGPT Assistant – Smart Search | bgejafhieobnfpjlpcjjggoboebonfcg | 1.1.1 | 2/11/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Keyboard History Recorder | igbodamhgjohafcenbcljfegbipdfjpk | 2.3 | 7/28/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Email Hunter | mbindhfolmpijhodmgkloeeppmkhpmhc | 1.44 | 9/16/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Visual Effects for Google Meet | hodiladlefdpcbemnbbcpclbmknkiaem | 3.1.3, 3.1.4, 3.1.7, 3.2.3 | 6/12/2023 | 3.2.4 | 1/9/2024 |
| Cyberhaven security extension V3 | pajkjnmeojmbapicmbpliphjmcekeaac | 24.10.4 | 12/24/2024 | 24.10.5 | 12/24/2024 |
| GraphQL Network Inspector | ndlbedplllcgconngcnfmkadhokfaaln | 2.22.6 | 12/29/2024 | 2.22.7 | 12/29/2024 |
| GPT 4 Summary with OpenAI | epdjhgbipjpbbhoccdeipghoihibnfja | 1.4 | 8/10/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |
| Vidnoz Flex – Video recorder & Video share | cplhlgabfijoiabgkigdafklbhhdkahj | 1.0.161 | 12/23/2024 | 1.0.165 | 1/4/2025 |
| YesCaptcha assistant | jiofmdifioeejeilfkpegipdjiopiekl | 1.1.61 | 12/29/2024 | 1.1.62 | 1/2/2025 |
| Proxy SwitchyOmega (V3) | hihblcmlaaademjlakdpicchbjnnnkbo | 3.0.2 | 12/28/2024 | 3.0.3 | 1/7/2025 |
| ChatGPT App | lbneaaedflankmgmfbmaplggbmjjmbae | 1.3.8, 1.3.9, 1.4.0, 1.4.1, 1.4.2 | 9/2/2024 | Not patched yet | Not patched yet |
| Web Mirror | eaijffijbobmnonfhilihbejadplhddo | 2.4 | 11/12/2023 | Not patched yet | Not patched yet |
| Hi AI | hmiaoahjllhfgebflooeeefeiafpkfde | 1.0.0 | 7/28/2024 | N/A – Removed from marketplace | N/A – Removed from marketplace |

Whether it be individuals who may have downloaded or updated to one of the compromised extensions or organizations who may be impacted in a larger way, there are key takeaways and action items to be aware of.

Individual users and businesses are encouraged to take the following steps as soon as possible:

  1. Verify whether the extension was used during the period it was compromised: Take an inventory of installed browser extensions and their versions. If a compromised version was or is installed, uninstall or update it immediately.
  2. Change Facebook password: The data exfiltration activities for this particular attack seemed to center around Facebook business accounts. It is important to make sure Facebook account passwords are reset to minimize the damage of potentially stolen cookies.
  3. Enable Multi-Factor Authentication (MFA): This additional security layer makes it much more difficult to compromise user accounts.
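
An inventory check for step 1, added here as an example (it is not Spin.AI's tooling): it walks a Chromium profile's Extensions directory, compares each installed version against rows from the tables above, and flags any bundled script that mentions the sclpfybn[.]com domain. The function names, the assumed on-disk layout (<extension id>/<version directory>/manifest.json) and the three-row sample are choices made for this example.

```python
import json
import tempfile
from pathlib import Path

# Three rows copied from this page's tables (ID -> name, version cell); add the rest the same way.
COMPROMISED = {
    "epikoohpebngmakjinphfiagogjcnddm": ("AI Shop Buddy", "2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.5"),
    "fnmihdojmnkclgjpcoonokmkhjpjechg": ("Chat GPT", "1.5.8 – 1.6.5"),
    "pajkjnmeojmbapicmbpliphjmcekeaac": ("Cyberhaven security extension V3", "24.10.4"),
}
IOC_DOMAIN = "sclpfybn.com"  # the domain this page lists in defanged form

def vtuple(version):
    """'1.6.5' -> (1, 6, 5), so versions compare numerically rather than as text."""
    return tuple(int(part) for part in version.strip().split("."))

def version_matches(version, spec):
    """True if version falls in a table cell such as '3.4, 3.5' or '1.5.8 – 1.6.5'."""
    for item in spec.split(","):
        low, _, high = item.partition("–")  # high is empty for a single version
        if vtuple(low) <= vtuple(version) <= vtuple(high or low):
            return True
    return False

def scan_extensions(extensions_dir):
    """Walk <Extensions>/<id>/<version dir>/ and return (id, version, reason) findings."""
    findings = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id, ext_dir = manifest.parent.parent.name, manifest.parent
        version = json.loads(manifest.read_text(encoding="utf-8"))["version"]
        if ext_id in COMPROMISED and version_matches(version, COMPROMISED[ext_id][1]):
            findings.append((ext_id, version, "listed compromised version"))
        if any(IOC_DOMAIN in js.read_text(encoding="utf-8", errors="ignore")
               for js in ext_dir.rglob("*.js")):
            findings.append((ext_id, version, "IOC domain in bundled script"))
    return findings

def build_sample(root, ext_id, version, script_text):
    """Constructed fixture: one fake unpacked extension under root (not real contents)."""
    ext_dir = Path(root) / ext_id / f"{version}_0"
    ext_dir.mkdir(parents=True)
    (ext_dir / "manifest.json").write_text(json.dumps({"version": version}))
    (ext_dir / "worker.js").write_text(script_text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, "fnmihdojmnkclgjpcoonokmkhjpjechg", "1.6.0", "// constructed")
        build_sample(root, "a" * 32, "1.0.0", f"// constructed: {IOC_DOMAIN}")
        print(*scan_extensions(root), sep="\n")
```

This only sees the version installed right now; establishing whether a compromised version was present earlier requires update history from endpoint or browser management logs.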

The Cyberhaven attack shows that while third-party browser extensions and SaaS apps can increase productivity, they can also pose a significant security threat. We are committed to helping users stay informed and secure by sharing our security research with the community. To learn more about how our solution can protect your organization from similar threats:

  • Talk to us: Schedule a call with our security specialists to discuss your organization’s risk exposure and ways to mitigate it.

As this story develops, we will continue to provide updates and findings to help you safeguard data and users from new and emerging attacks.

Frequently Asked Questions

Does this apply to Chromium browsers with these extensions?

Yes, the compromised extensions were/are accessible on all Chromium-based browsers. Edge users who have installed these extensions may also be at risk. This blog provides a detailed list of additional compromised extensions, along with their affected versions and the dates of compromise or patching. You can use this information to verify whether you were using any of these extensions during the affected period.

Written by

Product Manager at Spin.AI

Will Tran is the Product Manager at Spin.AI, where he guides the product's strategic direction, oversees feature development and ensures that the solution solves his clients’ cybersecurity needs.

Will is a security professional who started his career at Lockheed Martin where he worked on National Security Space programs in business development and product management.

Will holds a BA in Economics and Mathematics from UCSB and an MBA with a specialization in Technology Management and Marketing from UCLA Anderson School of Management.

At Lockheed Martin, Will developed the multi-year strategy campaign and supported the product development of a national security satellite program for the United States Air Force, which resulted in a multi-billion dollar contract.

During business school, Will consulted 2 non-profit organizations as part of a series of national consulting case competitions. He set strategic priorities, optimized business operations, and developed a process to qualify new revenue streams for his non-profit clients. These initiatives resulted in 15-20% increase in annual surplus.

In his spare time, Will can be found at local coffee shops around Los Angeles, traveling to different countries, or hanging out with his cat.
