Cyberhaven (phishing-compromised build): Active Safety Warning
What happened
On December 24, 2024, an attacker phished a Cyberhaven employee and published a malicious version (24.10.4) of the company's own Chrome extension, which exfiltrated cookies and authenticated sessions before Google pulled it. Researchers tied it to a wider campaign that hit dozens of other extensions.
What to do now
Anyone who ran the bad build should update to a clean version, then rotate passwords and revoke active sessions for any site they used while it was installed — the extension could read authenticated cookies.
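One way to check profiles for the bad build on disk, as an added example that is not from Cyberhaven or this tracker. It assumes Chrome's usual `<user data dir>/<profile>/Extensions/<extension id>/<version dir>/manifest.json` layout; the extension ID and the sample tree are constructed placeholders, since this page does not give the real ID.

```python
import json
import tempfile
from pathlib import Path

BAD_VERSION = "24.10.4"  # malicious build named on this page
SAMPLE_ID = "a" * 32     # constructed ID; substitute the real extension ID


def installed_versions(user_data_dir, ext_id):
    """Yield (profile_name, manifest_version) for each on-disk copy of ext_id."""
    pattern = f"*/Extensions/{ext_id}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        profile = manifest.parents[3].name  # .../<profile>/Extensions/<id>/<dir>/
        try:
            version = json.loads(manifest.read_text(encoding="utf-8-sig")).get("version")
        except (OSError, ValueError, AttributeError):
            version = None  # unreadable manifest: report it rather than skip it
        yield profile, version


def triage(user_data_dir, ext_id, bad_version=BAD_VERSION):
    """Return (profiles holding the bad build, profiles with unreadable manifests)."""
    compromised, unreadable = [], []
    for profile, version in installed_versions(user_data_dir, ext_id):
        if version == bad_version:
            compromised.append(profile)
        elif version is None:
            unreadable.append(profile)
    return compromised, unreadable


def build_sample(root, ext_id):
    """Constructed tree: one bad build, one other version, one corrupt manifest."""
    samples = {"Default": '{"version": "24.10.4"}',
               "Profile 1": '{"version": "99.0.0"}',  # constructed version number
               "Profile 2": "{not json"}
    for profile, body in samples.items():
        d = Path(root) / profile / "Extensions" / ext_id / "v_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, SAMPLE_ID)
        print(triage(tmp, SAMPLE_ID))
```

A clean result only describes what is on disk now: a profile that has since auto-updated may still have run 24.10.4 earlier, so the rotation advice above applies to it as well.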
Source
Cyberhaven incident report. Every entry on this tracker is verified against its source before publishing.