LatestTrusted by NVIDIA, Amazon and Banks, This Extension Let Any Website Run Code on Your PC

Find out what isspying on you

Search for problematic browser extensions across your fleet.

Our Findings

Read the code, not the manifest

We find problems no one else does because we don't just have a static scanner which looks for known patterns.
We read what the code actually does, every line.

Deobfuscation

Stylish hid behind 4 layers of base64 + AES-256-CBC + a columnar transposition cipher.
We unwrapped all of it.

Re-analysed on every update

Cyberhaven's attackers didn't change permissions, they changed code. We rescan every release, so a trusted extension can't quietly pivot into a stealer.

Novel-attack detection

LLM pipeline catches what no signature has seen: encoded payloads assembled at runtime, weird egress, page leaks.

Instrumented sandbox

An agent drives the extension like a real user, with aged accounts to trigger gated behavior.

Network egress capture

Every outbound request, traced live

We don't miss the 1 in 1000 that will cause you major problems.

Layered defence. Every finding survives cross-examination before it ever reaches you.

Recently flagged by us

Recent findings.

Threat Intelligence Feed

Plug our intel into your SOC.

Every confirmed finding, malware in silent updates and vulnerabilities in trusted extensions, published as machine-readable threat intel your stack can ingest.

Explore the feed

STIX 2.1 native

Indicators, malware, and relationship objects straight from the spec. No proprietary schema to map.

Mapped to MITRE ATT&CK

Every object carries technique and CWE IDs, so findings drop straight into your existing detections.

// One object from the collection
{
"type": "indicator",
"spec_version": "2.1",
"name": "Credential exfiltration via hooked fetch",
"labels": ["malware"],
"x_aibp_severity": "critical",
"x_aibp_extension": "fjnbnpbm…@3.1.2",
"x_mitre_attack": ["T1056", "T1119"]
}

Works with
every popular browser

Chrome
Firefox
Safari
Edge
Opera
Brave
Arc
Vivaldi

The pipeline

From every store to a claim you can audit.

How it works

Chrome Web Store

315K extensions

Edge Add-ons

30K extensions

Safari Extensions

12K extensions

01

Static Analysis

Agents read the bundle before it ever runs. Manifest, code and supply chain.

manifest.json · host_permissions · code-bundle · npm-tree · signing-cert

02

Dynamic Analysis

Detonated in a sandboxed browser. Every call, request and write is traced.

network.trace · dom.access · storage.io · eval.calls · exfil.detect

03

Agentic Verification

Multiple agents cross-check findings and reconcile them into a single claim with cited evidence.

cross-ref · dedupe · evidence-link · severity-score

c-47291·Critical

Exfiltrates all URLs in real time

8M Users

c-47263·High

Trusts main world in cryptographic operations

2M Users

c-47218·Low

Scoped to single host, no telemetry

700k Users

Join the conversation.

Researchers, security teams, banks, government agencies we've quietly saved from a very bad week.

Nang

Nang

CTO, Streamable

At Streamable, we can't afford security incidents and Am I Being Pwned found problematic extensions we had installed.

Centre for Cybersecurity Belgium

Centre for Cybersecurity Belgium

Wall of Fame 2026

Recognised for the responsible disclosure of critical vulnerabilities affecting users in Belgium and across the EU.

@phia

@phia

Phoebe Gates & Sophia Kianni

Am I Being Pwned made Phia more secure.

Integrations

Plug into your fleet.

Three ways to wire up Am I Being Pwned. Use one or all of them.

Browser extension

Invite link or MDM code enrollment. Every extension your team runs, continuously monitored.

MDM integration

Google Admin Console today. Intune, Jamf, and Kandji in development.

Interested?

Book a call