    New Malicious Chrome Extensions Steal Enterprise HR Credentials and Enable Full Account Takeovers

    January 27, 2026

    Security researchers have uncovered a coordinated campaign of malicious Google Chrome browser extensions that were publicly available in the Chrome Web Store and disguised as legitimate productivity or security tools. These extensions specifically targeted widely used enterprise human resources (HR) and enterprise resource planning (ERP) platforms such as Workday, NetSuite, and SAP SuccessFactors, tricking users into installing them and then quietly stealing authentication credentials and session tokens. Once installed, the extensions performed a range of harmful actions, including siphoning cookies tied to login sessions to remote attackers, blocking access to administrative security pages so that legitimate incident response is obstructed, and even injecting stolen authentication tokens back into browsers to facilitate account hijacking without needing usernames, passwords, or multi-factor codes. The campaign affected over 2,300 installations before removal, and though the malicious add-ons were taken down from the official Chrome Web Store, risks remain if users installed them through third-party sources. Security experts warn that this incident underscores persistent weaknesses in browser extension vetting and enterprise endpoint security practices.

    Sources:

    https://www.bleepingcomputer.com/news/security/credential-stealing-chrome-extensions-target-enterprise-hr-platforms/
    https://www.scworld.com/news/workday-netsuite-and-successfactors-sessions-targeted-by-malicious-chrome-extensions
    https://www.thehackernews.com/2026/01/five-malicious-chrome-extensions.html

    Key Takeaways

    • A suite of five malicious Chrome extensions masqueraded as helpful enterprise tools to steal HR/ERP platform credentials and session cookies.
    • These extensions could block security admin pages and facilitate full session hijacking, bypassing even multi-factor authentication.
    • The operation highlights ongoing enforcement and extension-vetting gaps in browser extension ecosystems that threat actors exploit.

    In-Depth

    In the latest sign that threat actors are finding new ways to exploit trusted software layers, cybersecurity researchers have disclosed a coordinated campaign of malicious Chrome extensions that targeted enterprise human resources (HR) and enterprise resource planning (ERP) systems. These extensions, which were publicly available through Google’s Chrome Web Store, posed as productivity enhancers and security tools to users of enterprise applications such as Workday, NetSuite, and SAP SuccessFactors. Once installed, they quietly conducted credential theft and session hijacking operations that could give attackers unfettered access to corporate systems.

    The malicious extensions were first identified through analysis by Socket’s Threat Research Team and others, who noted that although the extensions appeared to offer value-added services for HR and ERP users, they in fact contained code engineered to steal authentication cookies, interfere with security processes, and hand over control of authenticated sessions to remote attackers. These session cookies, the tokens that allow authenticated access, were exfiltrated to attacker-controlled infrastructure on a frequent, automated cadence, permitting attackers to maintain control even if a user logged out or attempted to reauthenticate. Moreover, some of the extensions were found to block access to key administrative pages within affected platforms, effectively shutting out legitimate security teams from their own systems during an incident.

    The extensions disguised themselves under various names and developer identities, making them difficult to detect with superficial scrutiny. Collectively they garnered more than 2,300 installs before Google removed them from the Web Store, but the threat persists: malicious extension code often remains in circulation on third-party download sites or through offline distribution. Enterprises that rely on SaaS platforms such as Workday or NetSuite for mission-critical HR and financial functions face a heightened risk when their employees install browser extensions that have broad permissions.

    This incident is a stark reminder that browser extensions, despite their utility, are an inherently risky attack surface. Many enterprises treat browser extensions as benign components of everyday workflows, but these plugins run with the same privileges as the browser itself and can access sensitive data across domains when granted the necessary permissions. This attack chain — starting with social engineering and ending in enterprise account takeover — illustrates the ease with which browser trust can be abused and why strict governance, user education, and technical controls are necessary.

    Enterprise security teams should be conducting rigorous inventories of permitted extensions, enforcing policies that restrict installation to vetted add-ons, and applying endpoint protection measures that can detect anomalous extension activities. For users, the lesson is equally sobering: just because an extension is available from an official store does not guarantee that it is safe — threat actors have repeatedly found ways to bypass vetting mechanisms. Companies should consider deploying hardened browser environments with extension whitelisting and integrate multi-factor authentication and continuous session monitoring as essential parts of their cybersecurity posture.
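
    One way to run the extension inventory described above, as an added example that is not code from the article or from the researchers: it checks parsed manifest.json files against an allowlist and flags cookie or host access to HR/ERP hosts. The hostnames, extension IDs, allowlist and sample manifests are constructed assumptions.

```python
# Added example: flag extensions whose manifest grants access to HR/ERP hosts.
# Hostnames, IDs and manifests below are constructed assumptions, not from the article.
SENSITIVE_HOSTS = ("myworkday.com", "netsuite.com", "successfactors.com")
ALLOWLIST = {"a" * 32}  # IDs of extensions the organisation has vetted

def pattern_covers(pattern, host):
    """True if a Chrome match pattern can match `host` or one of its subdomains."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    pat = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    if pat == "*":
        return True
    wildcard = pat.startswith("*.")
    if wildcard:
        pat = pat[2:]
    if pat == host or pat.endswith("." + host):
        return True
    return wildcard and host.endswith("." + pat)

def audit(ext_id, manifest):
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    # MV2 lists host patterns among permissions; MV3 uses host_permissions.
    hosts = [p for p in perms if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    hosts += manifest.get("host_permissions", []) + manifest.get("optional_host_permissions", [])
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    reach = sorted({h for h in SENSITIVE_HOSTS for p in hosts if pattern_covers(p, h)})
    findings = [] if ext_id in ALLOWLIST else ["not on allowlist"]
    if reach:
        kind = "can read cookies for" if "cookies" in perms else "host access to"
        findings.append(kind + ": " + ", ".join(reach))
    return findings

SAMPLES = {  # constructed manifests keyed by constructed extension ID
    "a" * 32: {"manifest_version": 3, "name": "Vetted PDF helper", "permissions": ["storage"]},
    "b" * 32: {"manifest_version": 3, "name": "HR toolkit", "permissions": ["cookies", "storage"],
               "host_permissions": ["https://*.myworkday.com/*", "https://*.netsuite.com/*"]},
    "c" * 32: {"manifest_version": 2, "name": "Tab colors", "permissions": ["tabs", "<all_urls>"]},
}

def audit_all(manifests):
    """Map extension ID -> findings, omitting extensions with none."""
    return {eid: found for eid, m in manifests.items() if (found := audit(eid, m))}

if __name__ == "__main__":
    for eid, found in audit_all(SAMPLES).items():
        print(eid, SAMPLES[eid]["name"], found)
```

    In practice the manifests would be read from each browser profile's Extensions directory, and the allowlist would mirror the organisation's managed extension policy.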

    The broader implications are clear: as cloud adoption grows and more corporate access happens through web browsers, attackers will continue to evolve their tactics to exploit the browser as a trusted platform. Organizations must adapt by strengthening extension governance and reinforcing endpoint security practices to mitigate these evolving threats.
