
These extensions turn an everyday browser feature into a quiet credential-theft channel: by harvesting session cookies they compromise enterprise SaaS accounts, and by tampering with the pages defenders rely on they undermine incident response. Because they remain available on download sites outside the official store, they also extend the software-supply-chain risk of every organization that runs its business through cloud applications.
The discovery of five malicious Chrome extensions underscores a growing trend in which threat actors weaponize browser add-ons to infiltrate enterprise SaaS environments. By masquerading as productivity tools for HR and ERP platforms such as Workday, NetSuite, and SuccessFactors, these extensions win the trust of privileged users and obtain broad permissions over corporate domains. Once installed, they become a silent conduit for credential harvesting that sidesteps the traditional network perimeter: a stolen session cookie can be replayed from attacker infrastructure without ever touching the victim's network, and because the session has already passed the login and MFA checks, those controls are not re-evaluated. This approach is especially effective because many organizations encourage browser-based access to cloud applications, which creates a low-friction attack surface.
The extensions share a common toolkit that requests the cookies, scripting, and declarativeNetRequest API permissions together with host permissions for the targeted SaaS domains; in combination these let an extension read a site's session cookies, run code inside its pages, and rewrite or redirect its requests. They periodically exfiltrate authentication cookies to a C2 server over encrypted traffic, and they carry the same list of 23 security-related extensions, which they check for to detect defensive tooling. By manipulating the DOM they erase or redirect administrative pages, disabling the very incident-response workflows an administrator would use to find and remove them. The most advanced variant, Software Access, not only steals cookies but also injects them back into the browser, enabling full session hijacking without any user interaction. Such capabilities turn a simple browser add-on into a potent account-takeover platform.
For security teams, the presence of these extensions highlights the need for strict extension governance and continuous monitoring of browser activity. Organizations should enforce policies that restrict installations to verified stores (in Chrome, the ExtensionInstallAllowlist, ExtensionInstallBlocklist and ExtensionSettings enterprise policies), regularly audit installed add-ons and the permissions they hold, and employ endpoint detection that flags anomalous cookie-related network traffic; since the exfiltration is encrypted, that detection has to key on destination, cadence and the originating extension rather than on payload contents. Users must be educated to avoid third-party download sites. Compromised accounts need an immediate password reset and MFA verification, and also explicit revocation of active sessions and tokens, because a password change alone does not invalidate a session cookie the attacker already holds. As attackers increasingly exploit the browser supply chain, a proactive stance on extension hygiene becomes a critical layer of defense.
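The permission pattern described above (cookies plus scripting or request-rewriting access scoped to the HR/ERP domains) is something an audit of installed extensions can look for directly. The following is an added example, not code from the article, from the malicious extensions, or from any vendor tool: a Node.js triage script that reads extension manifests (MV2 or MV3), works out which watched SaaS domains each extension can reach, and flags the combination of cookie access with script injection or request rewriting on those domains. The sample manifests, the watched hostnames, and the verdict thresholds are constructed for the example; the list of 23 defensive extensions from the report is not reproduced here.

```javascript
"use strict";
// Added example: triage Chrome extension manifests for the cookie-theft
// permission pattern. Sample data below is constructed, not from real extensions.

const SENSITIVE_PERMISSIONS = new Set([
  "cookies",                             // read/write session cookies on matched hosts
  "scripting",                           // inject scripts and alter the DOM (MV3)
  "declarativeNetRequest",               // block, rewrite or redirect requests
  "declarativeNetRequestWithHostAccess",
  "webRequest",                          // MV2-era request interception
]);

// Constructed watch list: the vendors are named in the article, the exact
// hostnames are assumptions for this example.
const WATCHED_DOMAINS = ["myworkday.com", "netsuite.com", "successfactors.com"];

// Does a Chrome match pattern such as "*://*.netsuite.com/*" cover `domain`?
function patternCovers(pattern, domain) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)?$/.exec(pattern);
  if (!m) return false; // malformed pattern: never silently treat it as coverage
  const host = m[2].toLowerCase();
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return domain === base || domain.endsWith("." + base);
  }
  return host === domain || host.endsWith("." + domain);
}

// Every host pattern the extension can reach: MV3 host_permissions, MV2 URL
// patterns listed under permissions, and content_scripts match lists.
function hostPatterns(manifest) {
  const out = [...(manifest.host_permissions || [])];
  for (const p of manifest.permissions || []) {
    if (p.includes("://") || p === "<all_urls>") out.push(p);
  }
  for (const cs of manifest.content_scripts || []) out.push(...(cs.matches || []));
  return out;
}

function assessManifest(manifest) {
  const apiPerms = new Set(
    (manifest.permissions || []).filter((p) => !p.includes("://") && p !== "<all_urls>")
  );
  const sensitive = [...apiPerms].filter((p) => SENSITIVE_PERMISSIONS.has(p));
  const optionalSensitive = (manifest.optional_permissions || []).filter((p) =>
    SENSITIVE_PERMISSIONS.has(p)
  );
  const patterns = hostPatterns(manifest);
  const coveredDomains = WATCHED_DOMAINS.filter((d) =>
    patterns.some((pat) => patternCovers(pat, d))
  );
  const canInject = apiPerms.has("scripting") || (manifest.content_scripts || []).length > 0;
  const canRewrite = ["declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequest"]
    .some((p) => apiPerms.has(p));

  const reasons = [];
  if (apiPerms.has("cookies") && coveredDomains.length) {
    reasons.push(`cookies permission reaches watched domains: ${coveredDomains.join(", ")}`);
  }
  if (canInject && coveredDomains.length) {
    reasons.push("can inject scripts into watched domains (admin pages can be altered)");
  }
  if (canRewrite && coveredDomains.length) {
    reasons.push("can rewrite or redirect requests to watched domains");
  }
  if (patterns.some((p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p))) {
    reasons.push("host access is unrestricted");
  }
  if (optionalSensitive.length) {
    reasons.push(`may request at runtime: ${optionalSensitive.join(", ")}`);
  }
  // Verdict follows the pattern in the article: cookie access combined with
  // injection or rewriting on the target SaaS domains.
  const verdict =
    apiPerms.has("cookies") && (canInject || canRewrite) && coveredDomains.length ? "review" : "ok";
  return { name: manifest.name, verdict, sensitive, coveredDomains, reasons };
}

function triage(manifests) {
  return manifests.map(assessManifest);
}

// Constructed sample manifests (hypothetical extensions).
const SAMPLE_MANIFESTS = [
  { name: "Timesheet Helper (benign sample)", manifest_version: 3,
    permissions: ["storage", "activeTab"], host_permissions: [] },
  { name: "HR Portal Assistant (suspicious sample)", manifest_version: 3,
    permissions: ["cookies", "scripting", "declarativeNetRequest", "storage", "alarms"],
    host_permissions: ["*://*.myworkday.com/*", "*://*.netsuite.com/*", "*://*.successfactors.com/*"],
    optional_permissions: ["webRequest"] },
  { name: "Page Styler (broad MV2 sample)", manifest_version: 2,
    permissions: ["<all_urls>", "cookies", "tabs"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["style.js"] }] },
];

for (const r of triage(SAMPLE_MANIFESTS)) {
  const detail = r.reasons.length ? "\n  - " + r.reasons.join("\n  - ") : "";
  console.log(`${r.verdict.toUpperCase()}  ${r.name}${detail}`);
}
```

In practice the manifests come from each profile's extension directory (or from the browser management console's inventory), and the "review" verdict is a queue for a human, not a block decision: the same permission set is legitimately requested by some password managers and SSO helpers, so the triage should be paired with an allowlist of vetted extension IDs rather than used alone.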