Credential-Stealing Chrome Extensions Target Enterprise HR Platforms: A Silent Threat to Corporate Identity
A coordinated campaign involving malicious Google Chrome extensions has been uncovered targeting enterprise HR and ERP platforms, exposing how browser-based threats are increasingly being used as an entry point into corporate environments. The extensions, masquerading as productivity or security tools, were designed to silently steal authentication data from platforms such as Workday, NetSuite, and SAP SuccessFactors.
Unlike traditional phishing attacks that rely on fake login pages, this campaign operated directly inside users’ browsers. Once installed, the extensions observed authenticated sessions, harvested cookies, and quietly exfiltrated credentials to remote servers at regular intervals.
What the malicious extensions were designed to do
Researchers identified at least five Chrome extensions linked to the campaign. Under the guise of improving productivity or enhancing security, they requested broad permissions that gave them visibility into web traffic and access to sensitive browser data. In Chrome's permission model that combination is host permissions spanning all sites together with APIs such as cookies and webRequest; once a user accepts that prompt, no exploit is needed to read every session cookie the browser holds.
After installation, the extensions monitored user activity on specific enterprise domains. When a user logged into an HR or ERP system, the extensions captured session cookies and authentication tokens, effectively allowing attackers to hijack active sessions without needing usernames or passwords.
Why HR platforms are a high-value target
Enterprise HR systems hold some of the most sensitive data in an organization. Employee records, payroll information, tax data, benefits details, and internal organizational structures all converge in these platforms.
Access to a single HR account can enable privilege escalation, internal reconnaissance, and downstream fraud. In many organizations, HR platforms are also integrated with identity systems, making them a potential pivot point for broader compromise.
Session hijacking over credential theft
The extensions did not rely solely on stealing passwords. Instead, they focused on session cookies, which are often sufficient to authenticate requests to enterprise platforms.
By exfiltrating these cookies every 60 seconds, attackers always held a fresh copy of a valid session and could maintain access even if users changed their passwords, unless the platform revokes existing sessions on a password change. Multi-factor authentication offers no protection at this point: the victim has already completed the second factor, and the stolen cookie is the server's proof of that completed login, so replaying it never triggers another challenge.
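Two of the symptoms described above are visible in a platform's own authentication logs: a session token that suddenly appears from a second source address, and a session that keeps issuing requests after the user's password was changed. The following detection logic is an added example, not code from the original report or from any of the platforms named on this page; it runs over a handful of constructed JSON log lines whose field names (ts, event, user, session, src_ip, ua) are an assumption about the log format, so map them to your platform's export before use.

```javascript
// Added example: flag hijacked sessions in authentication/audit logs.
// Log lines and field names below are constructed for this example.

const sampleLog = [
  '{"ts":"2026-03-02T09:00:00Z","event":"login","user":"jdoe","session":"s1","src_ip":"10.1.2.3","ua":"Chrome/134"}',
  '{"ts":"2026-03-02T09:05:00Z","event":"request","user":"jdoe","session":"s1","src_ip":"10.1.2.3","ua":"Chrome/134"}',
  '{"ts":"2026-03-02T09:06:10Z","event":"request","user":"jdoe","session":"s1","src_ip":"203.0.113.77","ua":"python-requests/2.31"}',
  '{"ts":"2026-03-02T09:20:00Z","event":"password_change","user":"jdoe","session":"s1","src_ip":"10.1.2.3","ua":"Chrome/134"}',
  '{"ts":"2026-03-02T09:21:00Z","event":"request","user":"jdoe","session":"s1","src_ip":"203.0.113.77","ua":"python-requests/2.31"}',
  '{"ts":"2026-03-02T09:30:00Z","event":"login","user":"asmith","session":"s2","src_ip":"10.1.9.9","ua":"Chrome/134"}',
  '{"ts":"2026-03-02T09:31:00Z","event":"request","user":"asmith","session":"s2","src_ip":"10.1.9.9","ua":"Chrome/134"}',
].join("\n");

// Parse newline-delimited JSON and attach an epoch-millisecond timestamp.
function parseLog(text) {
  return text.split("\n").filter(Boolean).map((line) => {
    const e = JSON.parse(line);
    e.t = Date.parse(e.ts);
    return e;
  });
}

// Rule 1: one session token used from more than one source IP inside a short
// window (a browser does not change public IP and user agent within minutes).
// Rule 2: a session that predates the user's password change and is still
// making requests afterwards, which is exactly what cookie replay looks like.
function detectSessionAbuse(events, windowMs = 15 * 60 * 1000) {
  const findings = [];
  const bySession = new Map();
  for (const e of events) {
    if (!bySession.has(e.session)) bySession.set(e.session, []);
    bySession.get(e.session).push(e);
  }
  const passwordChanges = events.filter((e) => e.event === "password_change");

  for (const [sid, evs] of bySession) {
    evs.sort((a, b) => a.t - b.t);

    // Rule 1: sliding window over the session's events.
    for (let i = 0; i < evs.length; i++) {
      const ips = new Set();
      const uas = new Set();
      for (let j = i; j < evs.length && evs[j].t - evs[i].t <= windowMs; j++) {
        ips.add(evs[j].src_ip);
        uas.add(evs[j].ua);
      }
      if (ips.size > 1) {
        findings.push({
          rule: "session-reused-from-multiple-ips",
          session: sid,
          user: evs[i].user,
          ips: [...ips].sort(),
          user_agents: [...uas].sort(),
        });
        break; // one finding per session is enough
      }
    }

    // Rule 2: activity after a password change on a pre-existing session.
    const firstSeen = evs[0].t;
    const user = evs[0].user;
    for (const pc of passwordChanges.filter((p) => p.user === user && p.t > firstSeen)) {
      const after = evs.filter((e) => e.t > pc.t && e.event !== "password_change");
      if (after.length > 0) {
        findings.push({
          rule: "session-survived-password-change",
          session: sid,
          user,
          changed_at: pc.ts,
          requests_after: after.length,
        });
        break;
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(detectSessionAbuse(parseLog(sampleLog)), null, 2));
```

Rule 1 will also fire on legitimate roaming (VPN reconnects, mobile handoff), so treat a user-agent change from a browser string to a scripting client as the stronger signal; Rule 2 is high confidence on any platform that is supposed to revoke sessions when a password changes.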
Blocking defenses from inside the browser
Some extensions went further by interfering with access to security and account management pages. This prevented affected users from reviewing active sessions, changing credentials, or detecting suspicious activity.
This behavior demonstrates a shift toward active defense evasion at the browser level, where attackers attempt to control not just access, but visibility.
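The permission set described in the sections above (broad host access plus the cookies API) and the request-blocking behaviour described here are both visible before an extension ever runs, in its manifest.json and any static declarativeNetRequest rule files it ships. The triage routine below is an added example written for this page, not code from the reported extensions or from Google; the sample manifest, the rule set, the HR domain list and the severity thresholds are all constructed here and are assumptions you would tune to your own environment.

```javascript
// Added example (not from the reported extensions): static triage of an
// unpacked extension's manifest.json and its declarativeNetRequest rules,
// flagging the capability combination described in the article. The sample
// manifest, rules and domain lists are constructed for this example.

// HR/ERP platforms named in the article, by registrable domain.
const HR_PLATFORM_DOMAINS = ["myworkday.com", "netsuite.com", "successfactors.com"];

// Host patterns that grant access to every site.
const ALL_SITES_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Path fragments of pages an extension has no business blocking or redirecting:
// session review, credential change, MFA enrolment.
const SECURITY_PAGE_HINTS = ["security", "password", "session", "mfa", "account"];

// MV2 mixed host patterns and API names in "permissions"; MV3 separates them.
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function auditManifest(manifest, dnrRules = []) {
  const findings = [];
  const add = (severity, rule, detail) => findings.push({ severity, rule, detail });

  const apiPerms = new Set(
    [...(manifest.permissions || []), ...(manifest.optional_permissions || [])]
      .filter((p) => !isHostPattern(p)));
  const hostPerms = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter(isHostPattern),
  ];
  const allSites = hostPerms.some((h) => ALL_SITES_PATTERNS.includes(h));
  const hrHosts = hostPerms.filter((h) => HR_PLATFORM_DOMAINS.some((d) => h.includes(d)));

  // cookies API + host access to the HR origins = session cookies readable.
  if (apiPerms.has("cookies") && (allSites || hrHosts.length > 0)) {
    add("high", "session-cookies-readable-on-hr-platforms",
        allSites ? "cookies + access to all sites" : `cookies + ${hrHosts.join(", ")}`);
  }
  // webRequest over all sites = every request and response header observable.
  if (apiPerms.has("webRequest") && allSites) {
    add("medium", "observes-all-web-traffic", "webRequest + access to all sites");
  }
  // Either API lets the extension block or rewrite navigations.
  if (apiPerms.has("webRequestBlocking") || apiPerms.has("declarativeNetRequest")) {
    add("medium", "can-block-or-rewrite-requests", "webRequestBlocking/declarativeNetRequest");
  }
  // alarms is what an MV3 service worker needs to wake on a fixed cadence.
  if (apiPerms.has("alarms")) {
    add("low", "periodic-background-task", "alarms (fixed-interval background work)");
  }
  // Static rules that block or redirect security/account pages.
  for (const rule of dnrRules) {
    const action = rule.action?.type;
    const filter = String(rule.condition?.urlFilter || "").toLowerCase();
    if ((action === "block" || action === "redirect") &&
        SECURITY_PAGE_HINTS.some((h) => filter.includes(h))) {
      add("high", "blocks-security-page", `rule ${rule.id}: ${action} ${filter}`);
    }
  }
  return findings;
}

// Collapse findings to a decision: any high => quarantine, any medium => review.
function triageVerdict(findings) {
  if (findings.some((f) => f.severity === "high")) return "quarantine";
  if (findings.some((f) => f.severity === "medium")) return "review";
  return "pass";
}

// Constructed sample: what a "productivity" extension with the described
// capabilities would declare. Not a real extension's manifest.
const sampleManifest = {
  manifest_version: 3,
  name: "Productivity Booster (constructed sample)",
  version: "1.0.3",
  permissions: ["cookies", "webRequest", "declarativeNetRequest", "alarms", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
};
const sampleRules = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "myworkday.com/*/security", resourceTypes: ["main_frame"] } },
  { id: 2, priority: 1, action: { type: "allow" },
    condition: { urlFilter: "cdn.example.com" } },
];

const findings = auditManifest(sampleManifest, sampleRules);
console.log(triageVerdict(findings), findings);
```

Run it against every extension directory under the Chrome profile's Extensions folder on managed endpoints; the useful signal is not any single permission but cookies or webRequest combined with all-sites host access, which legitimate productivity tools rarely need.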
Coordinated infrastructure and distribution
Although the extensions appeared under different publisher names, researchers observed shared code structures, overlapping command-and-control infrastructure, and synchronized update patterns.
This suggests a single operator or tightly coordinated group behind the campaign, distributing variants to increase resilience against takedowns.
Google’s response and user impact
Google has removed the identified extensions from the Chrome Web Store. However, removal from the store does not automatically uninstall extensions from users’ browsers.
Users who installed the extensions remain exposed until the extensions are removed from the browser and the sessions they captured are revoked server-side; changing a password on its own does not help if the platform keeps existing sessions alive.
What organizations should do immediately
Enterprises should treat browser extensions as part of their attack surface, not a personal customization detail.
- Audit installed browser extensions across managed endpoints.
- Restrict extension installation using enterprise policies and allowlists (for Chrome, the ExtensionSettings policy with a blocked "*" default, or ExtensionInstallBlocklist combined with ExtensionInstallAllowlist).
- Force logout and session invalidation for HR and ERP platforms if exposure is suspected, and rotate any API tokens those platforms issued to affected users.
- Review authentication logs for unusual session reuse (the same session token seen from more than one source IP or user agent), access from unfamiliar locations, and sessions that stayed active after a password reset.
- Educate employees that browser extensions can pose serious security risks.
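The allowlisting recommendation in the list above maps directly onto Chrome's ExtensionSettings policy. The policy object below is an added example for this page, not a configuration published by Google or by the reporting cited here: it blocks every extension by default, force-installs one approved extension, and stops all extensions from touching the HR platform origins. The extension id is a hypothetical placeholder, and the two helper functions are a simplified model of how Chrome resolves the policy (an explicit per-id entry overriding the "*" default), written so the intent can be checked before the policy is pushed out.

```javascript
// Added example: deny-by-default Chrome ExtensionSettings policy with an
// allowlist and runtime host blocking for the HR/ERP origins. The extension id
// is a hypothetical placeholder; the resolver functions are a simplified model
// of Chrome's behaviour, not Chrome's own code.

const HR_PLATFORM_HOSTS = [
  "*://*.myworkday.com",      // Workday
  "*://*.netsuite.com",       // NetSuite
  "*://*.successfactors.com", // SAP SuccessFactors
];

// Deploy this object as the ExtensionSettings policy (GPO/Intune/admin console).
const extensionSettingsPolicy = {
  // "*" is the default entry for every extension not listed explicitly.
  "*": {
    "installation_mode": "blocked",
    "blocked_install_message": "Extensions must be approved by Security.",
    // No extension, approved or not, may run on or read data from these hosts.
    "runtime_blocked_hosts": HR_PLATFORM_HOSTS,
  },
  // Hypothetical approved extension, force-installed from the Web Store.
  "abcdefghijklmnopabcdefghijklmnop": {
    "installation_mode": "force_installed",
    "update_url": "https://clients2.google.com/service/update2/crx",
  },
};

// Installation mode for an id: per-id entry, then "*" default, then Chrome's
// built-in default of "allowed" when no policy says otherwise.
function resolveInstallMode(policy, extensionId) {
  const entry = policy[extensionId];
  if (entry && entry.installation_mode) return entry.installation_mode;
  const defaults = policy["*"];
  if (defaults && defaults.installation_mode) return defaults.installation_mode;
  return "allowed";
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Turn a Chrome host match pattern ("*://*.myworkday.com") into a RegExp over
// "scheme://host". A leading "*." matches the domain itself and any subdomain.
function hostPatternToRegExp(pattern) {
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)$/.exec(pattern);
  if (!m) throw new Error(`unsupported host pattern: ${pattern}`);
  const scheme = m[1] === "*" ? "https?" : m[1];
  const host = m[2] === "*" ? "[^/]+"
    : m[2].startsWith("*.") ? `([^/.]+\\.)*${escapeRegExp(m[2].slice(2))}`
    : escapeRegExp(m[2]);
  return new RegExp(`^${scheme}://${host}$`);
}

// Would this extension be kept away from the given URL at runtime?
// Modelled semantics: a per-id runtime_blocked_hosts list replaces the "*" list.
function isRuntimeBlocked(policy, extensionId, url) {
  const u = new URL(url);
  const origin = `${u.protocol.slice(0, -1)}://${u.hostname}`;
  const entry = policy[extensionId];
  const blocked = (entry && entry.runtime_blocked_hosts) ||
    (policy["*"] && policy["*"].runtime_blocked_hosts) || [];
  return blocked.some((p) => hostPatternToRegExp(p).test(origin));
}

console.log(resolveInstallMode(extensionSettingsPolicy, "ponmlkjihgfedcbaponmlkjihgfedcba"));
console.log(isRuntimeBlocked(extensionSettingsPolicy, "abcdefghijklmnopabcdefghijklmnop",
  "https://impl.myworkday.com/acme/d/home.htmld"));
```

runtime_blocked_hosts is the part most deployments miss: an allowlisted extension that later ships a malicious update still cannot read cookies for, or inject into, the blocked origins, which contains exactly the failure mode this campaign exploited.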
Why this matters beyond HR systems
This campaign illustrates a broader trend in enterprise compromise. Attackers are increasingly bypassing network defenses by operating entirely within the browser, where trust is implicit and monitoring is limited.
As SaaS platforms become the backbone of corporate operations, browser-level security will play a decisive role in preventing identity-driven breaches.
A warning for identity security in 2026
The lesson from these malicious extensions is simple but uncomfortable. Even well-secured platforms can be undermined if the endpoint presenting credentials is compromised.
In 2026, protecting enterprise identities requires visibility not just into who logs in, but how and from where those sessions are controlled. The browser is no longer just a window to applications. It is an attack surface of its own.
Source credit: Analysis based on reporting by BleepingComputer on credential-stealing Chrome extensions targeting enterprise HR platforms.