Fake Chrome Extensions Hijack HR Platforms: Is Your Org at Risk?
Think your Chrome extensions are safe?
One fake “productivity tool” might hijack your HR platform in seconds:
A new campaign used fake Chrome extensions to steal login tokens from Workday, NetSuite, and SAP SuccessFactors.
I’ve seen too many teams trust browser tools without a second thought.
But researchers at Socket found five malicious extensions—installed over 2,300 times—that were secretly:
- Stealing session cookies every 60 seconds
- Blocking access to admin and security settings
- Injecting stolen sessions for full account takeovers
Worse: they looked like legit tools. One promised “faster dashboard access,” another claimed to “protect admin features.”
But what they did was unlock enterprise platforms for attackers—no password or 2FA needed.
If your team used any of these extensions, your sessions were likely compromised.
Here’s what you need to do:
- Report to your security team immediately.
- Remove suspicious extensions.
- Rotate passwords and revoke active sessions on HR/ERP platforms.
Ignore this, and your entire org could be exposed to ransomware and data theft without warning.
Security isn’t just about firewalls anymore.
Sometimes, the threat is already running in your browser.
This campaign is part of a broader pattern. Security researchers recently found 287 Chrome extensions secretly harvesting data from 37 million users — including popular ad blockers and theme customizers. If your team hasn’t audited their browser extensions recently, now is the time.