What happened
Malicious Chrome extensions were discovered stealing enterprise HR credentials across Workday, NetSuite, and SAP SuccessFactors platforms. Socket researchers identified five extensions, installed more than 2,300 times in total, that exfiltrated authentication cookies, blocked administrative pages, and hijacked sessions via bidirectional cookie injection. Two of them, Tool Access 11 and Data By Cloud 2, blocked security administration pages, cutting off authentication, 2FA, password management, and account deactivation controls. The fifth, Software Access, allowed attackers to inject stolen cookies directly into browsers, enabling immediate session takeover without credentials. Socket reported the extensions to Google, and they have since been removed from the Chrome Web Store, but users who installed them remain exposed to session hijacking and credential theft until the extensions are removed and sessions are invalidated.
Who is affected
Organizations using enterprise HR and payroll platforms are directly affected if employees installed the malicious extensions. Indirect exposure includes potential account takeover, operational disruption, and lateral movement into other enterprise systems.
Why CISOs should care
Compromised HR credentials give attackers high-value access to sensitive personal data and administrative controls. Session hijacking bypasses multi-factor authentication, enabling rapid account takeover and potential supply chain or insider-risk exploitation.
3 practical actions
- Block unauthorized Chrome extensions: Enforce enterprise browser policies to allow only vetted extensions.
- Harden HR authentication: Require phishing-resistant MFA and monitor for unusual login activity.
- Audit affected accounts: Review administrative sessions, reset credentials, and investigate potential lateral movement or data exfiltration.
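One way to implement the first action, as an added example that is not from the report or from Socket's research: a Chrome managed-policy `ExtensionSettings` fragment that blocks every extension except an explicit allowlist (the weak default of "allow anything" is what an unmanaged browser runs with), plus a check that flags installed extensions the policy would block. The extension IDs and the `extensions.settings` layout of the sample Preferences file are constructed placeholders and assumptions, not the IDs of the malicious extensions.

```python
"""Build a Chrome ExtensionSettings allowlist policy and audit a profile against it."""
import json
import re
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed sample allowlist: placeholder IDs, not real extensions.
VETTED_EXTENSIONS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "Corporate password manager",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "Corporate SSO helper",
}

def build_policy(vetted: dict) -> dict:
    """Return the managed-policy JSON for the ExtensionSettings key.

    The "*" entry is the default for every extension not listed; "blocked"
    prevents installation and disables anything already installed. Per-ID
    entries override that default, so only the vetted IDs stay enabled.
    """
    settings = {"*": {"installation_mode": "blocked",
                      "blocked_install_message": "Only IT-vetted extensions are permitted."}}
    for ext_id in vetted:
        if not EXT_ID_RE.match(ext_id):
            raise ValueError(f"invalid extension id: {ext_id}")
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}

def is_allowed(policy: dict, ext_id: str) -> bool:
    """Mirror Chrome's precedence: a per-ID entry wins over the '*' default."""
    settings = policy["ExtensionSettings"]
    entry = settings.get(ext_id, settings.get("*", {}))
    return entry.get("installation_mode", "allowed") in ("allowed", "force_installed", "normal_installed")

def audit_profile(prefs: dict, policy: dict) -> list:
    """List installed extension IDs (assumed under extensions.settings) that the policy blocks."""
    installed = prefs.get("extensions", {}).get("settings", {})
    return sorted(e for e in installed if EXT_ID_RE.match(e) and not is_allowed(policy, e))

def write_policy(policy: dict, path: str) -> None:
    """Write the policy where Chrome on Linux reads managed policies (assumed default location)."""
    Path(path).write_text(json.dumps(policy, indent=2))

if __name__ == "__main__":
    pol = build_policy(VETTED_EXTENSIONS)
    # Constructed sample Preferences: one vetted and one unvetted extension installed.
    sample_prefs = {"extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"state": 1},
        "cccccccccccccccccccccccccccccccc": {"state": 1}}}}
    print("would be blocked:", audit_profile(sample_prefs, pol))
    write_policy(pol, "vetted_extensions.json")  # deploy to /etc/opt/chrome/policies/managed/
```

Deploy the generated file through your management channel (the managed policies directory on Linux, GPO or Intune on Windows) and confirm it with chrome://policy on a test machine.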
