Security researchers have discovered a stealthy threat inside Google Chrome: fake extensions posing as workplace tools that quietly hijack accounts, steal session data and block security controls. These add-ons impersonate enterprise platforms such as Workday, NetSuite and SAP SuccessFactors, and they operate without obvious signs. The result is attackers gaining access without passwords while defenders struggle to regain control. This guide explains what happened, why it matters and what to do right now.
Several Chrome extensions were marketed as productivity helpers or security aids but were actually designed to take over user accounts. They used polished dashboards and business-focused copy to look legitimate, making them easy to trust. Socket’s Threat Research Team identified five malicious add-ons tied to this campaign, though similar threats could exist under other names. Users often had no visible warning after installation.
Although those specific extensions were removed from the Chrome Web Store, copies and mirrors still show up on third-party download sites. That means the risk hasn’t vanished just because a storefront pulled them down. If you spot an unfamiliar extension that promises workplace access or fast login to enterprise platforms, consider it suspicious. Removing it is the immediate priority.
The attackers relied on a simple social engineering trick: look professional and then abuse the permissions you grant. Descriptions promised faster access to HR systems or additional security controls, and privacy statements claimed no personal data was collected. For someone juggling work logins, the pitch could seem helpful rather than dangerous. That trust is exactly what makes these add-ons effective.
Once installed, the extensions acted quietly in the background to steal session cookies, the tiny tokens that tell a site you’re already signed in. With those tokens in hand, criminals can access accounts without needing passwords or traditional logins. Some of these malicious tools also blocked access to security pages, stopping users from changing passwords or reviewing login history. One variant even allowed stolen sessions to be injected into another browser for instant impersonation.
The technique does more than just grab credentials; it strips away the victim’s ability to react. Security teams might detect odd activity but find normal recovery steps failing because password changes and two-factor resets are blocked. That combination lets attackers linger in accounts longer than they otherwise could. The longer an intruder stays, the greater the chance of data theft or lateral movement inside systems.
If you use Google Chrome, check your extensions right now and remove anything you do not recognize or need. Restart the browser after removal to make sure the extension is fully disabled. If you have Chrome sync enabled, repeat the removal on every synced device before turning sync back on. These quick steps close the most obvious window attackers use to persist.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.
After uninstalling a suspicious extension, change passwords for any accounts that the extension could have touched and use a different clean device to do it if possible. Switching to a dedicated password manager will help you create unique, strong passwords and securely store them so you do not reuse credentials. Many well-regarded password managers also include breach scanners to see if your email or passwords appeared in known leaks. If a breach shows up, change any reused passwords immediately and secure the affected accounts with fresh, unique credentials.
Review account activity for unfamiliar logins, locations or devices and revoke active sessions you do not recognize. Move critical accounts to two-factor options that do not depend on the browser, like hardware security keys or mobile authenticator apps. Those measures make it harder for attackers who rely on stolen session cookies to keep access. Regularly checking login history gives you an early warning when something is wrong.
Adopt safer extension habits to reduce future risk: only install extensions you truly need and remove ones you no longer use. Avoid tools that promise special enterprise access or ask for broad permissions to cookies, browsing data or account management. Do not download extensions from third-party sites; those versions are often outdated or tampered with. A lean browser is a safer browser.
Good antivirus and endpoint protection can detect malicious extension behavior, block suspicious processes and alert you before serious damage occurs. If your personal data has already been exposed, a professional data removal service can reduce your digital footprint on broker sites, though no service can guarantee complete erasure. Paid protections cost money, but they can be worth it for preventing follow-up scams and identity misuse.
Browser extensions still offer convenience, but convenience should not override caution when those tools ask for powerful permissions. Take a few minutes now to audit what’s installed, remove anything unfamiliar and strengthen your account protections. Small habits repeated regularly shrink your attack surface and make it harder for opportunistic criminals to cause damage.
