At first glance, it looked harmless.
A Chrome extension promising productivity.
Another claiming to streamline HR workflows.
A browser add-on marketed as “helpful,” “secure,” and “enterprise ready.”
These extensions were quietly turning Chrome into a session-hijacking weapon, giving attackers access to some of the most sensitive systems inside organizations: HR and ERP platforms.
What Actually Happened
Security researchers recently uncovered multiple malicious Chrome extensions hosted on the official Chrome Web Store. These extensions posed as legitimate HR-related tools but were engineered for one purpose: stealing authenticated enterprise sessions.
Once installed, they didn’t need passwords.
They didn’t need MFA prompts.
They didn’t trigger obvious alerts.
They simply waited for users to log in to platforms like Workday, SAP SuccessFactors, or NetSuite and then quietly copied the session cookies that proved the user was already trusted.
From there, attackers could replay those sessions and walk straight into enterprise systems as legitimate employees.
Why HR Became the Target
HR systems are not just administrative tools; they are identity hubs.
They contain:
· Employee personal and financial data
· Payroll and banking details
· Role assignments and approval workflows
· Access paths to other internal systems
Compromise HR, and you don’t just steal data; you reshape trust inside the organization.
Attackers understand this. And instead of attacking the platform directly, they attacked the browser sitting between the employee and the system.
How the Extensions Operated
The attack was subtle, deliberate, and effective, and it relied on three techniques:
Session hijacking: Extensions harvested authentication cookies and sent them to attacker-controlled servers, enabling account takeover without credentials.
Security interference: Some extensions blocked access to password, MFA, or account settings pages, slowing down detection and response.
Legitimate disguise: They requested permissions that didn’t immediately raise red flags and blended into normal browser behavior.
This wasn’t malware screaming for attention.
It was malware pretending to be helpful.
The Bigger Picture
Attackers aren’t breaking into systems.
They’re logging in.
They’re abusing trusted sessions, trusted users, and trusted tools by turning everyday productivity software into an attack surface.
And HR, often less locked down than security or IT systems, is becoming a prime entry point.
What Organizations Should Do Now
This isn’t about banning Chrome. It’s about controlling it.
· Audit installed browser extensions across the organization
· Enforce strict allow-listing for extensions via enterprise policies
· Reset sessions and credentials for affected users
· Monitor HR and ERP platforms for unusual session behavior
Most importantly, treat browser extensions as software supply-chain risk, not convenience features.
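The audit and allow-list steps above can be scripted. The example below is added here and is not code from the original post or from any vendor: it walks a Chrome profile's Extensions directory, parses each manifest.json, flags extensions that are off the allow-list or that combine the "cookies" or request-interception permissions with broad host access (the combination that enables the session harvesting and MFA-page blocking described above), and runs itself against two constructed placeholder manifests. The allow-list ID and sample manifests are assumptions, not real Chrome Web Store extensions.

```python
"""Audit Chrome extension manifests for cookie-harvesting risk and allow-list compliance."""
import json
import os
import tempfile

ALLOWLIST = {"aaaa-allowlisted-placeholder-id"}  # constructed placeholder, not a real store ID
BLOCK_RISK = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Host access: MV3 lists it in host_permissions; MV2 mixed it into permissions."""
    perms = manifest.get("permissions", [])
    return set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}

def assess(ext_id, manifest, allowlist=ALLOWLIST):
    """Return findings for one extension; an empty list means nothing was flagged."""
    perms = set(manifest.get("permissions", []))
    broad = bool(host_patterns(manifest) & BROAD_HOSTS)
    findings = []
    if ext_id not in allowlist:
        findings.append("not on enterprise allow-list")
    if "cookies" in perms and broad:
        findings.append("can read session cookies for every site")
    if perms & BLOCK_RISK and broad:
        findings.append("can intercept or block requests to any site")
    return findings

def audit(extensions_dir, allowlist=ALLOWLIST):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return {id: findings}."""
    results = {}
    for folder, _, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            ext_id = os.path.relpath(folder, extensions_dir).split(os.sep)[0]
            with open(os.path.join(folder, "manifest.json"), encoding="utf-8") as fh:
                results[ext_id] = assess(ext_id, json.load(fh), allowlist)
    return results

def demo():
    """Build a throwaway Extensions tree: one benign allow-listed add-on, one suspicious."""
    samples = {  # constructed manifests, not from any real extension
        "aaaa-allowlisted-placeholder-id": {"manifest_version": 3, "permissions": ["storage"]},
        "bbbb-suspicious-placeholder-id": {"manifest_version": 3, "host_permissions": ["<all_urls>"],
                                           "permissions": ["cookies", "webRequest", "webRequestBlocking"]}}
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in samples.items():
            os.makedirs(os.path.join(root, ext_id, "1.0_0"))
            with open(os.path.join(root, ext_id, "1.0_0", "manifest.json"), "w") as fh:
                json.dump(manifest, fh)
        return audit(root)
```

Point audit() at a real profile's Extensions folder (for example "~/.config/google-chrome/Default/Extensions" on Linux) and feed the IDs that come back clean into the ExtensionInstallAllowlist policy, with a wildcard ExtensionInstallBlocklist for everything else.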
This is a reminder that in modern enterprises, the quietest attacks don’t kick down doors; they sit patiently in your toolbar.