Malicious Chrome Extensions Target Workday & NetSuite for Account Takeover

These articles are AI-generated summaries. Please check the original sources for full details.

Five malicious Chrome extensions were identified impersonating popular platforms like Workday, NetSuite, and SuccessFactors to steal user credentials and hijack accounts. These extensions, with over 2,500 combined installs, demonstrate a coordinated effort to bypass security measures and gain unauthorized access to sensitive systems.

Why This Matters

Current security models often rely on user awareness and extension vetting, but attackers are increasingly adept at mimicking legitimate software. The potential scale of compromise is significant; a successful account takeover in HR or ERP systems can lead to data breaches, financial loss, and disruption of critical business processes – potentially costing organizations millions in remediation and fines.

Key Insights

  • 2,500+ installs: Combined installs across the five malicious extensions as of discovery.
  • DOM manipulation: Used to block access to administrative pages within Workday, hindering incident response.
  • Cookie exfiltration: Stolen cookies are sent to attacker-controlled servers for session hijacking; chrome.cookies.set() is then used to inject the stolen cookies into a browser session.

Working Example

// Example of cookie injection (simplified from Software Access extension)
async function injectCookies(cookies) {
  for (const cookie of cookies) {
    chrome.cookies.set({
      url: cookie.domain,
      name: cookie.name,
      value: cookie.value,
      expirationDate: cookie.expirationDate
    });
  }
}

Practical Applications

  • Enterprise HR Systems: Attackers could gain access to sensitive employee data and manipulate payroll or benefits.
  • Pitfall: Overly permissive extension permissions (e.g., access to all cookies on a domain) create a significant attack surface.
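
A defender-side check for the pitfall above and for the DOM manipulation noted under Key Insights, as an added example (not code from the original article or from the extensions it describes): it audits a parsed manifest.json for the cookies permission or content scripts that reach HR/ERP hosts. The watchlist domains, function names and sample manifests are assumptions made for illustration.

```javascript
// Watchlist is an assumption for this example; substitute your tenant hostnames.
const WATCHED = ["workday.com", "netsuite.com", "successfactors.com"];

// Host part of a Chrome match pattern, or null for an API permission name.
function patternHost(p) {
  if (p === "<all_urls>") return "*";
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(p);
  return m ? m[2] : null;
}

// True when a match-pattern host overlaps `domain` or its subdomains.
function hostCovers(host, domain) {
  if (host === "*") return true;
  const wild = host.startsWith("*.");
  const bare = wild ? host.slice(2) : host;
  return bare === domain || bare.endsWith("." + domain) ||
    (wild && domain.endsWith("." + bare));
}

// Watched domains touched by any host pattern in `patterns`.
function reached(patterns, watched) {
  const hosts = patterns.map(patternHost).filter((h) => h !== null);
  return watched.filter((d) => hosts.some((h) => hostCovers(h, d)));
}

// Returns findings for one parsed manifest.json (MV2 or MV3).
function auditManifest(manifest, watched = WATCHED) {
  const declared = [
    ...(manifest.permissions || []), // MV2 mixes host patterns in here
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  const findings = [];
  const reach = reached(declared, watched);
  if (declared.includes("cookies") && reach.length)
    findings.push(`cookies API reaches: ${reach.join(", ")}`);
  for (const cs of manifest.content_scripts || []) {
    const hit = reached(cs.matches || [], watched);
    if (hit.length) findings.push(`content script runs on: ${hit.join(", ")}`);
  }
  return findings;
}
// Constructed sample manifests (not taken from the extensions in the article).
const SAMPLES = {
  "sample-a": { manifest_version: 3, permissions: ["cookies", "storage"],
    host_permissions: ["*://*.workday.com/*"],
    content_scripts: [{ matches: ["https://*.workday.com/*"], js: ["c.js"] }] },
  "sample-b": { manifest_version: 3, permissions: ["storage", "activeTab"] },
  "sample-c": { manifest_version: 2, permissions: ["cookies", "<all_urls>"] },
};
for (const [name, m] of Object.entries(SAMPLES)) console.log(name, auditManifest(m));
```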
