Enterprise HR credential theft via Chrome extensions: how to protect your Workday and SAP accounts
Five Chrome extensions stole Workday, NetSuite, and SAP session tokens using three attack vectors. Here's how enterprise teams can check and protect HR access.
Your HR system holds some of the most sensitive data your organization has. Payroll records, social security numbers, tax forms, direct deposit bank accounts, benefits information, performance reviews — it's all in there. Enterprise security teams put real controls around these platforms: SSO, MFA, IP whitelisting, audit logs. What they often don't control is what's sitting in the browser on the same machine an HR manager uses every day.
In January 2026, Socket researchers found five Chrome extensions specifically engineered to steal credentials from Workday, NetSuite, and SAP SuccessFactors. These weren't opportunistic, general-purpose infostealers. They were purpose-built for enterprise HR and ERP platforms — with three simultaneous attack vectors and built-in mechanisms to delay or prevent IT teams from discovering the breach.
This is targeted malware. And the browser is the attack surface most enterprise security programs have nearly no visibility into.
Inside the three-layered attack
Socket's researchers identified five extensions sharing nearly identical code structure, API endpoint patterns, and — most tellingly — identical lists of security tool detection. When five separate extensions all include the same capability to evade the same enterprise security scanners, they come from one coordinated operation.
Here's how the attack worked once an extension was installed on a target machine:
Cookie exfiltration. Every 60 seconds, the extensions extracted __session authentication tokens from Workday, NetSuite, and SAP SuccessFactors sessions and transmitted them to attacker-controlled servers. Session tokens are effectively the master keys to these platforms — with one, an attacker can authenticate as the victim without needing a password or passing multifactor authentication. The 60-second interval suggests the goal was real-time session monitoring, not just periodic harvesting.
Admin page blocking. This is the part that makes the campaign particularly dangerous. According to Socket, each extension blocked between 44 and 56 security administration pages inside the targeted HR platforms. If an IT administrator or security team member noticed something suspicious and tried to navigate to session management, audit logs, or admin security settings within Workday or SAP — the extension would intercept that navigation and redirect them away from the investigation tools. The extensions were actively working to prevent their own discovery.
Bidirectional session injection. Beyond cookie theft, the extensions could inject cookies back into the browser — enabling full session hijacking without ever requiring plaintext credentials. An attacker with stolen session tokens could inject them into their own browser and authenticate directly, creating a parallel active session alongside the legitimate user's.
Four of the five extensions were published under the developer account "databycloud1104"; a fifth used "Software Access" branding. As Socket's researchers put it: "The extensions target the same enterprise platforms and share identical security tool detection lists, API endpoint patterns, and code structures, indicating a coordinated operation."
All five extensions have since been removed from the Chrome Web Store.
Why 2,300 installs is the wrong number to fixate on
The combined install count across all five extensions was approximately 2,300. That's small. If this were a consumer campaign, 2,300 installs would barely register.
But this wasn't a consumer campaign. These extensions specifically targeted employees with Workday, NetSuite, and SAP SuccessFactors access — payroll administrators, HR managers, finance teams, system admins. The value of one successful compromise scales with the access level of the person compromised, not the total install count.
A single HR system admin with a stolen session token gives attackers authenticated access to payroll configuration. They can reroute direct deposit accounts, access compensation records for the entire organization, export employee PII at scale, or change banking details before the next payroll run. The potential impact of one correctly-targeted install can far exceed the combined impact of a million consumer browsing history scrapes.
The 60-second exfiltration interval makes this even more acute. An employee who installed one of these extensions on a Tuesday morning could have had their Workday session actively hijacked by Tuesday at noon — before their IT team had any reason to look.
Why browser extensions are such an effective enterprise attack vector
Most enterprise security programs have layered defenses: endpoint detection and response (EDR), antivirus, data loss prevention (DLP), network monitoring. Browser extensions largely fall outside all of them.
Extensions run with elevated browser privileges by design. An extension with the cookies permission can read session tokens for any site on the user's machine. An extension with host permissions for a specific domain can read and modify every page the user views on that domain — including enterprise HR portals. These are the permissions that make legitimate extensions work; they're also the permissions that make malicious extensions so effective.
Enterprise policy management for extensions exists — Chrome's ExtensionInstallAllowlist and Edge's equivalent — but most organizations haven't implemented it. The mental model is still "extensions are browser plugins, not real software," even as extension malware is increasingly purpose-built for enterprise targets.
This campaign is part of a broader shift in how extension malware is deployed. Earlier large-scale attacks like the ShadyPanda campaign went for breadth: 145 extensions, 4.3 million installs, a mix of consumer targets. The newer pattern is precision targeting — fewer installs, specific enterprise platforms, higher per-compromise value.
The HR/ERP credential theft campaign fits this mold exactly. So does the SNOWBELT enterprise sideloading attack I covered earlier, which targeted enterprise environments through Microsoft Teams IT impersonation.
The math has shifted for attackers. Enterprise browser sessions are worth more than consumer sessions by orders of magnitude, and they require far fewer installs to monetize.
How to protect your organization
The specific five extensions are gone from the Chrome Web Store. If you're reading this now, you're not at risk from this exact campaign. But the technique is documented, effective, and will be reused. Here's what to actually do:
Audit extensions on work machines. Open Chrome and go to chrome://extensions. Look for anything you don't recognize — especially extensions with vague descriptions, no recognizable developer names, or permissions that seem out of scope for what the extension claims to do. "databycloud1104" and "Software Access" were the developer accounts in this campaign, but future versions will use different names.
Check which extensions can access your HR domains. In Chrome, navigate to your Workday or SAP SuccessFactors login page and click the puzzle piece icon in the address bar toolbar — it shows which extensions are active on that page and what access they have. Any extension that has permission to run on your HR platform that you didn't deliberately authorize deserves scrutiny.
Look for active session anomalies in HR systems. Most enterprise HR platforms have session logging or active session management built in. If your Workday or NetSuite instance was compromised, there may be concurrent sessions from unusual IP addresses or geographic locations. Pull the session logs for admin accounts specifically. If your organization doesn't currently have visibility into this, the incident is a good reason to build it.
Implement extension allowlisting. This is the durable fix for enterprise IT teams. Chrome's ExtensionInstallAllowlist group policy lets you specify exactly which extensions are permitted to run on managed machines. Anything not on the list is blocked at the browser level. Yes, it creates IT overhead as employees request new tools. But it also makes this entire class of attack — malicious extensions quietly installed on an HR manager's machine — essentially impossible on managed devices.
Alert your security team, even if you're not affected. Even if you personally don't have any of these extensions installed, forward this to your CISO or IT security team. The campaign is neutralized, but the technique is now on record as effective against enterprise HR environments. Security teams should add "HR platform session tokens" to their extension monitoring criteria going forward — and any extensions with broad cookie access on HR platform domains warrant investigation.
What this means for how you think about the browser
The browser is no longer just an application. It's an authenticated context that holds session tokens for nearly every service an employee uses — HR, finance, project management, email, cloud infrastructure. An attacker who compromises the browser has a path to all of it.
The extension ecosystem is the most direct attack surface into that authenticated context. Extensions run persistently, have declared permissions to access cookies and page content, and — until recently — most enterprise security programs had essentially no visibility into what they're doing.
This is starting to change. Chrome 147 shipped enterprise extension auditing with real-time DOM activity logging. Extension security platforms are emerging as a dedicated category. But the baseline practice — knowing what extensions are installed on corporate machines and what permissions they have — is still absent in most organizations.
The five-extension HR campaign is a reminder of how targeted this threat has become. Attackers are building purpose-specific tools against high-value enterprise targets, not spraying broadly and hoping for the best. Your browser extension inventory deserves the same security attention as your endpoint software.
Common questions about extension credential theft
How do Chrome extensions steal Workday or SAP credentials? They don't need your password. With the cookies permission, an extension can read the __session authentication token your browser already holds for Workday, NetSuite, or SAP SuccessFactors and ship it to an attacker's server. That token is a working key to your session — enough to authenticate as you without triggering MFA.
Can a browser extension bypass our SSO and MFA? Effectively, yes — by going around them rather than through them. SSO and MFA gate the login. A stolen session token represents an already-authenticated session, so an attacker who replays it skips the login entirely. That's why session-token theft is so valuable against well-defended enterprise platforms.
How do I stop employees installing risky extensions on work machines? The durable control is extension allowlisting. Chrome's ExtensionInstallAllowlist group policy lets IT specify exactly which extensions may run on managed devices; everything else is blocked at the browser level. It adds some request-and-approve overhead, but it makes this whole attack class near-impossible on managed machines.
Were many people affected by this campaign? The five extensions had only ~2,300 combined installs — tiny by consumer standards. But they were aimed at HR, payroll, and ERP admins, where a single compromise can expose an entire organization's payroll and PII. Install count is the wrong yardstick here; access level is the right one.
How Extenshi helps
Extenshi's catalog lets you look up any Chrome extension's full permission profile, install count, and available security flags. If you're unsure whether an extension on a work machine should have access to your HR platform's domain, checking its declared permissions is a useful first step.
For enterprise security teams doing a broader inventory, scanning your installed extensions surfaces extensions with high-risk permission combinations — including cookie access paired with broad host permissions, which is exactly the profile these five extensions used.
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
AI extension incident response: a playbook for enterprise security teams
When malicious AI extensions hit 20K+ enterprise tenants, most teams had no playbook. Here's the incident response plan your org needs before the next campaign.
Zero-permission malware droppers: how to check if any of your extensions can be weaponized
LayerX Labs showed any browser extension — even ones with no permissions — can silently modify your downloads to deliver malware. Here's how to stay safe.
Password manager extensions reviewed: Bitwarden vs 1Password security score, spoofing risks & alternatives
Bitwarden and 1Password extension security review 2026: permissions, privacy scores, and SquareX's polymorphic spoofing attack that Chrome can't patch.