Five Malicious Chrome Extensions Impersonate Workday And NetSuite To Hijack User Accounts


Security researchers have identified five malicious Google Chrome browser extensions that were designed to impersonate widely used enterprise platforms Workday and NetSuite, raising concerns about the growing abuse of trusted business software brands for cybercrime. The extensions were created to appear legitimate and were distributed through channels that made them look like productivity or authentication tools linked to these platforms. Once installed, they enabled threat actors to hijack user accounts by harvesting login credentials and session data, potentially exposing sensitive corporate and personal information. The discovery highlights how browser extensions continue to be exploited as an effective entry point for digital fraud, particularly in environments where cloud-based enterprise services are deeply embedded in daily operations.

The malicious extensions relied on visual branding and naming conventions closely resembling genuine Workday and NetSuite tools, increasing the likelihood that users would trust and install them without suspicion. After installation, the extensions requested permissions that allowed them to read browser activity, intercept login sessions and monitor interactions with enterprise portals. This access enabled the operators behind the campaign to capture usernames, passwords and authentication tokens as users logged into legitimate Workday or NetSuite environments. In some cases, the extensions were also capable of modifying web content in real time, allowing attackers to silently redirect authentication flows or inject malicious scripts that further expanded control over compromised accounts. Because these platforms are commonly used for payroll, human resources, finance and enterprise planning, successful account takeover could provide access to highly sensitive organizational data.

Investigators noted that the extensions were engineered to blend into normal browser behavior, reducing the chances of detection by users or automated security tools. By functioning only when a victim accessed specific enterprise domains, the malicious activity remained dormant for much of the time, helping the extensions avoid scrutiny. This selective activation also meant that many victims were unaware their accounts had been compromised until unauthorized activity was detected. Once access was obtained, attackers could potentially move laterally within connected enterprise systems, misuse stored data, or exploit the accounts for further phishing and fraud attempts. Following disclosure, the malicious extensions were removed from the Chrome Web Store, and affected listings were taken down to prevent further downloads.

The incident underscores the broader risk posed by malicious browser extensions in corporate and remote work environments, where employees often rely on add-ons to streamline workflows. Even a small number of compromised extensions can have an outsized impact when they target platforms as widely adopted as Workday and NetSuite. Security teams are being urged to review installed browser extensions across their organizations, limit extension permissions to only what is strictly necessary and enforce policies that restrict installation to vetted tools. Users are also advised to verify publishers, scrutinize permission requests and remain cautious of extensions claiming official integration with enterprise services unless confirmed through trusted channels. The exposure of these fake extensions serves as a reminder that browser-based threats remain an active and evolving component of the cybercrime ecosystem, particularly as attackers continue to exploit trust in familiar digital brands.
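The review recommended above can start from each installed extension's manifest.json. The following sketch is an added example, not code from the researchers or from the extensions in question: it flags manifests whose host access reaches Workday or NetSuite domains together with a session-exposing permission or a content script. The watched domain list and the sample manifests are assumptions constructed for illustration.

```python
import json

# Assumption: domains to watch; replace with your organisation's tenant hosts.
WATCHED = ("workday.com", "myworkday.com", "netsuite.com")
# Chrome permissions that expose sessions or let an extension rewrite pages/traffic.
SENSITIVE = {"cookies", "webRequest", "scripting", "declarativeNetRequest", "debugger"}

def covers_watched(pattern):
    """True if a Chrome match pattern can apply to a watched domain."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    if host == "*":
        return True
    wildcard = host.startswith("*.")
    base = host[2:] if wildcard else host
    return any(base == d or base.endswith("." + d) or (wildcard and d.endswith("." + base))
               for d in WATCHED)

def audit_manifest(manifest):
    """Summarise which watched hosts an extension reaches and with what capability."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = [p for p in perms if "://" in p or p == "<all_urls>"]  # MV2 lists hosts here
    hosts += manifest.get("host_permissions", [])                   # MV3
    scripts = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    host_hits = sorted({p for p in hosts + scripts if covers_watched(p)})
    script_hit = any(covers_watched(m) for m in scripts)
    risky = sorted(SENSITIVE.intersection(perms))
    return {"name": manifest.get("name", "?"), "host_hits": host_hits,
            "sensitive": risky, "flag": bool(host_hits) and (bool(risky) or script_hit)}

# Constructed sample manifests (not taken from the extensions in the article).
SAMPLES = [json.loads(s) for s in (
    '{"name": "Constructed HR Helper", "manifest_version": 3, "permissions": ["cookies", "storage"],'
    ' "host_permissions": ["https://*.myworkday.com/*"]}',
    '{"name": "Constructed Reader Mode", "manifest_version": 3, "permissions": ["storage"],'
    ' "content_scripts": [{"matches": ["https://news.example/*"], "js": ["r.js"]}]}',
    '{"name": "Constructed Toolbar", "manifest_version": 2,'
    ' "permissions": ["<all_urls>", "webRequest"]}',
)]

if __name__ == "__main__":
    for m in SAMPLES:
        print(audit_manifest(m))
```

A flag here is a prompt for manual review of the publisher and code, not proof of malice; legitimate integrations can request the same access.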
