Coordinated Chrome extensions harvest enterprise login cookies from Workday, NetSuite, and SAP SuccessFactors
Security researchers found five malicious Chrome extensions posing as productivity/security tools for enterprise HR/ERP platforms (Workday, NetSuite, SAP SuccessFactors) that exfiltrate authentication cookies, block security administration pages, and, in one case, inject cookies to hijack active sessions. The campaign, linked by shared infrastructure and targeting patterns, had about 2,300 installations. Extensions were taken down after disclosure; affected users should notify security admins and rotate passwords on the targeted platforms.