Malicious Chrome Extensions Hijack User Accounts, Corporate Logins Among Prime Targets

The420.in Staff

Cybersecurity researchers have uncovered a coordinated campaign involving malicious Google Chrome extensions that silently hijack user accounts by masquerading as legitimate workplace and productivity tools. The fake extensions, which impersonate widely used human resources and enterprise platforms, have been found stealing login data while actively disabling security features designed to protect users.

According to findings by threat researchers, the malicious add-ons present themselves as tools linked to popular corporate platforms such as payroll, human resources and business management systems. Once installed, they operate without visible signs of compromise, allowing attackers to take control of accounts without requiring usernames or passwords.

Security analysts said the campaign relied on professionally designed extensions with credible names, polished interfaces and business-focused descriptions. Privacy policies associated with the add-ons often claimed that no personal data was collected, making them appear trustworthy to employees and small business users who routinely interact with enterprise software.

Researchers identified at least five Chrome extensions associated with the campaign. While marketed as productivity or access-management tools, they were engineered specifically to hijack user sessions and maintain long-term control over accounts. The extensions were initially distributed through the Chrome Web Store before being taken down following security disclosures.

Google confirmed that the identified extensions are no longer available on its official marketplace. However, cybersecurity experts warned that some versions continue to circulate on third-party software download websites, posing an ongoing risk to users who install extensions outside official channels.

The malicious extensions work by stealing session cookies, small data files that allow websites to recognise logged-in users. By capturing these cookies, attackers can access accounts without triggering password prompts or multi-factor authentication checks. In some cases, the extensions also blocked access to account security pages, preventing victims from changing passwords, reviewing login history or disabling compromised sessions.

Researchers noted that one of the extensions allowed stolen login sessions to be injected directly into another browser, enabling attackers to log in as the victim almost instantly. This technique effectively bypasses standard security controls and makes detection significantly more difficult.

Cybersecurity teams tracking the activity said the threat extends beyond simple credential theft. By restricting access to security settings, the attackers reduce the victim’s ability to respond, allowing unauthorised access to persist for extended periods. Even when unusual activity is detected, normal remediation steps may fail.

Experts said the attack highlights a growing weakness in browser ecosystems, where extensions with broad permissions can exert deep control over user activity. While initial vetting processes exist, malicious functionality can be concealed within otherwise legitimate-looking tools, particularly when updates receive limited scrutiny.

Users have been advised to immediately review all installed Chrome extensions and remove any unfamiliar add-ons, especially those claiming to provide access to HR systems, enterprise platforms or internal business tools. Security professionals also recommend restarting browsers after removal and disabling browser synchronisation until all linked devices have been checked.

Following removal, affected users should change passwords for all accounts accessed while the extension was installed, ideally from a different browser or device. Monitoring account activity for unfamiliar logins, locations or devices is also strongly advised.

Industry experts stressed that browser hygiene is becoming a critical component of cybersecurity, particularly as more corporate activity shifts to cloud-based platforms accessed through web browsers. Limiting extensions, carefully reviewing permission requests and avoiding downloads from unofficial sources were cited as essential precautions.
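The permission review recommended above can be scripted. The following is an added example, not code from the researchers or from Google: it reads each installed extension's `manifest.json` and flags the capabilities this campaign depended on (cookie access, the ability to block or redirect pages, access to all sites). The flag names and sample manifests are constructed for illustration, and the `<id>/<version>/manifest.json` layout under a profile's `Extensions` folder is assumed.

```python
import json
from pathlib import Path

# Capabilities matching the behaviour described in the article.
COOKIE_ACCESS = {"cookies"}
REQUEST_BLOCKING = {"webRequestBlocking", "declarativeNetRequest",
                    "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return risk flags for one parsed manifest.json (MV2 or MV3)."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions",
                "optional_host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts also grant page access on the hosts they match.
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))

    flags = []
    if declared & COOKIE_ACCESS:
        flags.append("reads-cookies")
    if declared & REQUEST_BLOCKING:
        flags.append("can-block-or-redirect-pages")
    if declared & BROAD_HOSTS:
        flags.append("all-sites-access")
    return flags


def scan_extensions(ext_dir: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under an Extensions folder."""
    report = {}
    for path in sorted(ext_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[path.parent.parent.name] = ["unreadable-manifest"]
            continue
        flags = audit_manifest(manifest)
        if flags:
            report[path.parent.parent.name] = flags
    return report

# Constructed sample manifests (not taken from the campaign).
SAMPLE_RISKY = {"manifest_version": 3, "host_permissions": ["<all_urls>"],
                "permissions": ["cookies", "declarativeNetRequest"]}
SAMPLE_BENIGN = {"manifest_version": 3, "permissions": ["storage"]}
```

A flag marks a capability, not proof of malice; many legitimate extensions request the same permissions, so the report is a shortlist for manual review against what each add-on claims to do.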

The incident serves as a reminder that convenience-driven tools can introduce significant risk if not properly vetted. As browser-based attacks grow more subtle and persistent, cybersecurity analysts warn that users and organisations alike must treat extensions with the same caution as full-scale software installations.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.