The Attack Surface Hiding in Plain Sight
Every enterprise employee opens a browser dozens of times a day, and almost every one of them has loaded it with extensions they chose themselves. According to the LayerX Enterprise Browser Extension Security Report 2025, 99% of enterprise employees have at least one browser extension installed, and 52% run more than ten. Yet most security teams have zero inventory of what is running inside their users’ browsers.
The numbers behind this blind spot are striking. Fifty-three percent of extensions used in enterprise environments request permissions rated high or critical — meaning they can read cookies, intercept passwords, access browsing history, and modify the content of any webpage the user visits. More than half of extension publishers (54%) are anonymous, identifiable only by a Gmail address, and 79% have published just a single extension, making reputation-based vetting nearly impossible.
From Phishing to Supply Chain Hijack
Attackers have shifted from distributing standalone malicious extensions to hijacking trusted ones through supply chain compromises. The most consequential example came on December 24, 2024, when a phishing email targeting a Cyberhaven developer granted attackers access to publish a poisoned update to the company’s Chrome extension. Because Chrome auto-updates extensions silently, approximately 400,000 users received the malicious version within hours. The tampered code exfiltrated cookies and authenticated sessions from targeted websites — all while the original extension continued to function normally.
Subsequent investigation revealed a broader campaign. At least 36 Chrome extensions were compromised using the same phishing playbook, collectively affecting over 2.6 million users. The attackers targeted extension developers specifically because a single compromised account can push malicious code to every user who has the extension installed — an amplification effect that traditional malware distribution cannot match.
Credential Theft at Scale
Beyond supply chain attacks, purpose-built malicious extensions are increasingly targeting enterprise platforms. In January 2026, security firm Socket discovered five Chrome extensions masquerading as productivity tools for Workday, NetSuite, and SAP SuccessFactors. Installed over 2,300 times, these extensions extracted authentication cookies every 60 seconds, sending them to command-and-control servers that gave attackers persistent access to enterprise HR and ERP systems.
The most sophisticated of the five, called “Software Access,” went further: it used bidirectional cookie injection via Chrome’s `chrome.cookies.set()` API to implant stolen session tokens directly into the attacker’s browser, bypassing multi-factor authentication entirely. Two others actively blocked administrators from accessing password-change and sign-on-history pages, preventing detection while the attack was ongoing.
At a larger scale, the DarkSpectre operation — exposed in December 2025 — revealed a seven-year campaign by a Chinese threat actor that infected 8.8 million browsers across Chrome, Edge, and Firefox through 18 extensions. One campaign, dubbed Zoom Stealer, specifically harvested corporate meeting URLs, embedded passwords, and participant lists — intelligence with direct value for corporate espionage.
The GenAI Extension Problem
A newer dimension of risk comes from the rapid adoption of generative AI browser extensions. The LayerX report found that over 20% of enterprise employees now use at least one GenAI extension, and 58% of these extensions hold high or critical risk permissions. These tools often read the full content of every page the user visits in order to provide contextual assistance — meaning sensitive documents, internal dashboards, and proprietary data are silently funneled through third-party infrastructure.
Combined with the fact that 51% of all enterprise extensions have not been updated in over a year and 26% are sideloaded (installed directly by another application, bypassing store vetting entirely), the result is an attack surface that grows more dangerous the longer it goes unmanaged.
What Enterprises Should Do Now
The path from unmanaged extensions to governed extensions does not require replacing browsers or blocking all add-ons. It requires visibility, policy, and continuous monitoring.
Build a complete extension inventory. Use browser management APIs or enterprise browser tools to enumerate every extension across the organization, flag permissions, and cross-reference against known-malicious extension databases. You cannot secure what you cannot see.
Implement version pinning with delayed updates. Rather than relying on Chrome’s silent auto-update mechanism — which propagated the Cyberhaven attack within hours — pin extension versions and introduce a 48-to-72-hour update delay. This creates a window for the security community to detect and flag compromised updates before they reach your endpoints.
Establish an extension allowlist. Move from a default-allow to a default-deny posture. Only pre-approved extensions with verified publishers and justified permissions should be installable. Pay special attention to GenAI extensions, which frequently require permissions far exceeding their stated function.
Monitor for behavioral anomalies. Extensions that suddenly begin making network calls to unfamiliar domains, accessing cookies outside their declared scope, or modifying page content on enterprise platforms should trigger automated alerts. Supply chain attacks are designed to look normal at the permission level — behavioral detection catches what static analysis misses.
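As an added illustration of the four steps above (example code, not from the article or any of the cited vendors), the following Python audit runs a constructed inventory through allowlist, permission, sideload, staleness and egress checks; the record fields mirror chrome.management's ExtensionInfo (id, name, version, permissions, hostPermissions, installType), while the last_updated field, the risk tiers, the allowlist and the observed-egress map are assumptions, and every id and host is a placeholder.

```python
from datetime import date
from fnmatch import fnmatch

# Assumed risk tiers (not the report's exact scheme): access to sessions or page content.
CRITICAL = {"cookies", "webRequest", "webRequestBlocking", "debugger", "<all_urls>"}
HIGH = {"history", "tabs", "scripting", "clipboardRead", "nativeMessaging"}

def risk_level(ext):
    perms = set(ext["permissions"]) | set(ext["hostPermissions"])
    return "critical" if perms & CRITICAL else "high" if perms & HIGH else "low"

def host_allowed(host, host_patterns):
    # Reduce a Chrome match pattern such as "*://*.example.com/*" to a host glob.
    for pat in host_patterns:
        if pat == "<all_urls>":
            return True
        if fnmatch(host, pat.split("://", 1)[-1].split("/", 1)[0]):
            return True
    return False

def audit(inventory, allowlist, observed_egress, today):
    findings = {}  # extension id -> list of issues (empty list means clean)
    for ext in inventory:
        issues = []
        if ext["id"] not in allowlist:
            issues.append("not on allowlist")
        level = risk_level(ext)
        if level != "low":
            issues.append(f"{level} permissions")
        if ext["installType"] in ("sideload", "development"):  # chrome.management values
            issues.append("sideloaded")
        if (today - ext["last_updated"]).days > 365:
            issues.append("stale: no update in over a year")
        for host in observed_egress.get(ext["id"], []):  # behavioural check
            if not host_allowed(host, ext["hostPermissions"]):
                issues.append(f"egress to undeclared host {host}")
        findings[ext["id"]] = issues
    return findings

# Constructed sample inventory; ids and hosts are placeholders, not real extensions.
INVENTORY = [
    {"id": "aaaa", "name": "Approved Notes", "version": "2.1.0", "installType": "normal",
     "permissions": ["storage"], "hostPermissions": ["*://notes.example.com/*"], "last_updated": date(2025, 11, 2)},
    {"id": "bbbb", "name": "HR Helper", "version": "1.0.3", "installType": "sideload",
     "permissions": ["cookies", "tabs"], "hostPermissions": ["*://hr.example.com/*"], "last_updated": date(2024, 1, 15)},
]
ALLOWLIST = {"aaaa"}
# Constructed egress observations (hosts contacted per extension) from a proxy or browser log.
EGRESS = {"aaaa": ["notes.example.com"], "bbbb": ["hr.example.com", "unknown.example.net"]}
FINDINGS = audit(INVENTORY, ALLOWLIST, EGRESS, date(2026, 2, 1))
```

In a real deployment the inventory would come from a management API or enterprise browser export and the egress map from proxy logs; the checks themselves do not change.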
Frequently Asked Questions
Why are browser extensions considered a security blind spot for enterprises?
Browser extensions operate inside the browser with permissions granted at install time, yet they fall outside the visibility of traditional security tools like endpoint detection and response (EDR), data loss prevention (DLP), and network monitoring. The LayerX 2025 report found that 99% of employees have extensions installed, but most security teams maintain no inventory of them. This creates an unmonitored attack surface where malicious or compromised extensions can exfiltrate data without triggering any alerts.
How did the Cyberhaven supply chain attack work?
On December 24, 2024, attackers sent a phishing email to a Cyberhaven developer that appeared to come from the Chrome Web Store. After gaining the developer’s credentials, they published a poisoned update to Cyberhaven’s legitimate Chrome extension. Chrome’s silent auto-update mechanism pushed the malicious version to approximately 400,000 users within hours. The compromised extension exfiltrated cookies and authenticated sessions while continuing to function normally, making detection extremely difficult.
What can organizations do to reduce browser extension risk without blocking all extensions?
Organizations can take three practical steps: first, build a complete extension inventory using browser management APIs to identify every installed extension and its permissions. Second, implement version pinning with a 48-to-72-hour update delay, creating a buffer against supply chain attacks that exploit auto-updates. Third, switch from default-allow to an extension allowlist policy, where only pre-approved extensions with verified publishers are installable. These measures provide strong protection without eliminating the productivity benefits of legitimate extensions.
Sources & Further Reading
- Majority of Browser Extensions Can Access Sensitive Enterprise Data — The Hacker News
- LayerX Enterprise Browser Extension Security Report 2025 — GlobeNewsWire
- Cyberhaven Supply Chain Attack: Exploiting Browser Extensions — Darktrace
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite — The Hacker News
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users — The Hacker News
- Several Chrome Extensions Compromised in Supply Chain Attack — SecurityWeek
- The Hidden Cybersecurity Risk in Your Browser Extensions — Barracuda Networks