⚡ Key Takeaways

53% of enterprise browser extensions hold high or critical risk permissions granting access to cookies, passwords, and page content, yet most security teams maintain zero inventory. The Cyberhaven supply chain attack (December 2024) pushed malicious code to 400,000 users via Chrome’s auto-update, while the DarkSpectre campaign infected 8.8 million browsers over seven years.

Bottom Line: Security teams should immediately inventory all browser extensions across endpoints using built-in Chrome Enterprise or Edge management tools, then enforce an extension allowlist with version-pinned updates to close this actively exploited blind spot.



🧭 Decision Radar (Algeria Lens)

Relevance for Algeria
High

Browser extensions are platform-agnostic — any Algerian enterprise using Chrome or Edge faces the same risks as global organizations. With limited local cybersecurity tooling and low awareness of extension-layer threats, the exposure may be disproportionately high.
Infrastructure Ready?
Partial

Algeria’s enterprises largely use standard Chrome and Edge browsers, which support extension management policies via Google Admin Console or Group Policy. However, dedicated browser security platforms (LayerX, Keep Aware, Seraphic) have no local presence or Arabic-language support.
Skills Available?
Limited

Algerian IT teams generally manage endpoint and network security but lack specialized browser-layer security expertise. Extension auditing and behavioral monitoring are not yet standard practice in most Algerian organizations.
Action Timeline
Immediate

Extension-based attacks are actively targeting enterprises worldwide right now. Algerian organizations should audit their extension landscape immediately — this requires no new procurement, only existing browser management capabilities.
Key Stakeholders
CISOs, IT security
Decision Type
Tactical

This article identifies a specific, actionable security gap that can be addressed with existing tools and policy changes rather than strategic transformation.

Quick Take: Algerian enterprises should conduct an immediate browser extension audit across all endpoints, using built-in Chrome Enterprise or Edge management tools to inventory installed extensions and flag high-risk permissions. Prioritize removing sideloaded and unvetted GenAI extensions, and implement an extension allowlist policy. This requires no new procurement, only staff time and existing browser policy tooling, and it addresses an active global threat vector.

The Attack Surface Hiding in Plain Sight

Every enterprise employee opens a browser dozens of times a day, and almost every one of them has loaded it with extensions they chose themselves. According to the LayerX Enterprise Browser Extension Security Report 2025, 99% of enterprise employees have at least one browser extension installed, and 52% run more than ten. Yet most security teams have zero inventory of what is running inside their users’ browsers.

The numbers behind this blind spot are striking. Fifty-three percent of extensions used in enterprise environments request permissions rated high or critical — meaning they can read cookies, intercept passwords, access browsing history, and modify the content of any webpage the user visits. More than half of extension publishers (54%) are anonymous, identifiable only by a Gmail address, and 79% have published just a single extension, making reputation-based vetting nearly impossible.

From Phishing to Supply Chain Hijack

Attackers have shifted from distributing standalone malicious extensions to hijacking trusted ones through supply chain compromises. The most consequential example came on December 24, 2024, when a phishing email tricked a Cyberhaven developer into approving an attacker-controlled OAuth application that carried publish rights to the company’s Chrome Web Store listing. No password was stolen and no MFA prompt was triggered; the authorization grant alone was enough to push a poisoned update. Because Chrome auto-updates extensions silently, approximately 400,000 users received the malicious version within hours of it being published. The tampered code exfiltrated cookies and authenticated sessions from targeted websites while the original extension continued to function normally.

Subsequent investigation revealed a broader campaign. At least 36 Chrome extensions were compromised using the same phishing playbook, collectively affecting over 2.6 million users. The attackers targeted extension developers specifically because a single compromised account can push malicious code to every user who has the extension installed — an amplification effect that traditional malware distribution cannot match.


Credential Theft at Scale

Beyond supply chain attacks, purpose-built malicious extensions are increasingly targeting enterprise platforms. In January 2026, security firm Socket discovered five Chrome extensions masquerading as productivity tools for Workday, NetSuite, and SAP SuccessFactors. Installed over 2,300 times, these extensions extracted authentication cookies every 60 seconds, sending them to command-and-control servers that gave attackers persistent access to enterprise HR and ERP systems.

The most sophisticated of the five, called “Software Access,” went further: beyond reading cookies, it used Chrome’s `chrome.cookies.set()` API to implant the stolen session cookies into an attacker-controlled browser, so the attacker’s session was indistinguishable from the victim’s. Replaying a live session sidesteps multi-factor authentication because the second factor was already satisfied when the victim logged in; nothing re-checks it on subsequent requests. Two others actively blocked administrators from accessing password-change and sign-on-history pages, preventing detection while the attack was ongoing.

At a larger scale, the DarkSpectre operation — exposed in December 2025 — revealed a seven-year campaign by a Chinese threat actor that infected 8.8 million browsers across Chrome, Edge, and Firefox through 18 extensions. One campaign, dubbed Zoom Stealer, specifically harvested corporate meeting URLs, embedded passwords, and participant lists — intelligence with direct value for corporate espionage.

The GenAI Extension Problem

A newer dimension of risk comes from the rapid adoption of generative AI browser extensions. The LayerX report found that over 20% of enterprise employees now use at least one GenAI extension, and 58% of these extensions hold high or critical risk permissions. These tools often read the full content of every page the user visits in order to provide contextual assistance — meaning sensitive documents, internal dashboards, and proprietary data are silently funneled through third-party infrastructure.

Combined with the fact that 51% of all enterprise extensions have not been updated in over a year and 26% are sideloaded (installed directly by another application, bypassing store vetting entirely), the result is an attack surface that grows more dangerous the longer it goes unmanaged.

What Enterprises Should Do Now

The path from unmanaged extensions to governed extensions does not require replacing browsers or blocking all add-ons. It requires visibility, policy, and continuous monitoring.

Build a complete extension inventory. Use browser management APIs or enterprise browser tools to enumerate every extension across the organization, flag permissions, and cross-reference against known-malicious extension databases. You cannot secure what you cannot see.

Implement version pinning with delayed updates. Rather than relying on Chrome’s silent auto-update mechanism, which propagated the Cyberhaven attack within hours, pin extension versions and introduce a 48-to-72-hour update delay. This creates a window for the security community to detect and flag compromised updates before they reach your endpoints. One caveat: Chrome’s and Edge’s ExtensionSettings policy cannot hold a Web Store extension at a chosen version (it only offers a minimum version), so pinning in practice means mirroring the approved build to an internal update URL that you control, or using a browser security platform that does this for you.

Establish an extension allowlist. Move from a default-allow to a default-deny posture. Only pre-approved extensions with verified publishers and justified permissions should be installable. Pay special attention to GenAI extensions, which frequently require permissions far exceeding their stated function.

Monitor for behavioral anomalies. Extensions that suddenly begin making network calls to unfamiliar domains, accessing cookies outside their declared scope, or modifying page content on enterprise platforms should trigger automated alerts. Supply chain attacks are designed to look normal at the permission level — behavioral detection catches what static analysis misses.



Frequently Asked Questions

Why are browser extensions considered a security blind spot for enterprises?

Browser extensions run inside the browser with permissions granted at install time, and the usual controls see little of them: endpoint detection (EDR) sees only the browser process, network monitoring sees encrypted traffic it cannot attribute to a particular extension, and data loss prevention (DLP) rarely inspects content an extension reads in place from the page. The LayerX 2025 report found that 99% of employees have extensions installed, but most security teams maintain no inventory of them. This creates an unmonitored attack surface where malicious or compromised extensions can exfiltrate data without triggering any alerts.

How did the Cyberhaven supply chain attack work?

On December 24, 2024, attackers sent a phishing email to a Cyberhaven developer that appeared to come from the Chrome Web Store, warning of a policy violation. The link led to a genuine Google OAuth consent screen for an attacker-controlled application; once the developer approved it, the attackers held an authorization to publish to Cyberhaven’s Chrome Web Store listing without ever learning a password or defeating MFA. They used it to publish a poisoned update to the legitimate extension, and Chrome’s silent auto-update mechanism pushed the malicious version to approximately 400,000 users within hours. The compromised extension exfiltrated cookies and authenticated sessions while continuing to function normally, making detection extremely difficult.

What can organizations do to reduce browser extension risk without blocking all extensions?

Organizations can take three practical steps: first, build a complete extension inventory using browser management APIs to identify every installed extension and its permissions. Second, implement version pinning with a 48-to-72-hour update delay, creating a buffer against supply chain attacks that exploit auto-updates. Third, switch from default-allow to an extension allowlist policy, where only pre-approved extensions with verified publishers are installable. These measures provide strong protection without eliminating the productivity benefits of legitimate extensions.
