Chrome Extensions Stole Enterprise Credentials From 2,300 Users

Fake productivity tools for enterprise platforms extracted session tokens and blocked security response pages

Five extensions targeting enterprise HR platforms were installed 2,300 times before removal

Malicious Chrome extensions posing as enterprise productivity tools stole authentication credentials from Workday, NetSuite, and SAP SuccessFactors users. The extensions extracted session cookies every 60 seconds and blocked access to security management pages.

Five malicious Chrome extensions targeting enterprise HR and ERP platforms were discovered on the Chrome Web Store. The extensions, installed more than 2,300 times, stole authentication credentials from Workday, NetSuite, and SAP SuccessFactors users while impersonating productivity and security tools.

Cybersecurity firm Socket identified the campaign and reported the extensions to Google. All five have been removed. The extensions shared identical infrastructure, code patterns, and targeting despite appearing as separate publishers. Four were published under the developer name databycloud1104. The fifth used the name Software Access.

The extensions used three attack methods. First, they continuously extracted authentication cookies named "__session" containing active login tokens for the targeted platforms. These tokens were exfiltrated to remote command-and-control servers every 60 seconds, allowing attackers to maintain access even when users logged out and back in.

Second, two extensions blocked access to security and incident response pages within Workday. Tool Access 11 targeted 44 administrative pages including authentication policies, security proxy configuration, IP range management, and session controls. Data By Cloud 2 expanded this to 56 pages by adding password management, account deactivation, 2FA device controls, and security audit logs. The extensions either erased content on these pages or redirected administrators away from management interfaces.

Third, the Software Access extension implemented bidirectional cookie manipulation. In addition to stealing session tokens, it could receive stolen cookies from the attacker's server and inject them directly into browsers. This enabled immediate account takeover across targeted enterprise platforms without entering usernames, passwords, or multi-factor authentication codes.

The extensions marketed themselves as legitimate tools for enterprise users. Data By Cloud 2, installed 1,000 times, promoted itself as a dashboard offering bulk management tools and faster access for users managing multiple enterprise accounts. Tool Access 11 positioned itself as a security-focused add-on that would restrict access to sensitive administrative features to prevent account compromise. Other extensions used similar language about providing access to tools and services.

None of the extensions disclosed cookie extraction, credential exfiltration, or the blocking of security administration pages in their descriptions. The privacy policies did not mention that user data would be collected. The requested permissions appeared consistent with legitimate enterprise integrations.
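One way a security team can narrow a fleet-wide review of installed extensions, as an added example that is not code from the article or from Socket: flag any manifest that combines the cookies permission, or a page-interception permission, with host access to the platforms named above. Because the article notes the requested permissions looked consistent with legitimate integrations, this is a triage filter that shortlists extensions for manual review, not a detector; the permission sets, the directory layout and the sample manifests below are assumptions and constructed data.

```python
import json
from pathlib import Path

# Domains of the platforms the campaign targeted (from the article).
TARGET_HOSTS = ("workday.com", "netsuite.com", "successfactors.com")

# Assumed permission groups: cookie read/write, and intercepting or rewriting page loads.
COOKIE_PERMS = {"cookies"}
BLOCKING_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "declarativeNetRequestWithHostAccess", "scripting"}


def _pattern_covers(pattern: str, domain: str) -> bool:
    """True if a Chrome match pattern (e.g. https://*.workday.com/*) can reach hosts under domain."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # a named permission, not a host pattern
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        pat_host = pat_host[2:]
    # pattern host is the domain itself, a subdomain of it, or a parent of it
    return pat_host == domain or pat_host.endswith("." + domain) or domain.endswith("." + pat_host)


def triage_manifest(manifest: dict) -> dict:
    """Return the findings a reviewer would want for one extension manifest."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    host_patterns = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    reach = sorted(d for d in TARGET_HOSTS if any(_pattern_covers(p, d) for p in host_patterns))
    cookie_access = bool(perms & COOKIE_PERMS) and bool(reach)
    can_block = bool(perms & BLOCKING_PERMS) and bool(reach)
    findings = []
    if cookie_access:
        findings.append("cookies permission with host access to " + ", ".join(reach))
    if can_block:
        findings.append("page-interception permission on " + ", ".join(reach))
    return {"name": manifest.get("name", "?"), "reaches": reach, "cookie_access": cookie_access,
            "can_block_pages": can_block, "findings": findings}


def scan_profile(extensions_dir: str) -> list:
    """Triage every <id>/<version>/manifest.json under a Chrome profile's Extensions folder (assumed layout)."""
    return [triage_manifest(json.loads(p.read_text())) for p in Path(extensions_dir).glob("*/*/manifest.json")]


# Constructed sample manifests for illustration; not the real extensions' manifests.
SUSPECT = {"name": "Example HR Helper", "manifest_version": 3,
           "permissions": ["cookies", "declarativeNetRequest", "storage"],
           "host_permissions": ["https://*.workday.com/*", "https://*.netsuite.com/*"]}
BENIGN = {"name": "Example Notes", "manifest_version": 3, "permissions": ["storage"]}
```

Extensions shortlisted by `findings` still need a look at their background and content scripts, since the cookie-copying and page-blanking behaviour described above lives in code, not in the manifest.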

Socket reported the extensions to Google. At the time of publication, they had been removed from the Chrome Web Store. Anyone who installed these extensions should report them to their security administrators and change their passwords on the targeted platforms. The theft of enterprise credentials from 2,300 users could fuel large-scale ransomware and data theft attacks if the stolen tokens are not invalidated.


FAQ

Which Chrome extensions were stealing credentials?

Five extensions targeting Workday, NetSuite, and SAP SuccessFactors. Data By Cloud 2 had 1,000 installs. Tool Access 11 and three others were published under databycloud1104. The fifth was Software Access. All have been removed from the Chrome Web Store.

How did the extensions steal credentials?

They extracted "__session" cookies containing active login tokens every 60 seconds and sent them to remote servers. The Software Access extension could also inject stolen cookies into browsers, enabling account takeover without passwords or 2FA.

What did the extensions block?

Tool Access 11 blocked 44 administrative pages in Workday including authentication policies and session controls. Data By Cloud 2 blocked 56 pages including password management and security audit logs. This prevented administrators from responding to security incidents.

Were the extensions disclosed as malicious?

No. They marketed themselves as productivity and security tools for enterprise platforms. None disclosed cookie extraction or credential theft. Their privacy policies did not mention data collection. The requested permissions appeared consistent with legitimate enterprise integrations.

What should users do if they installed these extensions?

Report the installation to security administrators immediately. Change passwords on Workday, NetSuite, and SAP SuccessFactors. Security teams should investigate potential account compromises and invalidate any stolen session tokens.