Malicious Chrome Extensions Steal Session Cookies and Take Over Enterprise HR/ERP Accounts

Monday, January 19, 2026

Cybersecurity firm Socket has identified and warned about five malicious Google Chrome extensions with a combined total of more than 2,300 installations. These extensions masqueraded as productivity and security tools for popular enterprise HR and ERP platforms such as Workday, NetSuite, and SAP SuccessFactors, with the goal of stealing authentication data and taking over corporate accounts. Such access could enable severe follow-on attacks, including data theft and the deployment of ransomware within organizations.

The observed malicious behavior falls into three primary categories:

  1. Cookie Exfiltration – Session tokens are sent to attacker-controlled command-and-control (C2) servers every 60 seconds, allowing attackers to maintain persistent access.
  2. Admin Page Blocking – The extensions use DOM manipulation to block access to administrative and security settings pages, including 2FA configuration, account management, and audit logs, hindering detection and incident response.
  3. Cookie Injection – Session cookies received from the attackers’ servers are injected into the victim’s browser, enabling session hijacking without requiring passwords or one-time passcodes (OTP).

The malicious extensions were published under developer names such as databycloud1104 and Software Access, with examples including Data By Cloud 2 and Tool Access 11. Although these extensions have been removed from the Chrome Web Store following disclosure, users and organizations that previously installed them may still be at risk of data compromise. Affected organizations are advised to notify their security teams, initiate incident response procedures, and immediately reset credentials for any impacted platforms.
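For defenders triaging installed extensions, the following is an added example (not code from Socket or the article) that scores a Chrome extension's manifest against the capabilities described above: the `cookies` permission scoped to HR/ERP hosts, `cookies` plus `alarms` as the shape of a periodic beacon, and a content script injected at `document_start` on those hosts, which is what DOM-based blocking of admin pages needs. The platform host patterns (`myworkday.com`, `netsuite.com`, `successfactors.com/.eu`) are assumptions, not indicators from the article; the reported extension names are taken from it.

```python
import json
import re
from pathlib import Path

# Extension display names reported by Socket (exact-match lookup).
REPORTED_NAMES = {"Data By Cloud 2", "Tool Access 11"}
# Host patterns for the targeted platforms; assumed domains, not indicators from the article.
TARGET_HOST_RE = re.compile(r"(myworkday\.com|netsuite\.com|successfactors\.(?:com|eu))")


def assess_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one Chrome extension manifest (empty if nothing matched)."""
    findings = []
    name = manifest.get("name", "")
    if name in REPORTED_NAMES:
        findings.append(f"name '{name}' matches an extension reported by Socket")

    perms = set(manifest.get("permissions", []))
    scripts = manifest.get("content_scripts", [])
    hosts = list(manifest.get("host_permissions", []))
    for cs in scripts:
        hosts.extend(cs.get("matches", []))
    targets_hr = any(TARGET_HOST_RE.search(h) for h in hosts)

    # Capabilities 1 and 3: reading or setting session cookies for the HR/ERP hosts.
    if "cookies" in perms and targets_hr:
        findings.append("'cookies' permission scoped to HR/ERP hosts (exfiltration/injection capable)")
    # Capability 1: a 60-second beacon needs scheduled background work to outlive MV3 worker idling.
    if {"cookies", "alarms"} <= perms:
        findings.append("'cookies' + 'alarms': periodic cookie beaconing pattern")
    # Capability 2: a script that runs before the page loads can hide admin/2FA/audit views.
    if targets_hr and any(cs.get("run_at") == "document_start" for cs in scripts):
        findings.append("content script at document_start on HR/ERP pages (DOM blocking capable)")
    return findings


def scan_extensions_dir(extensions_dir: str) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and map flagged extension ids to findings."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip rather than abort the scan
        findings = assess_manifest(manifest)
        if findings:
            report[manifest_path.parent.parent.name] = findings
    return report
```

Point `scan_extensions_dir` at a profile's `Extensions` directory; a hit on the name list warrants the credential reset the article recommends, while the capability findings alone are a triage signal that still needs a look at the extension's code.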

Source: https://www.bleepingcomputer.com/news/security/credential-stealing-chrome-extensions-target-enterprise-hr-platforms/