Malicious Chrome Extensions Target Workday & NetSuite Accounts

Researchers have uncovered five malicious Chrome extensions masquerading as HR and ERP tools (Workday, NetSuite, SuccessFactors) to hijack accounts through cookie theft, DOM manipulation, and session hijacking.

Extensions Identified

  • DataByCloud Access – 251 installs
  • Tool Access 11 – 101 installs
  • DataByCloud 1 – 1,000 installs
  • DataByCloud 2 – 1,000 installs
  • Software Access – 27 installs

Four of these have been removed from the Chrome Web Store, but Software Access remains available on third-party sites like Softonic.

Attack Techniques

  • Cookie theft: Authentication cookies exfiltrated every 60 seconds to attacker-controlled domains (api.databycloud[.]com, api.software-access[.]com).
  • DOM manipulation: Blocks access to critical Workday admin/security pages (authentication management, IP range settings, 2FA, audit logs).
  • Session hijacking: Injects stolen cookies directly into attacker browsers, granting full victim session takeover.
  • Developer tool blocking: Prevents inspection and debugging of the extension using the DisableDevtool library.
  • Encrypted C2 traffic: Makes detection harder.

Extension Behavior

  • DataByCloud Access & DataByCloud 1: Focus on cookie theft.
  • Tool Access 11 & DataByCloud 2: Block 44–56 Workday admin pages, including password changes and account deactivation.
  • Software Access: Most advanced—combines cookie theft with cookie injection for direct session hijacking.

Coordinated Campaign Indicators

  • Shared publisher names (databycloud1104, Software Access).
  • Identical infrastructure patterns.
  • Common list of 23 Chrome security extensions flagged (e.g., EditThisCookie, ModHeader, Redux DevTools).
  • Suggests either a single threat actor or a shared malicious toolkit.

Recommendations

  • Immediate removal: Uninstall any of the listed extensions.
  • Password resets: Change credentials for Workday, NetSuite, SuccessFactors, and linked accounts.
  • Session review: Check for unauthorized logins from unfamiliar IPs/devices.
  • Enterprise monitoring: Watch for blocked admin pages or suspicious cookie activity.
  • Security awareness: Train staff to avoid installing unverified “productivity” extensions.
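For the "Enterprise monitoring" recommendation, the 60-second exfiltration interval and the two C2 domains named under Attack Techniques give a concrete thing to hunt for in proxy logs. The following is an added example (not from the report or the researchers): it parses constructed sample proxy lines in an assumed `<timestamp> <client> <method> <host> <path>` layout and flags clients that contact the listed domains, marking those whose request cadence matches the roughly one-minute beacon.

```python
"""Hunt for the cookie-exfiltration beacon described in the report (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Domains named in the report (written defanged there; plain here for matching).
C2_DOMAINS = {"api.databycloud.com", "api.software-access.com"}

# Constructed sample proxy log: "<ISO timestamp> <client IP> <method> <host> <path>".
# 10.0.0.5 beacons about once a minute; 10.0.0.9 made two widely spaced requests.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 POST api.databycloud.com /collect
2024-05-01T09:00:07 10.0.0.5 GET hr.example.com /home
2024-05-01T09:01:00 10.0.0.5 POST api.databycloud.com /collect
2024-05-01T09:01:59 10.0.0.5 POST api.databycloud.com /collect
2024-05-01T09:03:01 10.0.0.5 POST api.databycloud.com /collect
2024-05-01T09:00:30 10.0.0.9 GET api.software-access.com /ping
2024-05-01T09:30:00 10.0.0.9 GET api.software-access.com /ping
"""


def analyze(log_text, domains=C2_DOMAINS, period=60, tolerance=5, min_hits=3):
    """One finding per (client, host) pair that reached a listed domain.

    Any contact with a listed domain is worth a ticket; `periodic` is True when
    at least `min_hits` requests were seen and the median gap between them is
    within `tolerance` seconds of `period`, i.e. the report's 60-second beacon.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path = line.split()
        if host.lower() in domains:
            seen[(client, host)].append(datetime.fromisoformat(ts))

    findings = []
    for (client, host), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        periodic = len(times) >= min_hits and med is not None and abs(med - period) <= tolerance
        findings.append({"client": client, "host": host, "hits": len(times),
                         "median_gap": med, "periodic": periodic})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The `periodic` flag is only a prioritisation aid: a single request to either domain from a managed endpoint already warrants checking that host for the listed extensions.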

Takeaway

This campaign demonstrates how malicious browser extensions can bypass enterprise defenses by directly targeting authentication tokens and blocking the interfaces an administrator would use to remediate. The combination of continuous cookie theft, admin-page blocking, and session hijacking makes these extensions especially dangerous for organizations relying on cloud HR/ERP platforms.
