Cybersecurity researchers have uncovered five malicious Google Chrome extensions that impersonate popular enterprise platforms such as Workday, NetSuite, and SuccessFactors to hijack user accounts.
According to a report by Socket security researcher Kush Pandya, these extensions work together to steal authentication data, disable security controls, and enable full account takeover through session hijacking.
🧠 How These Malicious Extensions Work
The extensions are marketed as productivity or premium access tools, but once installed, they secretly:
- Steal authentication cookies
- Send them to attacker-controlled servers
- Block security and admin pages
- Hijack active login sessions
- Prevent users and admins from responding to incidents
Taken together, this behavior means a compromise can still be detected, but the victim is prevented from remediating it.
🧾 List of Identified Malicious Extensions
The five extensions identified are:
- DataByCloud Access
  - ID: oldhjammhkghhahhhdcifmmlefibciph
  - Publisher: databycloud1104
  - Installs: 251
- Tool Access 11
  - ID: ijapakghdgckgblfgjobhcfglebbkebf
  - Publisher: databycloud1104
  - Installs: 101
- DataByCloud 1
  - ID: mbjjeombjeklkbndcjgmfcdhfbjngcam
  - Publisher: databycloud1104
  - Installs: 1,000
- DataByCloud 2
  - ID: makdmacamkifdldldlelollkkjnoiedg
  - Publisher: databycloud1104
  - Installs: 1,000
- Software Access
  - ID: bmodapcihjhklpogdpblefpepjolaoij
  - Publisher: Software Access
  - Installs: 27
All except Software Access have been removed from the Chrome Web Store, but they are still being distributed via third-party sites like Softonic, posing an ongoing risk.
🕵️ Coordinated Attack Campaign
Despite appearing under different publishers, researchers believe this is a single coordinated campaign due to:
- Identical functionality
- Shared infrastructure
- Similar encryption methods
- Common extension behavior patterns
Two of the extensions were originally published as far back as August 18, 2021, indicating a long-running operation.
Cookie Theft and Session Hijacking Explained
The extensions request the following browser permissions:
- Cookies
- Scripting
- Storage
- Management
- Network request control
With these permissions, they:
- Collect authentication cookies from Workday, NetSuite, and SuccessFactors
- Transmit them every 60 seconds to attacker servers such as api.databycloud[.]com
- Allow attackers to reuse those cookies to log in without passwords
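The following Python script is an added example, not code from Socket or from the article, that a defender can run on an endpoint to check a local Chrome profile: it walks the profile's extension directories, flags the five extension IDs listed above, and flags any other extension whose manifest requests the cookie-theft permission combination described in this section. The Chrome profile paths are assumed defaults, and mapping the article's "network request control" to the `declarativeNetRequest` manifest permission is an assumption.

```python
"""Added example (not from the Socket report): inventory a local Chrome
profile for the extension IDs named in the article and for the high-risk
permission combination the report attributes to them."""
import json
from pathlib import Path

# Extension IDs reported in the article (the page's own indicators).
KNOWN_MALICIOUS_IDS = {
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "DataByCloud 1",
    "makdmacamkifdldldlelollkkjnoiedg": "DataByCloud 2",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}

# Manifest permission names for the combination the report describes.
# Assumption: "network request control" corresponds to declarativeNetRequest.
RISKY_PERMISSIONS = {"cookies", "scripting", "storage", "management",
                     "declarativeNetRequest"}


def chrome_extension_roots():
    """Default Chrome extension directories per OS (assumed paths)."""
    home = Path.home()
    candidates = [
        home / "AppData/Local/Google/Chrome/User Data/Default/Extensions",   # Windows
        home / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
        home / ".config/google-chrome/Default/Extensions",                   # Linux
    ]
    return [p for p in candidates if p.is_dir()]


def load_manifest(version_dir):
    """Read <extension>/<version>/manifest.json, or None if unreadable."""
    manifest = version_dir / "manifest.json"
    if not manifest.is_file():
        return None
    try:
        return json.loads(manifest.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None


def assess_extension(ext_id, manifest):
    """Return a list of human-readable findings for one extension."""
    findings = []
    if ext_id in KNOWN_MALICIOUS_IDS:
        findings.append(f"known malicious ID ({KNOWN_MALICIOUS_IDS[ext_id]})")
    if manifest:
        hits = set(manifest.get("permissions", [])) & RISKY_PERMISSIONS
        if hits == RISKY_PERMISSIONS:
            findings.append("full cookie-theft permission set: " + ", ".join(sorted(hits)))
        elif "cookies" in hits and len(hits) >= 3:
            findings.append("suspicious permission overlap: " + ", ".join(sorted(hits)))
    return findings


def scan_root(root):
    """Scan one Extensions directory; returns {extension_id: [findings]}."""
    results = {}
    for ext_dir in Path(root).iterdir():
        if not ext_dir.is_dir():
            continue
        manifest = None
        # Chrome keeps one sub-directory per installed version; use the latest readable one.
        for version_dir in sorted(ext_dir.iterdir()):
            manifest = load_manifest(version_dir) or manifest
        findings = assess_extension(ext_dir.name, manifest)
        if findings:
            results[ext_dir.name] = findings
    return results


if __name__ == "__main__":
    for root in chrome_extension_roots():
        for ext_id, findings in scan_root(root).items():
            print(f"{root}: {ext_id} -> " + "; ".join(findings))
```

The ID match is the high-confidence signal; the permission check is a weaker heuristic that will also surface legitimate extensions with broad access, so treat its hits as review candidates rather than verdicts.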
🚫 Blocking Security and Admin Controls
Extensions such as Tool Access 11 and DataByCloud 2 go a step further by blocking access to critical administrative pages using DOM manipulation. They prevent access to:
- Authentication settings
- Password changes
- Account deactivation
- 2FA management
- IP restrictions
- Security audit logs
- Session termination controls
This effectively locks defenders out while attackers retain access.
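The cookie exfiltration described above beacons to the attacker server every 60 seconds, and a fixed cadence like that is something a defender can hunt for in web proxy logs even after the extension has locked users out of the application's own security pages. The script below is an added example, not code from Socket or the article: it groups proxy log lines by client and destination, measures the gaps between contacts, and flags pairs whose median interval is close to 60 seconds with low jitter. The log format and the sample lines are constructed for the example; the beaconing host is the defanged domain named in the article.

```python
"""Added example (not from the Socket report): detect a fixed-interval
beacon, such as the 60-second cookie exfiltration the report describes,
in web proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client IP> <destination host>".
# The beaconing host is the domain the article reports (defanged there).
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 api.databycloud.com
2024-05-01T09:00:05 10.0.0.5 cdn.example.net
2024-05-01T09:00:12 10.0.0.5 hr-portal.example.com
2024-05-01T09:00:20 10.0.0.5 cdn.example.net
2024-05-01T09:01:00 10.0.0.5 api.databycloud.com
2024-05-01T09:01:50 10.0.0.5 cdn.example.net
2024-05-01T09:02:01 10.0.0.5 api.databycloud.com
2024-05-01T09:02:59 10.0.0.5 api.databycloud.com
2024-05-01T09:03:10 10.0.0.5 cdn.example.net
2024-05-01T09:03:15 10.0.0.5 cdn.example.net
2024-05-01T09:03:20 10.0.0.5 hr-portal.example.com
2024-05-01T09:04:00 10.0.0.5 api.databycloud.com
2024-05-01T09:05:00 10.0.0.5 api.databycloud.com
"""


def parse_log(text):
    """Group contact times (epoch seconds) by (client, host); skip malformed lines."""
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        timestamp, client, host = parts
        series[(client, host)].append(datetime.fromisoformat(timestamp).timestamp())
    return series


def beacon_score(timestamps, min_events=5):
    """Return (median_gap_seconds, jitter_ratio), or None with too few events.

    jitter_ratio is the standard deviation of the gaps divided by their
    median; a value near 0 means the contacts arrive on a fixed schedule."""
    if len(timestamps) < min_events:
        return None
    ordered = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    return med, pstdev(gaps) / med


def find_beacons(text, expected_interval=60.0, tolerance=0.25, max_jitter=0.1):
    """Flag (client, host) pairs whose cadence is within tolerance of the
    expected interval and whose jitter is low. Returns {(client, host): median_gap}."""
    flagged = {}
    for key, timestamps in parse_log(text).items():
        score = beacon_score(timestamps)
        if score is None:
            continue
        med, jitter = score
        if abs(med - expected_interval) <= tolerance * expected_interval and jitter <= max_jitter:
            flagged[key] = med
    return flagged


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: ~{interval:.0f}s cadence")
```

In the sample, `cdn.example.net` has enough events to be scored and a median gap inside the tolerance window, but its jitter is high, so only the `api.databycloud.com` series is reported. On real logs, raise `min_events` and lower `max_jitter` together to keep false positives from software updaters and telemetry manageable.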
⚠️ What Users Should Do Immediately
If you have installed any of these extensions:
- Remove them immediately
- Reset all related passwords
- Review login activity for unknown IPs or devices
- Enable or reconfigure 2FA
- Avoid downloading extensions from third-party sites