Malicious Chrome Extensions Steal Credentials From Enterprise HR Platforms
Jan 20, 2026
A coordinated campaign involving malicious Google Chrome extensions has been discovered targeting enterprise human resources (HR) and enterprise resource planning (ERP) platforms. The extensions masquerade as legitimate productivity or security tools for widely used services such as Workday, NetSuite, and SAP SuccessFactors, but are engineered to steal authentication tokens, block critical security pages, and enable full session hijacking of compromised enterprise accounts.
The threat was uncovered by cybersecurity researchers at Socket, who identified five distinct malicious Chrome extensions that share identical infrastructure, code patterns, and targeted API endpoints—despite being published under different developer names including databycloud1104 and Software Access. These extensions have collectively been installed more than 2,300 times from the official Chrome Web Store, exposing organizations to credential theft and potential downstream attacks like data exfiltration or ransomware deployment.
Threat Breakdown
| Extension Name / Publisher | Approx. Installs | Malicious Capabilities |
|---|---|---|
| Data By Cloud 2 (databycloud1104) | ~1,000 | Cookie exfiltration, blocks security admin pages |
| Tool Access 11 (databycloud1104) | Several hundred | Blocks admin pages, DOM manipulation |
| Other databycloud1104 extensions | — | Authentication token theft |
| Software Access | — | Bidirectional cookie injection (session hijack) |
How the Attack Works
Social Engineering & Distribution
The extensions were marketed as useful enterprise add-ons, claiming to enhance productivity, streamline workflows, or improve security controls for HR/ERP administrators. Examples include dashboards for bulk account management or tools purportedly designed to limit access to sensitive features under the pretext of security.
None of the extensions disclosed their malicious behavior in their listings, nor did their privacy policies mention user data collection. Permissions requested looked consistent with enterprise integrations, helping them evade suspicion.
Cookie Theft & Session Hijacking
The extensions repeatedly read the authentication cookie named "__session" from the browser's cookie store, capturing live session tokens without the user ever entering credentials. Every 60 seconds the captured tokens were sent to attacker-controlled command-and-control (C2) servers. Because the loop never stopped, a fresh token issued when the user logged out and back in was captured just as the old one had been, so the attacker's access persisted across re-logins. An extension holding the cookies permission reads through the browser's own cookie API, so the HttpOnly flag, which only hides a cookie from page JavaScript, offers no protection against this.
One extension (Software Access) went further by implementing bidirectional cookie injection: the same channel that carried cookies out could also receive cookies from the attacker's server and write them into the browser's cookie store. Since a valid session cookie is all the platform checks, sessions could be taken over without usernames, passwords, or multi-factor authentication codes.
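The fixed 60-second cadence described above is visible from the network side. The following is an added example, not code from this page or from Socket's report: a small Node.js script that parses constructed web-proxy log lines (the log format, client address and every hostname are invented for the example) and reports client/destination pairs whose POSTs arrive at a near-constant interval.

```javascript
// Added example, not code from the page or from Socket: beacon detection over
// web-proxy logs. The log format, the IP address and every hostname below are
// constructed for illustration; adapt parseProxyLog() to your proxy's format.

// Constructed sample: one browser session on a Workday tenant, plus a ~60 s
// stream of POSTs to an unrelated host, each carrying roughly 1.8 KB.
const SAMPLE_LOG = `
2026-01-20T09:00:00Z 10.0.4.21 POST hr.example-corp.workday.com /home 200 412
2026-01-20T09:00:03Z 10.0.4.21 GET  cdn.example-corp.workday.com /app.js 200 0
2026-01-20T09:00:05Z 10.0.4.21 POST api.collector-example.net /sync 200 1860
2026-01-20T09:01:05Z 10.0.4.21 POST api.collector-example.net /sync 200 1862
2026-01-20T09:02:05Z 10.0.4.21 POST api.collector-example.net /sync 200 1859
2026-01-20T09:02:41Z 10.0.4.21 GET  hr.example-corp.workday.com /reports 200 0
2026-01-20T09:03:06Z 10.0.4.21 POST api.collector-example.net /sync 200 1861
2026-01-20T09:04:05Z 10.0.4.21 POST api.collector-example.net /sync 200 1858
2026-01-20T09:04:09Z 10.0.4.21 POST hr.example-corp.workday.com /search 200 98
`;

// Fields: timestamp, client IP, method, destination host, path, status, request-body bytes.
function parseProxyLog(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, src, method, host, path, status, bytesOut] = line.trim().split(/\s+/);
    return { t: Date.parse(ts) / 1000, src, method, host, path, status: Number(status), bytesOut: Number(bytesOut) };
  });
}

// Flags (client, host) pairs with at least minCount requests whose inter-arrival
// times all sit within maxJitterRatio of their mean. Hosts on the allowlist
// (exact or subdomain match) are skipped. Legitimate apps poll on timers too,
// so treat a hit as a triage signal, not as proof of exfiltration.
function findBeacons(records, { minCount = 4, maxJitterRatio = 0.1, methods = ['POST'], allowlist = [] } = {}) {
  const allowed = (host) => allowlist.some((s) => host === s || host.endsWith('.' + s));
  const groups = new Map();
  for (const r of records) {
    if (!methods.includes(r.method) || allowed(r.host)) continue;
    const key = `${r.src} ${r.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const findings = [];
  for (const [key, rs] of groups) {
    if (rs.length < minCount) continue;
    rs.sort((a, b) => a.t - b.t);
    const intervals = rs.slice(1).map((r, i) => r.t - rs[i].t);
    const mean = intervals.reduce((a, b) => a + b, 0) / intervals.length;
    const maxDev = Math.max(...intervals.map((x) => Math.abs(x - mean)));
    if (mean > 0 && maxDev / mean <= maxJitterRatio) {
      const [src, host] = key.split(' ');
      findings.push({
        src, host, count: rs.length,
        meanInterval: Math.round(mean * 100) / 100,
        maxDeviation: maxDev,
        avgBytesOut: Math.round(rs.reduce((a, r) => a + r.bytesOut, 0) / rs.length),
      });
    }
  }
  return findings;
}

console.log(findBeacons(parseProxyLog(SAMPLE_LOG), { allowlist: ['workday.com'] }));
```

On the constructed sample the script reports a single pair, 10.0.4.21 to api.collector-example.net, with five POSTs at a mean interval of 60 seconds and about 1.8 KB per request; the Workday traffic is skipped by the allowlist and would not reach the count threshold anyway. A hit still needs attribution: confirm that the process behind the connection is the browser and identify the extension from Chrome's own diagnostics before acting on it.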
Blocking Incident Response
Two extensions—Tool Access 11 and Data By Cloud 2—used DOM manipulation to block access to critical security and incident response pages within platforms like Workday:
Tool Access 11 interfered with access to 44 administrative pages, including authentication policies and session controls.
Data By Cloud 2 expanded this to 56 pages, adding password and 2FA device management, security audit logs, and more.
Blocking such pages could delay or prevent legitimate administrators from responding effectively to a breach. Because the blocking happens inside the administrator's own browser, a quick check is to open the same admin URL in a guest window or an incognito window, where extensions are disabled unless explicitly enabled: if the page loads there but not in the normal profile, suspect an extension.
Impact & Risk
Although the install count is small compared to broad malware campaigns, the impact of enterprise credential theft can be significant:
Unauthorized access to HR/ERP systems
Sensitive employee and financial data exposure
Potential for lateral movement and ransomware deployment
Interference with incident response workflows
Enterprise credentials are high-value targets; compromised sessions may lead to far more severe breaches across corporate environments.
Mitigation & Response
Socket reported the malicious extensions to Google, and they have been removed from the Chrome Web Store at the time of publishing.
If your organization may have installed any of these extensions, we recommend:
Immediately uninstalling the suspicious extensions from all affected browsers, including any other devices to which the user's Chrome profile syncs extensions.
Notifying security teams and initiating incident response procedures.
Terminating all active sessions on the impacted platforms, then rotating credentials and resetting passwords; a password reset by itself does not invalidate a session token that has already been copied out.
Conducting browser extension audits and enforcing stricter policies around approved extensions.
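One piece of an extension audit is checking each installed extension's manifest for the permission combination these extensions relied on. The following is an added example, not code from this page or from Socket: a Node.js script that scores a constructed Manifest V3 manifest against a list of sensitive HR/ERP hosts. The manifest, the host list and the extension it describes are all invented for the example.

```javascript
// Added example, not code from the page or from Socket: a manifest.json audit
// that flags the permission combination behind the behaviour described above
// (cookie read access to HR/ERP hosts, content scripts on those hosts, a timer
// permission to poll with). The manifest and host list are constructed; the
// extension they describe is hypothetical.

// Hosts your organisation treats as sensitive (assumed values).
const SENSITIVE_HOSTS = ['myorg.workday.com', 'system.netsuite.com', 'myorg.successfactors.eu'];

// Constructed MV3 manifest in the style of an "admin helper" extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'HR Admin Helper (constructed sample)',
  version: '1.2.0',
  permissions: ['cookies', 'alarms', 'storage'],
  host_permissions: ['*://*.workday.com/*', '*://*.netsuite.com/*', 'https://api.collector-example.net/*'],
  content_scripts: [{ matches: ['*://*.workday.com/*'], js: ['content.js'], run_at: 'document_start' }],
  background: { service_worker: 'sw.js' },
};

// Chrome match-pattern semantics, host part only: "*" is any host,
// "*.example.com" is example.com and its subdomains, otherwise an exact host.
function patternCoversHost(pattern, host) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  const hp = m[2];
  if (hp === '*') return true;
  if (hp.startsWith('*.')) return host === hp.slice(2) || host.endsWith(hp.slice(1));
  return host === hp;
}

function assessManifest(manifest, sensitiveHosts = SENSITIVE_HOSTS) {
  const perms = new Set(manifest.permissions || []);
  const hostPerms = manifest.host_permissions || [];
  const scripts = manifest.content_scripts || [];
  const findings = [];

  const reachable = sensitiveHosts.filter((h) => hostPerms.some((p) => patternCoversHost(p, h)));
  if (reachable.length) {
    findings.push({ severity: 'medium', issue: 'host access to sensitive platforms', hosts: reachable });
  }
  // With the cookies permission plus a matching host permission, chrome.cookies
  // returns that host's cookies, HttpOnly ones included.
  if (perms.has('cookies') && reachable.length) {
    findings.push({ severity: 'high', issue: 'can read session cookies of sensitive platforms', hosts: reachable });
  }
  const injected = sensitiveHosts.filter((h) => scripts.some((cs) => (cs.matches || []).some((p) => patternCoversHost(p, h))));
  if (injected.length) {
    findings.push({ severity: 'medium', issue: 'content scripts run inside sensitive platforms (page DOM can be altered or hidden)', hosts: injected });
  }
  if (perms.has('alarms') && perms.has('cookies')) {
    findings.push({ severity: 'low', issue: 'alarms + cookies: can poll the cookie store on a timer from the service worker' });
  }
  // Host permissions covering none of the sensitive hosts deserve a look, but their
  // absence proves little: a C2 that answers with permissive CORS headers can be
  // reached from the service worker without any host permission at all.
  const unrelated = hostPerms.filter((p) => p !== '<all_urls>' && !sensitiveHosts.some((h) => patternCoversHost(p, h)));
  if (unrelated.length) {
    findings.push({ severity: 'low', issue: 'host permission for origins unrelated to the stated purpose', hosts: unrelated });
  }
  return findings;
}

function riskLevel(findings) {
  const order = ['none', 'low', 'medium', 'high'];
  return findings.reduce((worst, f) => (order.indexOf(f.severity) > order.indexOf(worst) ? f.severity : worst), 'none');
}

console.log(riskLevel(assessManifest(SAMPLE_MANIFEST)), assessManifest(SAMPLE_MANIFEST));
```

On the sample manifest the script rates the extension high and lists five findings: host access to two of the three sensitive hosts, cookie access to the same two, a content script on the Workday host, the alarms-plus-cookies polling combination, and one host permission for an unrelated origin. The report notes that these extensions' permissions looked consistent with enterprise integrations, so the value of this check is not in any single permission but in reading the combination against what the listing claims the extension is for; a bulk-administration dashboard has no business reading session cookies.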
Staying Secure
Attackers increasingly leverage seemingly legitimate applications to gain a foothold within enterprise environments. Browser extension supply chain threats highlight the need for vigilant software vetting, user education, and robust endpoint security practices.
By understanding these tactics and implementing proactive controls, organizations can significantly reduce the risk posed by malicious browser add-ons.
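One proactive control that covers the recommendation above is Chrome's ExtensionSettings enterprise policy. The following is an added example, not guidance from this page: it blocks installation of anything not explicitly allowed, denies the cookies permission to every extension by default, and keeps extensions from running content scripts on the HR/ERP hosts. The extension ID and hostnames are placeholders for your own allowlist and tenants.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_permissions": ["cookies"],
      "runtime_blocked_hosts": ["*://*.workday.com", "*://*.netsuite.com", "*://*.successfactors.com"],
      "blocked_install_message": "Extensions must be approved by IT Security. Open a request in the service portal."
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "installation_mode": "allowed",
      "runtime_allowed_hosts": ["*://*.workday.com"]
    }
  }
}
```

On Linux this file goes in /etc/opt/chrome/policies/managed/; on Windows the same JSON is set as the string value of ExtensionSettings under the Chrome policy registry key, and Chrome Browser Cloud Management and macOS configuration profiles take the equivalent. The "*" entry applies to every extension not listed by ID, so an allowlisted extension that legitimately needs to work inside a sensitive tenant must be given that host back explicitly with runtime_allowed_hosts, as the placeholder entry shows. Chrome enforces the policy on extensions that are already installed, so populate the allowlist before rolling it out.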
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.