A coordinated campaign of malicious browser add-ons has bypassed Chrome Web Store’s defenses, weaponizing extensions advertised as productivity tools to steal corporate session tokens and attempt full account takeover.
“The extensions work in concert to steal authentication tokens, block incident response capabilities, enable complete account takeover through session hijacking,” researchers wrote in a blog post, revealing a campaign targeted at widely used HR and ERP platforms.
The threat, uncovered by the Socket.dev threat research team, is a multi-vector enterprise intrusion that combines stealthy credential theft with active interference in security controls. Actors behind this cluster published five Chrome extensions that, despite professional branding and seemingly legitimate use cases, execute malicious behavior deep inside enterprise workflows.
Install counts suggest over 2300 users were tricked into deploying these tools before researchers alerted Google’s security teams and filed takedown requests. The extensions target systems like Workday, NetSuite, and SuccessFactors, where a single hijacked session can expose employee records, financial data, and internal workflows.
Disguised productivity tools with malicious code
Each extension in the cluster posed as a productivity enhancer or security helper for enterprise users. Listings featured polished dashboards and promises of streamlined access to HR or ERP tools. Permissions requested were “standard,” seemingly benign functions such as cookie access or page modification.
Once installed, however, three of the extensions (DataByCloud Access, Data By Cloud 1, and a variant simply called Software Access) exfiltrated session cookies containing authentication tokens to attacker-controlled infrastructure. In many enterprise systems these tokens are enough to authenticate a user without a password. In some cases the cookies were extracted every 60 seconds to keep the stolen credentials current.
A hijacked session can be as useful to an attacker as a stolen password: it has already passed through the login screen and any multi-factor checks, so it grants direct access to the account without triggering the alerts a fresh login would.
“All five extensions remain under investigation at the time of writing,” the researchers said. “We have submitted takedown requests to Google’s Chrome Web Store security team.” Google did not immediately respond to CSO’s request for comments.
Blocking defenses and hijacking sessions
The campaign went beyond stealing credentials. Two of the extensions, Tool Access 11 and Data By Cloud 2, incorporated DOM manipulation routines that actively blocked access to security and administrative pages within the targeted platforms. This prevented the enterprise admins from reaching screens to change passwords, view sign-on history, or disable compromised accounts, even if they detected suspicious behavior.
The most advanced of the five, Software Access, offered (on top of cookie theft) bidirectional cookie injection, in which stolen session tokens are reintroduced into a browser the attacker controls. Using APIs such as chrome.cookies.set(), this feature implants valid authentication cookies directly and hands the threat actors an authenticated session without any further action from the unsuspecting user.
This technique effectively bypasses login screens and multi-factor authentication, allowing immediate account takeover.
“While four extensions are published under databycloud1104 and the fifth under different branding, all five share identical infrastructure patterns indicating a single coordinated operation,” the researchers added. Socket advised organizations to strictly audit and limit browser extensions, closely scrutinize permissions requests, and remove add-ons that unnecessarily access cookies or enterprise sites. The blog also recommended monitoring for abnormal session activity and using tools that can detect malicious extension behavior before it reaches users.
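One way to act on the auditing advice above, as an added example that is not code from Socket or the report: a small Python check that flags an extension manifest combining the cookies API with access to the HR/ERP domains named in this article. The domain watchlist and the sample manifests are constructed for illustration, not taken from the real extensions.

```python
import json
from typing import Dict, List

# Constructed watchlist: the HR/ERP platforms the report says the campaign targeted.
SENSITIVE_BASES = ["workday.com", "myworkday.com", "netsuite.com", "successfactors.com"]


def host_of(match_pattern: str) -> str:
    """Extract the host part of an extension match pattern ("https://*.x.com/*" -> "*.x.com")."""
    if match_pattern == "<all_urls>":
        return "*"
    return match_pattern.split("://", 1)[-1].split("/", 1)[0]


def is_sensitive_host(match_pattern: str) -> bool:
    """True if the pattern reaches a watched enterprise domain (or every site)."""
    host = host_of(match_pattern)
    if host == "*":
        return True
    core = host[2:] if host.startswith("*.") else host
    return any(core == b or core.endswith("." + b) for b in SENSITIVE_BASES)


def audit_manifest(manifest: Dict) -> List[str]:
    """Return findings for one extension manifest (MV2 or MV3); empty if nothing stands out."""
    perms = list(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moved them to "host_permissions".
    hosts = [p for p in perms if "://" in p or p == "<all_urls>"]
    hosts += manifest.get("host_permissions", [])
    api_perms = set(perms) - set(hosts)
    sensitive = [h for h in hosts if is_sensitive_host(h)]
    findings = []
    if "cookies" in api_perms and sensitive:
        findings.append("cookies API plus access to enterprise hosts: " + ", ".join(sensitive))
    elif "cookies" in api_perms:
        findings.append("cookies API requested")
    elif sensitive:
        findings.append("access to enterprise hosts: " + ", ".join(sensitive))
    if manifest.get("content_scripts") and sensitive:
        findings.append("content script can modify pages on enterprise hosts")
    return findings


# Constructed sample manifests (not the real extensions' manifests) for a quick run.
SUSPICIOUS = {
    "manifest_version": 3, "name": "HR Quick Access",
    "permissions": ["cookies", "storage", "alarms"],
    "host_permissions": ["https://*.myworkday.com/*", "https://*.netsuite.com/*"],
    "content_scripts": [{"matches": ["https://*.myworkday.com/*"], "js": ["inject.js"]}],
}
BENIGN = {"manifest_version": 3, "name": "Tab Notes",
          "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        print(m["name"], json.dumps(audit_manifest(m)))
```

To use it on a real fleet, load each installed extension's manifest.json from the browser profile's Extensions directory and review anything that returns a non-empty list.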