{"id":6610,"date":"2026-01-19T11:38:07","date_gmt":"2026-01-19T11:38:07","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6610"},"modified":"2026-01-19T11:38:07","modified_gmt":"2026-01-19T11:38:07","slug":"five-chrome-extensions-caught-hijacking-enterprise-sessions","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6610","title":{"rendered":"Five Chrome extensions caught hijacking enterprise sessions"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A coordinated campaign of malicious browser add-ons has bypassed Chrome Web Store\u2019s defenses, weaponizing extensions advertised as productivity tools to steal corporate session tokens and attempt full account takeover.<\/p>\n<p>\u201cThe extensions work in concert to steal authentication tokens, block incident response capabilities, enable complete account takeover through session hijacking,\u201d researchers wrote in a blog post, revealing a campaign targeted at widely used HR and ERP platforms.<\/p>\n<p>The threat, uncovered by the Socket.dev threat research team, is a multi-vector enterprise intrusion that combines stealthy credential theft with active interference in security controls. Actors behind this cluster published five Chrome <a href=\"https:\/\/www.csoonline.com\/article\/4099446\/newly-discovered-malicious-extensions-could-be-lurking-in-enterprise-browsers.html\" target=\"_blank\" rel=\"noopener\">extensions<\/a> that, despite professional branding and seemingly legitimate use cases, execute malicious behavior deep inside enterprise workflows.<\/p>\n<p>Install counts suggest over 2300 users were tricked into deploying these tools before researchers alerted Google\u2019s security teams and filed takedown requests. 
The extensions target systems like Workday, NetSuite, and SuccessFactors, where a single hijacked session can expose employee records, financial data, and internal workflows.<\/p>\n<h2 class=\"wp-block-heading\">Disguised productivity tools with malicious code<\/h2>\n<p>Each extension in the cluster posed as a productivity enhancer or security helper for enterprise users. Listings featured polished dashboards and promises of streamlined access to HR or ERP tools. The permissions requested looked \u201cstandard,\u201d covering seemingly benign functions such as cookie access or page modification.<\/p>\n<p>Once installed, however, three of the extensions, including DataByCloud Access, Data By Cloud 1, and a variant simply called Software Access, exfiltrated session cookies containing authentication tokens to attacker-controlled infrastructure. These tokens are, in many enterprise systems, enough to authenticate a user without a password. In some cases, those cookies were extracted every 60 seconds to ensure up-to-date credentials.<\/p>\n<p>A stolen session is as useful to an attacker as a stolen password, because the session has already passed through the login screen and multi-factor checks, allowing direct access to an account without triggering typical security alerts.<\/p>\n<p>\u201cAll five extensions remain under investigation at the time of writing,\u201d the researchers <a href=\"https:\/\/socket.dev\/blog\/5-malicious-chrome-extensions-enable-session-hijacking\" target=\"_blank\" rel=\"noopener\">said<\/a>. \u201cWe have submitted takedown requests to Google\u2019s Chrome Web Store security team.\u201d Google did not immediately respond to CSO\u2019s request for comment.<\/p>\n<h2 class=\"wp-block-heading\">Blocking defenses and hijacking sessions<\/h2>\n<p>The campaign went beyond stealing credentials. 
Two of the extensions, Tool Access 11 and Data By Cloud 2, incorporated <a href=\"https:\/\/www.csoonline.com\/article\/652273\/severe-azure-hdinsight-flaws-highlight-dangers-of-cross-site-scripting.html\">DOM<\/a> manipulation routines that actively blocked access to security and administrative pages within the targeted platforms. This prevented enterprise admins from reaching the screens used to change passwords, view sign-on history, or disable compromised accounts, even if they had detected suspicious behavior.<\/p>\n<p>The most advanced of the five, Software Access, offered (on top of cookie theft) bidirectional cookie injection, where stolen session tokens were reintroduced into a browser controlled by the attacker. Using APIs like \u201cchrome.cookies.set(),\u201d this feature implants valid authentication cookies directly and grants threat actors an authenticated session without any further action from unsuspecting users.<\/p>\n<p>This technique effectively bypasses login screens and multi-factor authentication, allowing immediate account takeover.<\/p>\n<p>\u201cWhile four extensions are published under databycloud1104 and the fifth under different branding, all five share identical infrastructure patterns indicating a single coordinated operation,\u201d the researchers added. Socket advised organizations to strictly audit and limit browser extensions, closely scrutinize permission requests, and remove add-ons that unnecessarily access cookies or enterprise sites. The blog also recommended monitoring for abnormal session activity and using tools that can detect malicious extension behavior before it reaches users.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A coordinated campaign of malicious browser add-ons has bypassed Chrome Web Store\u2019s defenses, weaponizing extensions advertised as productivity tools to steal corporate session tokens and attempt full account takeover. 
\u201cThe extensions work in concert to steal authentication tokens, block incident response capabilities, enable complete account takeover through session hijacking,\u201d researchers wrote in a blog post, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6610","post","type-post","status-publish","format-standard","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6610"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6610"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6610\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6610"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}