Malicious Chrome Extensions Attack Enterprise HR & ERP

A sophisticated new threat to enterprise security has surfaced: five coordinated malicious Chrome extensions. These extensions specifically target widely-used human resources and financial platforms, affecting thousands of organizations worldwide.

These extensions operate in concert to steal authentication tokens, disable security controls, and enable complete account takeover through session hijacking.

The campaign affects Workday, NetSuite, and SuccessFactors—critical systems where human resources departments and financial teams manage sensitive employee and company data.

The threat actors publish four extensions under the name databycloud1104, while a fifth extension operates under different branding called softwareaccess but shares identical infrastructure patterns and attack mechanisms.

Combined, these extensions have reached over 2,300 users across enterprise environments.

The coordinated deployment demonstrates careful planning, with each extension serving a specific role in a comprehensive attack strategy designed to overwhelm standard security defenses.

Socket.dev analysts identified these extensions through code analysis that revealed hidden malicious functionality despite misleading marketing claims.

The research team discovered that these extensions market themselves as legitimate productivity tools that streamline access across multiple accounts, when in reality they steal credentials and block security teams from responding to attacks.

The most dangerous capability involves bidirectional cookie injection implemented by the Software Access extension.

This technique enables threat actors to inject stolen authentication cookies directly into their own browsers, granting immediate access to victim accounts without requiring passwords or bypassing multi-factor authentication protections.

Other extensions continuously extract session tokens every 60 seconds, ensuring attackers maintain current credentials even when users log out and back in during normal business operations.

Infection Mechanism and Persistence Through Administrative Blocking

These extensions employ a sophisticated infection mechanism that combines credential theft with targeted administrative interface blocking to prevent incident response.

The attack works through DOM manipulation, where extensions constantly monitor page content and immediately erase security administration pages when users attempt to access them.

Tools Access 11 blocks 44 administrative pages within Workday, while Data By Cloud 2 expands this to 56 pages, including critical functions like password changes, account deactivation, multi-factor authentication device management, and security audit logs.

The blocking mechanism operates through continuous monitoring using MutationObserver functions that check the page every 50 milliseconds.

When administrators attempt password resets or disable compromised accounts, the extensions replace the entire page content with blank space and redirect users to malformed URLs.

This creates a containment failure scenario where security teams can detect unauthorized access but cannot implement standard remediation procedures, forcing organizations to either allow persistent unauthorized access or migrate affected users to entirely new accounts.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.