Malware | January 17, 2026 | 4 min read

Chrome Extensions Target Workday and NetSuite for Session Theft

Five malicious extensions masquerading as HR tools steal authentication tokens, block security panels, and enable account takeover through cookie injection.

James Rivera

Socket security researchers discovered five malicious Chrome extensions designed to target enterprise HR and ERP platforms including Workday, NetSuite, and SuccessFactors. The extensions work together to steal authentication tokens, block access to security administration panels, and enable complete account takeover through session hijacking.

Four of the five extensions have been removed from the Chrome Web Store, but they remain available on third-party software download sites like Softonic.

The Malicious Extensions

The campaign used coordinated extensions published under related accounts:

Extension Name        Extension ID                        Users
DataByCloud Access    oldhjammhkghhahhhdcifmmlefibciph    251
Tool Access 11        ijapakghdgckgblfgjobhcfglebbkebf    101
DataByCloud 1         mbjjeombjeklkbndcjgmfcdhfbjngcam    1,000
DataByCloud 2         makdmacamkifdldldlelollkkjnoiedg    1,000
Software Access       bmodapcihjhklpogdpblefpepjolaoij    27

Four extensions were published under the name "databycloud1104," while Software Access operated under "softwareaccess" but shared identical infrastructure patterns. Combined, these extensions reached over 2,300 users—likely enterprise employees managing HR or financial systems.

How the Attack Works

The extensions deploy three coordinated attack mechanisms:

Cookie Exfiltration: The extensions request the cookies, management, scripting, storage, and declarativeNetRequest permissions together with host access to Workday, NetSuite, and SuccessFactors domains. That combination lets an extension read every cookie for those hosts through the extension cookies API, including HttpOnly session cookies that page scripts cannot touch. Once installed, they exfiltrate those authentication cookies to attacker-controlled servers every 60 seconds.

Administrative Panel Blocking: Tool Access 11 prevents access to 44 administrative pages within Workday by erasing page content and redirecting to malformed URLs. DataByCloud 2 expands this blocking to 56 pages, adding password changes, account deactivation, 2FA device management, and security audit log access to the blocklist.

Session Hijacking: The most sophisticated variant also works in the other direction. Running in the attacker's browser, it receives the stolen cookies and writes them into that browser's cookie store, so the attacker lands directly in the victim's authenticated session. The victim stays logged in and sees nothing unusual while the attacker uses the account in parallel.

Infrastructure and Detection Evasion

The extensions communicate with command-and-control servers at api.databycloud[.]com and api.software-access[.]com. They also check for the presence of 23 security-focused Chrome extensions, including EditThisCookie, Cookie-Editor, ModHeader, and Redux DevTools, likely to spot users who might investigate suspicious behavior. That enumeration of other installed extensions is exactly what the management permission they request makes possible.
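A beacon hunt over proxy logs, as an added example rather than Socket's detection content: it flags any client that talks to the two C2 domains and, independently of the IOCs, any client-to-host pair that calls home on the steady 60-second cadence described under Cookie Exfiltration. The log excerpt is constructed for illustration, and the field order (time, client, method, host, status) is an assumption about the proxy's export format; adapt parseProxyLog to whatever your proxy writes.

```javascript
// Beacon hunt over proxy logs for the 60-second exfiltration cadence and the C2 domains
// named in the article. Added example, not Socket's detection content. The log excerpt is
// constructed for illustration; the field order (time, client, method, host, status) is an
// assumption about the proxy's export format, so adapt parseProxyLog to match yours.
const IOC_DOMAINS = ["databycloud.com", "software-access.com"];

// Constructed sample: one infected client beaconing every ~60 s, one idle client, and one
// client with legitimate-looking but equally periodic telemetry (surfaces for triage).
const SAMPLE_PROXY_LOG = `
2026-01-15T09:00:00Z 10.20.1.15 POST api.databycloud.com 200
2026-01-15T09:00:03Z 10.20.1.15 GET wd5.myworkday.com 200
2026-01-15T09:01:00Z 10.20.1.15 POST api.databycloud.com 200
2026-01-15T09:01:30Z 10.20.1.15 GET www.example.com 200
2026-01-15T09:02:01Z 10.20.1.15 POST api.databycloud.com 200
2026-01-15T09:02:59Z 10.20.1.15 POST api.databycloud.com 200
2026-01-15T09:04:00Z 10.20.1.15 POST api.databycloud.com 200
2026-01-15T09:00:10Z 10.20.1.22 GET www.example.com 200
2026-01-15T09:07:44Z 10.20.1.22 GET www.example.com 200
2026-01-15T09:00:05Z 10.20.1.31 POST telemetry.example.org 204
2026-01-15T09:01:05Z 10.20.1.31 POST telemetry.example.org 204
2026-01-15T09:02:05Z 10.20.1.31 POST telemetry.example.org 204
2026-01-15T09:03:05Z 10.20.1.31 POST telemetry.example.org 204
`.trim();

function parseProxyLog(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((line) => {
    const [ts, src, method, host, status] = line.split(/\s+/);
    return { t: Date.parse(ts) / 1000, src, method, host, status: Number(status) };
  });
}

// Matches the IOC domain itself and any subdomain, but not look-alikes such as
// "databycloud.com.attacker.test".
function isIocHost(host) {
  return IOC_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Seconds between consecutive requests, independent of log ordering.
function intervals(times) {
  const s = [...times].sort((a, b) => a - b);
  return s.slice(1).map((t, i) => t - s[i]);
}

// Periodic if there are at least minHits requests and every gap sits within `tolerance`
// seconds of `period`. 60 s is the exfiltration interval reported in the article.
function looksPeriodic(gaps, period = 60, tolerance = 5, minHits = 4) {
  return gaps.length >= minHits - 1 && gaps.every((g) => Math.abs(g - period) <= tolerance);
}

// Group requests by (client, host); report pairs that hit an IOC domain or beacon on a
// steady period. IOC hits sort first so confirmed findings lead the list.
function findBeacons(entries, opts = {}) {
  const byPair = new Map();
  for (const e of entries) {
    const key = `${e.src} ${e.host}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(e.t);
  }
  const results = [];
  for (const [key, times] of byPair) {
    const [src, host] = key.split(" ");
    const gaps = intervals(times);
    const ioc = isIocHost(host);
    const periodic = looksPeriodic(gaps, opts.period, opts.tolerance, opts.minHits);
    if (ioc || periodic) {
      const meanGap = gaps.length ? gaps.reduce((a, b) => a + b, 0) / gaps.length : null;
      results.push({ src, host, hits: times.length, ioc, periodic, meanGap });
    }
  }
  return results.sort((a, b) => Number(b.ioc) - Number(a.ioc));
}

function huntSampleLog() {
  return findBeacons(parseProxyLog(SAMPLE_PROXY_LOG));
}
```

Run against the constructed sample, huntSampleLog() returns two pairs: the IOC hit from 10.20.1.15 to api.databycloud.com (five requests, mean gap 60 s) and the 60-second telemetry from 10.20.1.31, which is not an IOC but shows what the cadence heuristic surfaces on its own. Expect legitimate software-update and telemetry traffic in that second category, so use the periodic matches to prioritize analyst review rather than to alert directly.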

The extensions use the DisableDevtool library to prevent inspection through Chrome's developer tools, making analysis more difficult for security researchers or suspicious users.

Why Target Enterprise HR Platforms?

Workday, NetSuite, and SuccessFactors handle sensitive employee and financial data. Compromised accounts could give attackers access to:

  • Employee personal information including SSNs and banking details
  • Payroll systems for fraudulent payments or modifications
  • Organizational data including reporting structures and salaries
  • Financial records and procurement systems

Session hijacking also bypasses many authentication controls. Attackers who steal valid session cookies don't need to crack passwords or bypass MFA—they inherit an already-authenticated session.

This attack differs from the ChatGPT-stealing extensions we covered recently. Those targeted consumer AI tools for personal data theft. These extensions specifically target enterprise users with access to organizational systems.

What Organizations Should Do

Security teams should immediately:

  1. Check managed browsers for extensions matching the IDs listed above
  2. Review authentication logs for Workday, NetSuite, and SuccessFactors for unusual access patterns
  3. Search proxy and DNS logs for connections to databycloud[.]com and software-access[.]com and their subdomains

Users who installed any of these extensions should:

  1. Remove the extension, then complete the remaining steps from a clean system rather than the potentially compromised browser; DataByCloud 2 in particular blocks the password-change and 2FA-management pages, so resets attempted through it may silently fail
  2. Reset passwords for all enterprise accounts and, where the platform offers it, sign out or revoke all active sessions, since a stolen session cookie stays valid until the server invalidates it
  3. Review their account activity for unauthorized changes or access
  4. Report the incident to their IT security team

Organizations with browser extension policies should use them to block every extension except explicitly approved ones from running on Workday, NetSuite, and SuccessFactors hosts, so that a newly installed extension cannot touch those sessions even before anyone has flagged it.
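A concrete way to apply that in Chrome Enterprise, as an added example and not a policy published by Socket or any of the vendors: the ExtensionSettings policy blocks the five IDs outright, uses runtime_blocked_hosts on the default "*" entry to keep every other extension off the HR/ERP hosts, and re-opens one host only for an approved extension through runtime_allowed_hosts. The host patterns are an assumption to adjust to your tenants (Workday tenants, for instance, live under myworkday.com), and REPLACE_WITH_APPROVED_EXTENSION_ID stands in for a real 32-character extension ID.

```json
{
  "*": {
    "installation_mode": "allowed",
    "runtime_blocked_hosts": [
      "*://*.workday.com",
      "*://*.myworkday.com",
      "*://*.netsuite.com",
      "*://*.successfactors.com"
    ]
  },
  "oldhjammhkghhahhhdcifmmlefibciph": { "installation_mode": "blocked" },
  "ijapakghdgckgblfgjobhcfglebbkebf": { "installation_mode": "blocked" },
  "mbjjeombjeklkbndcjgmfcdhfbjngcam": { "installation_mode": "blocked" },
  "makdmacamkifdldldlelollkkjnoiedg": { "installation_mode": "blocked" },
  "bmodapcihjhklpogdpblefpepjolaoij": { "installation_mode": "blocked" },
  "REPLACE_WITH_APPROVED_EXTENSION_ID": {
    "installation_mode": "allowed",
    "runtime_allowed_hosts": ["*://*.myworkday.com"]
  }
}
```

On Windows this JSON goes into the Google Chrome > Extensions > ExtensionSettings policy as a string; on macOS and Linux it is the value of the ExtensionSettings key in the managed policy file. Setting the "*" entry's installation_mode to "blocked" instead of "allowed" turns the same file into a strict allowlist where only the named extensions can be installed at all. The runtime host block is what protects against the next copy of this campaign: an extension you have never heard of still cannot read or rewrite traffic for those hosts, whatever permissions its manifest asks for.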

Why This Matters

Browser extensions remain a persistent blind spot in enterprise security. Users install extensions for productivity without realizing the access they grant. Extensions that request cookie and site permissions can observe—and steal—authentication for any site in their declared scope.

The blocking of administrative and security panels represents an interesting evolution. Rather than just stealing data, these extensions actively prevented victims from investigating or responding to compromise. That level of sophistication suggests operators who understand enterprise security workflows and want to maximize their access window.

Our browser extension security guide covers safe practices for vetting and managing extensions.
