Enterprise HR and ERP platforms are the kind of systems you really do not want attackers touching. They sit right in the middle of identity, payroll, employee data, and sometimes even approvals for financial workflows. That is why this latest discovery is worrying: a set of malicious Chrome extensions managed to slip into the Chrome Web Store while pretending to be productivity or security add-ons for well-known enterprise platforms.
According to research from cybersecurity firm Socket, several extensions were caught targeting Workday, NetSuite, and SAP SuccessFactors, with a combined install count of more than 2,300.
What Was Found and Why It Matters
The extensions were presented as tools that would make life easier for enterprise users, things like quicker dashboards, bulk management utilities, or tighter "security controls" for sensitive admin areas. But behind that friendly pitch, Socket says the extensions were designed to do one of three things (and in some cases, multiple at once):
Even though 2,300 installs is not a massive number compared to consumer malware campaigns, the stakes are higher here. If the stolen access belongs to HR or IT administrators, one compromised account can open the door to broader credential theft, internal reconnaissance, and potentially ransomware or large-scale data theft.
The Trick: Looking Like Legit Enterprise Helpers
Socket says these extensions were marketed using language that would not feel out of place in an enterprise environment. The listings claimed to offer:
Two examples Socket highlighted were:
Reportedly the most popular of the group, installed about 1,000 times, and pitched as a dashboard with bulk management tools and faster access for people juggling multiple enterprise accounts.
Positioned as security-focused, claiming it would limit interactions with special administrative tools to reduce the risk of account compromise.
On the surface, those descriptions sound believable, especially in organizations where people are constantly looking for workflow shortcuts.
The Coordination Clue: Different Names, Same Operation
One of the more interesting parts of Socket's findings is that these extensions did not look like a single publisher spamming multiple copies. They appeared under different names and branding, but Socket says the underlying fingerprints matched:
Four of the extensions were reportedly published under a developer name listed as databycloud1104, while another used different branding under the name Software Access. The separation makes it feel less suspicious at a glance, but the technical similarities tell a different story.
What the Extensions Were Actually Doing
Socket's analysis describes a mix of credential-related behaviors, all designed to keep attackers in control once a victim installed the extension.
1. Stealing active login sessions by grabbing cookies
Several extensions repeatedly extracted authentication cookies named "__session" from targeted domains tied to Workday, NetSuite, and SuccessFactors. Those cookies can represent an active logged-in session, meaning an attacker may not need the password at all if they can replay the session token.
The particularly nasty part is the reported frequency: the data was allegedly exfiltrated every 60 seconds to remote command-and-control infrastructure. That kind of steady harvesting can help attackers maintain access even as users sign out, sign back in, or refresh sessions.
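Steady exfiltration at a fixed interval is the kind of pattern a defender can hunt for in proxy or egress logs. As an added example (not from Socket's research or the original article), the script below looks for a client that contacts the same destination at a ~60-second cadence; the log format, client addresses and hostnames are constructed.

```python
"""Flag destinations that one client contacts at a steady ~60 s cadence.
Periodic exfiltration like the cookie harvest described above is hard to see
per request but obvious in the inter-request gaps per (client, host) pair."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log, not real traffic: "<ISO time> <client> <method> <url>".
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.0.0.5 GET https://hr.example.invalid/home
2024-05-01T09:00:07Z 10.0.0.5 POST https://collector.example.invalid/up
2024-05-01T09:01:07Z 10.0.0.5 POST https://collector.example.invalid/up
2024-05-01T09:02:08Z 10.0.0.5 POST https://collector.example.invalid/up
2024-05-01T09:02:30Z 10.0.0.5 GET https://hr.example.invalid/reports
2024-05-01T09:03:07Z 10.0.0.5 POST https://collector.example.invalid/up
2024-05-01T09:04:07Z 10.0.0.5 POST https://collector.example.invalid/up
2024-05-01T09:00:05Z 10.0.0.9 GET https://intranet.example.invalid/news
2024-05-01T09:09:40Z 10.0.0.9 GET https://intranet.example.invalid/news
"""

def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        ts, client, _method, url = line.split()
        host = url.split("/")[2]
        by_pair[(client, host)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return by_pair

def find_beacons(text, period=60.0, tolerance=5.0, min_requests=4):
    """Return [(client, host, median_gap_s)] for pairs whose gaps sit within
    `tolerance` seconds of `period` and show jitter (pstdev) no larger than that.
    `min_requests` keeps a handful of coincidental hits from being flagged."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if abs(mid - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append((client, host, mid))
    return hits

if __name__ == "__main__":
    for client, host, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: ~{gap:.0f}s cadence, review what is sending it")
```

The legitimate HR and intranet traffic in the sample is ignored because it is infrequent and irregular; only the collector host, hit every minute with about a second of jitter, is reported.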
2. Blocking security and incident response pages inside Workday
Two extensions, Tool Access 11 and Data By Cloud 2, were reported to interfere with Workday's security administration areas.
Instead of quietly stealing tokens and staying invisible, they also tried to slow down the response. Socket says they used page title detection to identify when an admin opened certain security pages, then either removed the page content or redirected the user away from those management screens.
Socket reported that Tool Access 11 targeted 44 administrative pages, including areas tied to authentication policies, security proxy configuration, IP range management, and session controls.
Data By Cloud 2 reportedly expanded the list to 56 pages, adding areas like password management, account deactivation, 2FA device controls, and security audit logs.
If that behavior is accurate, it is not just theft. It is interference, designed to make it harder for defenders to lock things down while an attack is underway.
3. Session hijacking via cookie injection
Socket also described "bidirectional cookie injection," which is a fancy way of saying the extension can push cookies into the browser as well, potentially letting an attacker force a hijacked session into place.
When you combine cookie theft with cookie injection, the attacker is not just stealing access. They are also building a reliable way to re-establish it.
The Transparency Red Flag: The Listings Did Not Admit Any of This
Socket noted that the extensions did not disclose cookie extraction, credential exfiltration, or admin page blocking in their listings. Even the privacy policies reportedly did not mention collecting user data, which is a major warning sign on anything that asks for broad permissions.
In other words, the marketing promised productivity and security, while the functionality focused on covert access.
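Because the listings and privacy policies said nothing about these capabilities, the manifest is the one place the capability mix is still visible. The following is an added example, not Socket's tooling or anything from the extensions themselves: it triages an unpacked extension's manifest for cookie access combined with reach into the three platforms named above plus the permissions that allow page tampering. The manifest, its name and its host patterns are constructed.

```python
"""Triage a Chrome extension manifest for the capability mix described in the
Socket write-up: cookie access on enterprise SaaS hosts plus the ability to
alter what the user sees. Added example; the sample manifest is constructed."""
import re

# Hosts of the three platforms named in the write-up; extend for your own estate.
WATCHED_HOSTS = ("myworkday.com", "netsuite.com", "successfactors.com")
# "cookies" grants the chrome.cookies API: read and write session cookies.
SESSION_PERMS = {"cookies"}
# "tabs" exposes tab titles (the trigger the write-up describes); "scripting"
# and the request APIs let an extension blank, rewrite or redirect a page.
TAMPER_PERMS = {"scripting", "webRequest", "declarativeNetRequest", "tabs"}

# Constructed sample, not a real listing. In practice: json.load(open("manifest.json")).
CONSTRUCTED_MANIFEST = {
    "manifest_version": 3,
    "name": "Enterprise Access Helper (constructed sample)",
    "permissions": ["cookies", "tabs", "scripting", "storage"],
    "host_permissions": ["https://*.myworkday.com/*", "https://*.netsuite.com/*"],
    "content_scripts": [{"matches": ["https://*.myworkday.com/*"], "js": ["inject.js"]}],
}

def _host_of(pattern):
    """Host of a match pattern such as https://*.example.com/*, or None."""
    m = re.match(r"^[a-z*]+://([^/]+)/", pattern)
    return m.group(1).lstrip("*.") if m else None

def watched_hosts(manifest):
    """Watched SaaS domains reachable via host_permissions or content_scripts."""
    patterns = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    if any(p == "<all_urls>" or _host_of(p) == "" for p in patterns):
        return set(WATCHED_HOSTS)  # wildcard host: every watched domain is in scope
    found = set()
    for p in patterns:
        host = _host_of(p)
        found.update(w for w in WATCHED_HOSTS if host and host.endswith(w))
    return found

def triage(manifest):
    """Return human-readable findings; an empty list means nothing notable."""
    perms = set(manifest.get("permissions", []))
    hosts = watched_hosts(manifest)
    findings = []
    if perms & SESSION_PERMS and hosts:
        findings.append(f"can read/write cookies on {sorted(hosts)}: session theft capable")
    if perms & TAMPER_PERMS and hosts:
        findings.append(f"can alter pages on {sorted(hosts)} via {sorted(perms & TAMPER_PERMS)}")
    return findings
```

Run `triage()` over the manifests of every extension found in managed browser inventory; a productivity add-on that needs both findings is worth a conversation with whoever installed it.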
What Enterprise Teams Should Take Away
This kind of campaign lives in the gap between "normal browser customization" and "real enterprise security." People do install extensions at work, and many organizations do not have strong visibility into which extensions are in use until something goes wrong.
Practical takeaways: