Malicious Chrome Extensions Steal Workday, NetSuite Logins
- Five malicious Chrome extensions on the Chrome Web Store targeted enterprise HR and ERP platforms.
- Attack methods included exfiltration of the "__session" authentication cookie, hiding security and admin pages from the victim, and bidirectional cookie injection for session hijacking.
- The campaign hit Workday, NetSuite and SAP SuccessFactors; the extensions had >2,300 installs and were reported to Google and removed.
- Users should remove suspicious extensions, notify security teams, and rotate credentials on affected platforms.
What researchers found
Socket, a cybersecurity firm, discovered five Chrome extensions posing as productivity and security tools for enterprise HR and ERP systems. The add-ons targeted Workday, NetSuite, and SAP SuccessFactors and were collectively installed more than 2,300 times.
Coordinated operation under different brands
The extensions appeared under multiple publisher names but shared identical infrastructure, API patterns and code structures, suggesting a single coordinated campaign. Four extensions were published under the developer name databycloud1104; the fifth was published under the Software Access brand.
How the extensions worked
Cookie exfiltration
Multiple extensions continuously harvested the authentication cookie named "__session" for the targeted domains. Socket found the tokens were sent to attacker-controlled servers every 60 seconds. Because the polling never stops, logging out and back in does not help: the new session token is captured within a minute of being issued, so the attacker always holds a current, valid session.
Blocking admin and incident-response pages
Two extensions, Tool Access 11 and Data By Cloud 2, used DOM manipulation and page-title detection to blank or redirect content on security and management pages. Tool Access 11 targeted 44 administrative pages, while Data By Cloud 2 targeted 56, including password management and 2FA device controls. The effect is that a victim who notices something wrong cannot reach the pages needed to rotate a password, review sessions or check enrolled MFA devices from inside the application.
Bidirectional cookie injection
The Software Access extension implemented cookie manipulation in both directions. Beyond stealing session tokens, it could receive cookies from the attacker's command-and-control server and write them into the browser it ran in. Because a valid session cookie is all the application checks once a user is logged in, replaying a stolen token gives the attacker the account without entering a password or a multi-factor code; the MFA step was completed by the victim when the session was created.
Impact and risk
Although the install base was small (about 2,300 in total, roughly 1,000 of them for Data By Cloud 2), enterprise HR and ERP credentials are high-value. A stolen session token gives immediate access to payroll, personal data and financial records, and that foothold can be used for ransomware, data theft or prolonged espionage.
Recommendations for admins and users
Immediate steps
Socket reported the extensions to Google, and they had been removed from the Chrome Web Store by the time of publication. Removal from the store does not by itself uninstall copies already present in browsers, so affected users should remove the extensions manually, report the incident to their security teams, and reset passwords on Workday, NetSuite and SuccessFactors. Because the attackers hold session cookies rather than passwords, changing a password alone is not enough: active sessions on those platforms must be revoked so the stolen tokens stop working.
Longer-term controls
Enterprises should restrict extension installs via Chrome Enterprise policies (ExtensionInstallAllowlist and ExtensionSettings can allowlist reviewed extensions, deny the "cookies" permission by default and block extension access to HR and ERP hosts), audit extension permissions regularly, and monitor for unusual session activity such as the same session token in use from two networks. MFA remains essential for password-based logins, but it does not protect a session whose cookie has already been stolen; shorter session lifetimes, re-authentication for sensitive actions such as payroll changes or MFA enrollment, and regular review of active sessions limit what a stolen cookie is worth.
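The following is an added example, not code from the Socket report or from the extensions themselves. It shows the two practical checks this article points at: auditing installed extension manifests for the indicators described under "How the extensions worked" (the cookies permission scoped to HR/ERP hosts, a timer permission that supports periodic beaconing, and content scripts that run at document_start on those hosts), and turning the result into a Chrome Enterprise ExtensionSettings policy of the kind recommended above. The extension IDs, manifests and the list of target domains are constructed for illustration; the real extensions' manifests are not reproduced here.

```javascript
// Added example (not code from the Socket report or from the extensions):
// audit Chrome extension manifests for the indicators described above and
// build a Chrome Enterprise ExtensionSettings policy from the findings.
// The extension IDs, manifests and domain list are constructed for illustration.

// Assumed target domains, based on the platforms named in the article.
const TARGET_HOSTS = ["workday.com", "netsuite.com", "successfactors.com"];

// Reduce a match pattern such as "*://*.workday.com/*" to its host
// ("workday.com"); "<all_urls>" is returned as "*".
function hostOfPattern(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^[a-z*]+:\/\/([^/]+)/i.exec(pattern);
  return m ? m[1].replace(/^\*\./, "").toLowerCase() : null;
}

// True if any pattern reaches one of the target hosts (or every host).
function touchesTargets(patterns) {
  return patterns.some((p) => {
    const h = hostOfPattern(p);
    if (!h) return false;
    return h === "*" || TARGET_HOSTS.some((t) => h === t || h.endsWith("." + t));
  });
}

// Map one manifest (Manifest V3 shape) to the article's three behaviours:
// cookie access on target hosts, periodic beaconing, and early-running
// content scripts that can blank or redirect admin pages.
function assessManifest(manifest) {
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];
  const scripts = manifest.content_scripts || [];
  const findings = [];

  const cookieAccess = perms.includes("cookies") && touchesTargets(hosts);
  if (cookieAccess) findings.push("cookies permission scoped to HR/ERP hosts: can read or set __session");
  if (cookieAccess && perms.includes("alarms")) findings.push("alarms permission: service worker can wake on a timer to exfiltrate");
  if (scripts.some((cs) => cs.run_at === "document_start" && touchesTargets(cs.matches || []))) {
    findings.push("content script at document_start on HR/ERP hosts: can hide admin pages before render");
  }
  if (hosts.includes("<all_urls>")) findings.push("<all_urls> host permission");

  // Cookie access on the targets alone is enough to escalate to a human review.
  return { name: manifest.name, findings, suspicious: cookieAccess || findings.length >= 2 };
}

// Emit an ExtensionSettings policy: default-block new installs, deny the
// cookies permission and block runtime access to the target hosts for every
// extension not explicitly configured, and force-remove flagged ones.
function buildPolicy(inventory) {
  const policy = {
    "*": {
      installation_mode: "blocked",
      blocked_permissions: ["cookies"],
      runtime_blocked_hosts: TARGET_HOSTS.map((h) => `*://*.${h}`),
    },
  };
  for (const { id, manifest } of inventory) {
    if (assessManifest(manifest).suspicious) policy[id] = { installation_mode: "removed" };
  }
  return policy;
}

// Constructed inventory: a manifest shaped like the behaviour described above
// and a benign one. The IDs are placeholders, not the real extensions' IDs.
const SAMPLE_INVENTORY = [
  {
    id: "aaaabbbbccccddddeeeeffffgggghhhh",
    manifest: {
      name: "HR Productivity Helper (constructed)",
      manifest_version: 3,
      permissions: ["cookies", "alarms", "storage"],
      host_permissions: ["*://*.workday.com/*", "*://*.netsuite.com/*", "*://*.successfactors.com/*"],
      content_scripts: [{ matches: ["*://*.workday.com/*"], js: ["content.js"], run_at: "document_start" }],
    },
  },
  {
    id: "iiiijjjjkkkkllllmmmmnnnnoooopppp",
    manifest: {
      name: "Spell Checker (constructed)",
      manifest_version: 3,
      permissions: ["storage", "activeTab"],
    },
  },
];

console.log(JSON.stringify(buildPolicy(SAMPLE_INVENTORY), null, 2));
```

Run it with Node against manifests pulled from the Chrome extensions directory on an endpoint (or from the store listing's CRX). The "*" entry makes the policy default-deny; each reviewed extension then needs its own entry with installation_mode "allowed", and anything that legitimately needs cookie access on the HR hosts (a password manager, for instance) gets an explicit runtime_allowed_hosts entry rather than a blanket exception.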
For any suspected compromise, follow your organization’s incident response process and engage identity and threat teams to assess scope and remediation.