Netcrook

Chrome’s Trojan Workforce: Malicious Extensions Mimic Payroll Giants to Steal Corporate Accounts

Published: 16 January 2026 18:17
Category: Cloud, SaaS & Identity Security
Author: LOGICFALCON

Fake productivity tools targeting Workday and NetSuite infiltrate organizations, lock security teams out of admin pages, and hijack sessions, leaving thousands of users at risk.

Picture this: you’re logging into your company’s HR portal to check your benefits or approve a time-off request. Unbeknownst to you, a seemingly helpful Chrome extension is running in the background, quietly copying your session cookies, blocking your IT team’s response, and handing cybercriminals everything they need to take over your account. This isn’t a worst-case scenario; it’s the reality uncovered by security researchers, who have exposed a coordinated campaign of Chrome extensions impersonating trusted enterprise tools like Workday and NetSuite.

Fast Facts

  • Five Chrome extensions masqueraded as HR/ERP tools, targeting Workday, NetSuite, and SuccessFactors users.
  • Extensions exfiltrated authentication cookies, blocked security admin pages, and enabled account takeovers.
  • Over 2,300 installs recorded before removal from the Chrome Web Store; the extensions are still available on third-party download sites.
  • Most extensions encrypted command-and-control traffic and evaded code inspection by disabling developer tools.
  • Victims are urged to uninstall the extensions, reset passwords, and review accounts for suspicious access.

Inside the Attack: How Fake Extensions Hijacked Corporate Accounts

The operation reads like a cybercrime playbook, executed with unnerving precision. Researchers at Socket discovered five Chrome extensions (DataByCloud Access, Tool Access 11, DataByCloud 1, DataByCloud 2, and Software Access) masquerading as productivity boosters for leading HR and ERP platforms. With names and branding designed to lull users into a false sense of security, these extensions infiltrated over 2,300 browsers, targeting users at the very heart of the modern workplace.

Once installed, the extensions requested broad permissions scoped to Workday, NetSuite, and SuccessFactors domains, including the cookies, scripting, and management APIs: enough to read session cookies, run code inside the HR pages, and interfere with other extensions. Their primary mission was to steal authentication cookies and exfiltrate them to attacker-controlled servers every 60 seconds. Because a stolen session cookie represents a session the victim has already authenticated, the attacker can replay it without ever entering a password or completing two-factor authentication; this is session hijacking, and it sidesteps both controls entirely.
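The permission combination described above is itself a detectable signature. The following is an added example, not code from the extensions or from Socket’s analysis: a Node.js audit that takes a parsed extension manifest.json and flags host access to HR/ERP tenants combined with the cookies, scripting and management APIs. The watch-list of domains, the sample manifest and the risk thresholds are assumptions for illustration; the article names the platforms but not the exact host patterns the extensions used.

```javascript
// Added example (not the extensions' code, not Socket's tooling): audit a
// Chrome extension manifest for the permission pattern this campaign relied on:
// host access to HR/ERP tenants combined with cookies, scripting and management.

// Assumed watch-list of HR/ERP SaaS domains; adjust to your own tenants.
const WATCHED_HOSTS = [
  "myworkday.com", "workday.com",
  "netsuite.com",
  "successfactors.com", "successfactors.eu",
];

// Permissions that, together with host access, let an extension read session
// cookies, run code in the page, or disable other (security) extensions.
const SENSITIVE_PERMISSIONS = ["cookies", "scripting", "management", "webRequest", "tabs"];

// Reduce a match pattern such as "*://*.workday.com/*" to its host part.
function hostOfPattern(pattern) {
  if (pattern === "<all_urls>") return "<all_urls>";
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  return m ? m[2].replace(/^\*\./, "") : pattern;
}

function matchesWatchedHost(pattern) {
  const host = hostOfPattern(pattern);
  if (host === "<all_urls>") return true;
  return WATCHED_HOSTS.some((w) => host === w || host.endsWith("." + w));
}

function auditManifest(manifest) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);
  // MV3 keeps host access in host_permissions; MV2 mixes it into permissions.
  const hostPatterns = [
    ...(manifest.host_permissions || []),
    ...[...perms].filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  const csPatterns = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  const watchedHosts = hostPatterns.filter(matchesWatchedHost);
  const watchedCs = csPatterns.filter(matchesWatchedHost);
  const sensitive = SENSITIVE_PERMISSIONS.filter((p) => perms.has(p));

  if (watchedHosts.length) findings.push(`host access to HR/ERP domains: ${watchedHosts.join(", ")}`);
  if (watchedCs.length) findings.push(`content scripts injected into HR/ERP pages: ${watchedCs.join(", ")}`);
  if (sensitive.length) findings.push(`sensitive API permissions: ${sensitive.join(", ")}`);
  if (perms.has("cookies") && watchedHosts.length)
    findings.push("can read session cookies for HR/ERP domains (session-theft capable)");
  if (perms.has("scripting") || watchedCs.length)
    findings.push("can modify the DOM of HR/ERP pages (admin-page blocking capable)");

  // The combination is what matters, not any single permission (assumed thresholds).
  const risk = findings.length >= 4 ? "HIGH" : findings.length >= 2 ? "MEDIUM" : "LOW";
  return { name: manifest.name, risk, findings };
}

// Constructed sample manifest shaped like the behaviour described in the
// article; it is not the real manifest of any of the five extensions.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Sample HR Helper (constructed)",
  permissions: ["cookies", "scripting", "management", "alarms"],
  host_permissions: ["*://*.myworkday.com/*", "*://*.netsuite.com/*"],
  content_scripts: [{ matches: ["*://*.successfactors.com/*"], js: ["content.js"] }],
};

const report = auditManifest(SAMPLE_MANIFEST);
console.log(`${report.name}: ${report.risk}`);
report.findings.forEach((f) => console.log(`  - ${f}`));
```

To audit a real extension, load its manifest.json from the unpacked extension directory with JSON.parse and pass the object to auditManifest. A legitimate Workday helper may also need host access to a Workday tenant, so treat a HIGH result as a prompt to read the extension’s code rather than as proof of malice; the management permission in particular has no business in an HR productivity tool.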

But the attack didn’t stop at theft. To ensure persistence, extensions like Tool Access 11 and DataByCloud 2 actively sabotaged incident response. By manipulating the Document Object Model (DOM), they blocked access to up to 56 admin pages, disabling password resets, account deactivation, and security log access. Security teams, even if they spotted suspicious activity, found themselves digitally handcuffed.

The most advanced of the bunch, Software Access, took the threat further: it could inject stolen authentication cookies directly into the attacker’s browser, instantly recreating a victim’s session and granting full access to sensitive company data. And to avoid getting caught, these extensions monitored for the presence of 23 popular security tools, potentially alerting attackers if the coast wasn’t clear.
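Because the command-and-control traffic was encrypted, content inspection is of little use; what survives encryption is the cadence. The following is an added example, not Socket’s detection logic and not the extensions’ code: a Node.js script that groups proxy-log events by client and destination and flags pairs that talk at a near-fixed interval, such as the 60-second exfiltration described above. The log format, the hostnames and the thresholds are constructed for illustration.

```javascript
// Added example (not Socket's detection logic, not the extensions' code):
// flag browser clients that contact one destination at a near-fixed interval,
// the kind of 60-second exfiltration cadence the article describes. It uses
// metadata only, so it still applies when the traffic itself is encrypted.
// Log format is a constructed, simplified proxy log, one event per line:
//   <epoch_seconds> <client_ip> <dest_host> <method> <bytes_out>

// Constructed sample: 10.0.4.21 posts to one host every 60 s; 10.0.4.37 fetches
// a CDN at irregular intervals. Hostnames are invented, not real C2 domains.
const SAMPLE_LOG = `
1768584000 10.0.4.21 hr.myworkday.com GET 812
1768584003 10.0.4.21 static.example-cdn.net GET 410
1768584007 10.0.4.21 upd-sync.example-c2.net POST 2310
1768584067 10.0.4.21 upd-sync.example-c2.net POST 2298
1768584127 10.0.4.21 upd-sync.example-c2.net POST 2315
1768584187 10.0.4.21 upd-sync.example-c2.net POST 2301
1768584247 10.0.4.21 upd-sync.example-c2.net POST 2320
1768584250 10.0.4.21 hr.myworkday.com GET 790
1768584011 10.0.4.37 static.example-cdn.net GET 400
1768584140 10.0.4.37 static.example-cdn.net GET 420
1768584301 10.0.4.37 static.example-cdn.net GET 415
1768584920 10.0.4.37 static.example-cdn.net GET 405
`.trim();

function parseLog(text) {
  return text
    .split("\n")
    .map((l) => l.trim())
    .filter((l) => l.length > 0)
    .map((l) => {
      const [ts, client, dest, method, bytes] = l.split(/\s+/);
      return { ts: Number(ts), client, dest, method, bytes: Number(bytes) };
    });
}

// A (client, dest) pair is a beacon candidate when it has at least minHits
// events, the mean gap lies within intervalRange (seconds), and the gaps are
// regular: standard deviation divided by mean is at most maxJitterRatio.
function findBeacons(events, { minHits = 4, intervalRange = [30, 600], maxJitterRatio = 0.1 } = {}) {
  const groups = new Map();
  for (const e of events) {
    const key = `${e.client}|${e.dest}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }

  const beacons = [];
  for (const [key, evs] of groups) {
    if (evs.length < minHits) continue;
    evs.sort((a, b) => a.ts - b.ts);
    const gaps = evs.slice(1).map((e, i) => e.ts - evs[i].ts);
    const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
    const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
    const jitter = Math.sqrt(variance) / mean;
    if (mean < intervalRange[0] || mean > intervalRange[1] || jitter > maxJitterRatio) continue;
    const [client, dest] = key.split("|");
    beacons.push({
      client,
      dest,
      hits: evs.length,
      meanInterval: mean,
      jitter,
      bytesOut: evs.reduce((s, e) => s + e.bytes, 0),
    });
  }
  return beacons;
}

for (const b of findBeacons(parseLog(SAMPLE_LOG))) {
  console.log(`BEACON ${b.client} -> ${b.dest}: ${b.hits} hits, every ~${b.meanInterval.toFixed(0)}s, ${b.bytesOut} bytes out`);
}
```

The threshold of 10 percent jitter catches the fixed-timer behaviour reported here; malware that randomises its sleep needs a looser ratio and a longer observation window, at the cost of more false positives from legitimate pollers such as mail clients and update checkers. Pair a hit with the destination’s age and reputation, and with the bytes-out figure, before escalating.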

Despite being pulled from the Chrome Web Store, most of these extensions remain available on third-party sites like Softonic, presenting an ongoing risk. The campaign’s use of identical code and infrastructure strongly suggests a single threat actor-or at least a shared toolkit-behind the operation.

The Takeaway: When Security Tools Become Trojan Horses

This saga is a stark reminder that even trusted-looking browser extensions can morph into sophisticated attack vectors. As organizations increasingly rely on cloud-based HR and ERP platforms, attackers are targeting the very tools that keep businesses running. For users and IT teams alike, vigilance is key: uninstall suspicious extensions, reset credentials, and monitor for unauthorized activity. Because the attacker holds a copy of the session cookie, terminate the account’s active sessions as well; a password change alone does not necessarily invalidate a session that is already established. The next time a Chrome add-on promises productivity magic, remember: some Trojan horses wear a suit and tie.

WIKICROOK

  • Session Hijacking: Session hijacking is when an attacker steals or mimics a user's session to gain unauthorized access and act as that user online.
  • Authentication Token: An authentication token is a digital key that verifies your identity to apps or services, allowing secure access without re-entering your password.
  • Command: A command is an instruction sent to a device or software, often by a command-and-control (C2) server run by the attacker, directing it to perform specific actions, sometimes for malicious purposes.
  • Document Object Model (DOM): The DOM is a tree-like structure representing a webpage’s content, which can be changed by scripts or malicious browser extensions.
  • Cookie Injection: Cookie injection is when attackers place stolen cookies in a browser to hijack sessions and impersonate users, bypassing authentication controls.