
Feb 01, 2026 · 5 min read

These Chrome Extensions Look Like Workday—But They're Stealing Your Corporate Credentials

A coordinated campaign used fake HR platform extensions to hijack sessions and lock security teams out of their own admin panels.

Security researchers at Socket have uncovered a sophisticated attack campaign targeting enterprise users through five malicious Chrome extensions. The extensions masqueraded as tools for popular HR and ERP platforms including Workday, NetSuite, and SuccessFactors. Before their removal from the Chrome Web Store, they had been installed by more than 2,300 users across multiple organizations.


The Malicious Extensions

The five extensions operated under different names but shared identical infrastructure, code patterns, and targeting. Four were published under the developer name databycloud1104, while the fifth used different branding:

  • DataByCloud Access (251 installs)
  • Tool Access 11 (101 installs)
  • DataByCloud 1 (1,000 installs)
  • DataByCloud 2 (1,000 installs)
  • Software Access (27 installs)

While Google has removed these extensions from the Chrome Web Store, they remain available on third-party software download sites like Softonic, where unsuspecting users can still install them.

Three-Pronged Attack Strategy

What makes this campaign notable is its coordinated use of multiple attack techniques working together:

Cookie Exfiltration

The extensions continuously extracted authentication cookies containing active login tokens for Workday, NetSuite, and SuccessFactors. According to Socket researcher Kush Pandya, these tokens were exfiltrated every 60 seconds to remote command and control servers. This allowed attackers to maintain persistent access even when users logged out and back in.
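A fixed 60-second exfiltration loop leaves a recognisable footprint in web proxy or egress logs: one client contacting one external host at a near-constant interval. The following script, an added example that is not part of Socket's report or the extensions' code, groups requests by (client, host), measures the spacing between them, and flags pairs whose interval is almost constant. The log lines are constructed, the log format is a simplified placeholder, and `c2.example.invalid` stands in for whatever collection host a real campaign would use.

```python
"""Beaconing detection over proxy logs (added example, not from the Socket report).

Flags (client, destination host) pairs whose request timestamps recur at a
near-constant interval, as a 60-second cookie-exfiltration loop would produce.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in a simplified "timestamp client host method path" format.
# c2.example.invalid is a placeholder, not an indicator from the report.
SAMPLE_PROXY_LOG = """\
2026-01-20T09:00:00Z 10.1.2.3 c2.example.invalid POST /collect
2026-01-20T09:00:05Z 10.1.2.3 www.workday.com GET /home
2026-01-20T09:01:00Z 10.1.2.3 c2.example.invalid POST /collect
2026-01-20T09:01:30Z 10.1.2.3 cdn.example.net GET /app.js
2026-01-20T09:02:01Z 10.1.2.3 c2.example.invalid POST /collect
2026-01-20T09:02:45Z 10.1.2.3 www.workday.com GET /inbox
2026-01-20T09:03:00Z 10.1.2.3 c2.example.invalid POST /collect
2026-01-20T09:03:59Z 10.1.2.3 c2.example.invalid POST /collect
2026-01-20T09:04:10Z 10.1.2.3 www.workday.com GET /payslips
2026-01-20T09:05:00Z 10.1.2.3 c2.example.invalid POST /collect
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _path = line.split()
        events[(client, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Return (client, host) pairs whose inter-request gaps vary by at most
    max_jitter (coefficient of variation) over at least min_hits requests."""
    findings = []
    for (client, host), times in events.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(times),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits every ~{f['interval_s']}s")
```

On the constructed sample the Workday requests are irregular and too few to score, while the placeholder collector host is flagged at roughly 60 seconds with under 2% jitter. Legitimate software also polls on fixed timers (update checks, chat heartbeats), so treat a hit as a triage signal to be joined against the destination's reputation and the process or extension that originated the request, not as a verdict on its own.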

Blocking Security Admins

Two extensions, Tool Access 11 and DataByCloud 2, actively sabotaged incident response efforts. Using page title detection, they either erased content or redirected administrators away from security management pages. Tool Access 11 targeted 44 administrative pages within Workday, including authentication policies, security proxy configuration, IP range management, and session controls. DataByCloud 2 expanded this to 56 pages.

Session Hijacking

The most sophisticated variant, Software Access, received stolen cookies from remote servers and injected them directly into victim browsers. This enabled complete account takeover, allowing attackers to operate as if they were the legitimate user without needing passwords.

Evading Detection

All five extensions monitored for 23 security-related browser tools, including EditThisCookie, Cookie Editor, ModHeader, Redux DevTools, and SessionBox. This allowed attackers to detect when security researchers or IT administrators might be analyzing the extensions and adjust their behavior accordingly.

The extensions also communicated their findings to the threat actor, helping them identify which organizations had security tools that could potentially reveal the malicious behavior.

Why Enterprise HR Platforms Are Targets

Platforms like Workday, NetSuite, and SuccessFactors contain some of the most sensitive data in any organization: employee personal information, salary details, tax records, and organizational structures. Access to these systems can enable:

  • Payroll fraud and direct deposit redirection
  • Identity theft using employee personal data
  • Business email compromise using organizational charts
  • Insider trading using compensation and personnel changes

What Organizations Should Do

Socket recommends several immediate actions for affected organizations:

  • Remove any installed instances of the five extensions
  • Reset passwords for all affected enterprise platform accounts
  • Review login histories for unauthorized access from unfamiliar IP addresses or devices
  • Implement Chrome Enterprise extension allowlists to prevent unauthorized installations
  • Monitor for extensions targeting enterprise platforms with similar permission requests
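
The last two recommendations above can be scripted. The example below is added here and is not tooling from Socket or from the extension authors: it walks a Chrome profile's on-disk extension directory, scores each manifest on the combination that makes cookie theft or injection possible (the `cookies` permission plus host access to Workday, NetSuite or SuccessFactors, or to all sites), and emits a Chrome Enterprise `ExtensionSettings` policy that blocks every extension except a reviewed allowlist. The two sample manifests and their 32-character IDs are constructed placeholders; the article does not publish the real extensions' IDs or manifests.

```python
"""Audit Chrome extension manifests for HR-platform cookie access and build an
allowlist policy (added example, not from the Socket report)."""
import json
import re
from pathlib import Path

# Hosts of the HR/ERP platforms named in the report, matched against manifest
# match patterns such as "*://*.workday.com/*".
HR_PLATFORM_HOSTS = [r"workday\.com", r"netsuite\.com", r"successfactors\."]
# Wildcard patterns grant access to every site, HR platforms included.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that, with host access, suffice to read, replace or relay session cookies.
RISKY_PERMISSIONS = {"cookies", "webRequest", "scripting", "tabs", "declarativeNetRequest"}

# Constructed manifests for the stand-alone demo; IDs are placeholders, not real campaign IDs.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "HR Portal Helper", "manifest_version": 3,
        "permissions": ["cookies", "tabs", "storage", "alarms"],
        "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Tab Counter", "manifest_version": 3,
        "permissions": ["storage"],
    },
}


def host_patterns(manifest):
    """Collect host patterns from MV2 permissions, MV3 host_permissions and content scripts."""
    patterns = [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    patterns += manifest.get("host_permissions", [])
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    return patterns


def assess_manifest(manifest):
    """Score one manifest: high = cookie access to HR platforms, medium = other
    risky permissions with HR-platform host access, low = neither."""
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    targets_hr = any(
        p in ALL_SITES or any(re.search(h, p) for h in HR_PLATFORM_HOSTS) for p in hosts
    )
    risky = sorted(perms & RISKY_PERMISSIONS)
    if targets_hr and "cookies" in perms:
        severity = "high"
    elif targets_hr and risky:
        severity = "medium"
    else:
        severity = "low"
    return {"name": manifest.get("name", "?"), "severity": severity,
            "targets_hr_platforms": targets_hr, "risky_permissions": risky}


def scan_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json as Chrome lays it out on disk."""
    results = []
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        with open(path, encoding="utf-8") as f:
            manifest = json.load(f)
        results.append({"id": path.parts[-3], **assess_manifest(manifest)})
    return results


def audit_samples():
    """Assess the constructed sample manifests (used when no profile is available)."""
    return {ext_id: assess_manifest(m) for ext_id, m in SAMPLE_MANIFESTS.items()}


def build_extension_settings_policy(allowed_ids):
    """Chrome Enterprise ExtensionSettings policy: block every extension except
    the reviewed IDs passed in."""
    settings = {"*": {"installation_mode": "blocked"}}
    for ext_id in allowed_ids:
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


if __name__ == "__main__":
    for ext_id, result in audit_samples().items():
        print(ext_id, result)
    reviewed = [i for i, r in audit_samples().items() if r["severity"] == "low"]
    print(json.dumps(build_extension_settings_policy(reviewed), indent=2))
```

Run `scan_profile` against a real profile path (for example `~/.config/google-chrome/Default` on Linux) to get the same assessment per installed extension. The emitted policy is the standard `ExtensionSettings` JSON that Chrome reads from its managed policy location (`/etc/opt/chrome/policies/managed/` on Linux; Group Policy or the registry on Windows); the `"*"` entry set to `blocked` is what turns it into an allowlist, so the only extensions users can install are the IDs listed as `allowed`.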

For individual users, the incident underscores the importance of verifying extension publishers before installation and being skeptical of tools that request broad permissions for enterprise platforms.

A Growing Pattern

This campaign follows a string of malicious browser extension discoveries in recent months, including the DarkSpectre campaign that harvested corporate meeting data from 8.8 million users and the Stanley malware-as-a-service that guarantees placement of phishing extensions in the Chrome Web Store for $6,000.

As browser extensions gain access to more sensitive enterprise systems, the attack surface for organizations continues to expand. Until browser vendors implement stronger verification for extensions targeting business platforms, security teams must treat extension management as a critical part of their defense strategy.