Based on reporting by Cybersecurity News.
Security researchers have uncovered a coordinated campaign involving five malicious Google Chrome extensions designed to compromise enterprise HR and ERP platforms. These extensions were disguised as legitimate productivity, access, or workplace tools and were distributed through trusted-looking listings.
Once installed, the extensions abused elevated browser permissions to steal session cookies, intercept authentication tokens, block security pages, and disable defensive controls. This enabled attackers to hijack authenticated sessions and maintain persistent access without requiring user credentials or passwords.
Identified Malicious Chrome Extensions
The following extensions were identified as part of the campaign:
- DataByCloud Access — Posed as a productivity or security-related tool while secretly harvesting session tokens.
- Tool Access 11 — Intercepted authentication data and blocked access to administrative and security settings.
- DataByCloud 1 — Exfiltrated authentication cookies to attacker-controlled servers.
- DataByCloud 2 — A variant with extended persistence and administrative interference capabilities.
- Software Access — Enabled bidirectional session hijacking and long-term account takeover.
Affected platforms reportedly include widely used enterprise services such as Workday, SAP SuccessFactors, and Oracle NetSuite, which often store sensitive employee, payroll, and internal operational data.
Researchers warn that browser extensions remain a significant blind spot in corporate security strategies. Because they operate inside trusted browsers, malicious extensions can bypass endpoint protections, traditional antivirus tools, and network-based defenses.
Reducing Browser Extension Risk
Security experts recommend organizations restrict extension installation via managed browser policies, regularly audit installed add-ons, and educate employees about the risks of installing unofficial or unnecessary browser extensions.
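One way to carry out the add-on audit recommended above, as an added example that is not code from the researchers or from Cybersecurity News: it reads each installed extension's manifest.json and flags names from the list above and permission sets that match the reported behaviour. The hostname fragments, the Extensions/<id>/<version>/ directory layout and the sample manifest are assumptions made for this example.

```python
import json
from pathlib import Path

# Names as reported in the article; the page gives no extension IDs, so match on name.
REPORTED_NAMES = {"databycloud access", "tool access 11", "databycloud 1",
                  "databycloud 2", "software access"}
# Permissions behind the reported behaviour: cookie access, request
# interception/blocking, and control over other extensions.
RISKY_PERMS = {"cookies", "webRequest", "declarativeNetRequest", "management"}
# Assumption: hostname fragments for the platforms the article names.
WATCHED_HOSTS = ("workday", "successfactors", "netsuite")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    # Localised names ("__MSG_...__") will not match; the permission check still applies.
    if str(manifest.get("name", "")).strip().lower() in REPORTED_NAMES:
        findings.append("name matches an extension reported in the campaign")
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    declared = [p for p in declared if isinstance(p, str)]
    perms = sorted(RISKY_PERMS.intersection(declared))
    hosts = sorted({p for p in declared if p in BROAD_HOSTS
                    or any(w in p.lower() for w in WATCHED_HOSTS)})
    if perms and hosts:
        findings.append(f"permissions {perms} granted on hosts {hosts}")
    return findings

def audit_profile(extensions_dir):
    """Map '<id>/<version>' to findings for each manifest under a profile's Extensions dir."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        key = f"{path.parent.parent.name}/{path.parent.name}"
        try:
            findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["manifest could not be read or parsed"]
        if findings:
            report[key] = findings
    return report

# Constructed sample manifest for illustration, not taken from a real extension.
SAMPLE = {"manifest_version": 3, "name": "Tool Access 11",
          "permissions": ["cookies", "declarativeNetRequest", "storage"],
          "host_permissions": ["https://*.workday.com/*"]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```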
Source: Cybersecurity News