Severity
High
Analysis Summary
A coordinated campaign involving five malicious Google Chrome extensions has emerged as a serious enterprise security threat, specifically targeting widely used HR and financial platforms including Workday, NetSuite, and SAP SuccessFactors. These platforms manage highly sensitive employee and financial data for thousands of organizations worldwide. The extensions work together as a unified attack framework designed to steal authentication tokens, disable security controls, and enable full account takeover through session hijacking. Four of the extensions were published under the developer name databycloud1104, while a fifth extension, “Software Access”, uses identical infrastructure and attack logic. Together, these extensions have infected more than 2,300 enterprise users, demonstrating a well-organized and carefully planned operation.
Security researchers identified the campaign through deep code analysis, revealing hidden malicious functionality behind misleading productivity tool branding. The extensions falsely claim to help users manage multiple accounts more efficiently, but in reality they steal session cookies and authentication tokens while actively preventing security teams from responding. The most dangerous feature is found in the “Software Access” extension, which implements bidirectional cookie injection. This allows attackers to inject stolen authentication cookies directly into their own browsers and instantly hijack victim sessions; because the stolen session is already authenticated, no password is needed and multi‑factor authentication is never challenged. Other extensions continuously harvest session tokens every 60 seconds, ensuring attackers maintain persistent access even if users log out and log back in.
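The 60‑second harvesting cadence described above is a detection opportunity on the network side, and the two campaign domains named later in this advisory are a straightforward watch‑list. The following script is an added example written for this advisory, not code from the researchers or from the extensions: it parses a constructed proxy log, flags any client/host pair that talks on a steady ~60‑second rhythm, and separately flags any contact with the watch‑listed domains. The log format, client IPs, paths and timestamps are invented; that the extensions' cookie harvesting produces network beacons at the same 60‑second interval is an assumption made for the example, not a finding stated on the page.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log (not from the advisory). Format per line:
#   <ISO timestamp> <client-ip> <destination-host> <method> <path>
# The destination hosts are the two campaign domains the advisory names,
# written undefanged as a real proxy log would carry them; everything else is invented.
SAMPLE_LOG = """\
2024-03-04T09:00:00Z 10.20.30.41 databycloud.com POST /collect
2024-03-04T09:00:12Z 10.20.30.41 www.example-intranet.local GET /home
2024-03-04T09:01:00Z 10.20.30.41 databycloud.com POST /collect
2024-03-04T09:01:37Z 10.20.30.41 www.example-intranet.local GET /news
2024-03-04T09:02:01Z 10.20.30.41 databycloud.com POST /collect
2024-03-04T09:02:59Z 10.20.30.41 databycloud.com POST /collect
2024-03-04T09:05:00Z 10.20.30.42 software-access.com GET /ping
2024-03-04T09:09:14Z 10.20.30.42 www.example-intranet.local GET /home
2024-03-04T09:10:00Z 10.20.30.42 software-access.com GET /ping
"""

# Domains named in the advisory (defanged there as databycloud[.]com / software-access[.]com).
WATCHLIST = {"databycloud.com", "software-access.com"}


def parse_line(line):
    """Split one constructed log line into (timestamp, client_ip, host)."""
    ts, src, host, _method, _path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host


def find_periodic_beacons(log_text, period=60.0, tolerance=5.0, min_hits=3):
    """Return {(client_ip, host): median_gap_seconds} for pairs that recur at ~period seconds.

    The assumption here is that a 60-second token harvester produces a 60-second
    upload rhythm; a median inter-arrival gap within `tolerance` of `period`,
    over at least `min_hits` requests, is treated as beaconing.
    """
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host = parse_line(line)
        stamps_by_pair[(src, host)].append(ts)

    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        gap = median(gaps)
        if abs(gap - period) <= tolerance:
            beacons[pair] = gap
    return beacons


def find_watchlist_hits(log_text, watchlist=WATCHLIST):
    """Return a sorted list of (client_ip, host) pairs that contacted a watch-listed domain."""
    seen = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, host = parse_line(line)
        if host in watchlist:
            seen.add((src, host))
    return sorted(seen)


if __name__ == "__main__":
    for (src, host), gap in find_periodic_beacons(SAMPLE_LOG).items():
        print(f"periodic beacon: {src} -> {host} every ~{gap:.0f}s")
    for src, host in find_watchlist_hits(SAMPLE_LOG):
        print(f"watch-list contact: {src} -> {host}")
```

On the constructed log the periodicity check fires only for the client posting to databycloud.com four times at 60‑second gaps; the two software-access.com requests are caught by the watch‑list check but not by the cadence check, which is the point of running both: a watch‑list catches known infrastructure, while the cadence check also surfaces a harvester talking to a domain nobody has listed yet.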
The campaign also includes a highly advanced persistence and containment‑evasion mechanism. The extensions perform DOM manipulation and use MutationObserver functions to monitor web pages every 50 milliseconds. If a security administrator attempts to access security settings, reset passwords, revoke sessions, disable accounts, or manage MFA devices, the extensions immediately erase the page content and redirect the user to broken or malformed URLs. The “Tools Access 11” extension blocks 44 Workday admin pages, while “Data By Cloud 2” blocks 56 administrative pages, including audit logs and account recovery functions. This effectively prevents security teams from performing incident response.
This attack creates a containment failure scenario where organizations may detect unauthorized access but are unable to stop it using standard security controls. The malicious domains used in the campaign, databycloud[.]com (returning 404 errors) and software-access[.]com (returning SSL handshake errors), further indicate infrastructure designed to evade detection. As a result, affected organizations are forced to either tolerate persistent unauthorized access or completely migrate users to new accounts. The campaign represents one of the most sophisticated Chrome extension–based enterprise compromises observed to date, combining credential theft, session hijacking, administrative sabotage, and long‑term persistence into a single coordinated attack strategy.
Impact
- Gain Access
Affected Vendors
Remediation
- Audit all Chrome extensions in enterprise environments and uninstall any extensions published under the developer name databycloud1104, as well as the “Software Access” extension.
- Force logouts and reset all authentication tokens for affected accounts on Workday, NetSuite, SuccessFactors, and other impacted systems.
- Require MFA for all users and verify MFA settings to prevent session hijacking from stolen cookies.
- Review all administrative access and security logs for suspicious activity, even if pages appear blank due to blocking mechanisms.
- Deploy anti-malware and endpoint detection tools capable of detecting malicious browser extensions and DOM manipulation behavior.
- Monitor outbound traffic to databycloud[.]com and software-access[.]com domains and other suspicious endpoints.
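The first remediation step, auditing installed Chrome extensions, can be scripted from the manifests Chrome keeps on disk. The script below is an added example for this advisory, not a tool from the researchers or any vendor. It walks a Chrome profile's Extensions directory, reads each manifest.json, and flags an extension when its name matches one of the names the advisory gives (“Tools Access 11”, “Data By Cloud 2”, “Software Access”) or when it holds the cookies permission together with host access to Workday, NetSuite or SuccessFactors hosts (or to all sites), which is the capability combination the advisory's token theft requires. Two caveats: the Chrome Web Store developer name (databycloud1104) is not stored in manifest.json, so name matching alone cannot catch all four of that publisher's extensions, and a manifest name of the form __MSG_…__ is localized and will not match. The default profile paths are the standard Chrome locations for Linux, macOS and Windows; the sample manifest is constructed.

```python
import json
import os
import sys
from pathlib import Path

# Extension names the advisory attributes to the campaign (compared case-insensitively).
KNOWN_BAD_NAMES = {"tools access 11", "data by cloud 2", "software access"}

# Substrings identifying the HR/finance platforms the advisory says were targeted.
TARGET_PLATFORMS = ("workday", "netsuite", "successfactors")

# Standard Chrome "Default" profile extension directories (Linux, macOS, Windows).
DEFAULT_ROOTS = [
    Path.home() / ".config/google-chrome/Default/Extensions",
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",
]

# Constructed manifest standing in for a suspicious extension; not a real extension's manifest.
SAMPLE_MANIFEST = {
    "name": "Software Access",
    "manifest_version": 3,
    "permissions": ["cookies", "storage", "tabs"],
    "host_permissions": ["*://*.myworkday.com/*", "https://*.netsuite.com/*"],
}


def host_patterns(manifest):
    """Collect every host pattern the extension can reach, covering MV2 and MV3 layouts."""
    patterns = list(manifest.get("host_permissions", []))          # MV3
    patterns += [p for p in manifest.get("permissions", [])        # MV2 puts hosts here
                 if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_manifest(manifest):
    """Return the reasons this manifest deserves review; an empty list means nothing flagged."""
    reasons = []
    name = str(manifest.get("name", "")).strip().lower()
    if name in KNOWN_BAD_NAMES:
        reasons.append(f"name matches advisory: {manifest.get('name')!r}")

    permissions = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    target_hosts = [h for h in hosts if any(t in h.lower() for t in TARGET_PLATFORMS)]
    broad_hosts = [h for h in hosts if h == "<all_urls>" or h.startswith("*://*/")]
    # Reading another site's cookies needs the cookies permission plus host access to that site.
    if "cookies" in permissions and (target_hosts or broad_hosts):
        reasons.append(f"'cookies' permission with reach into HR/finance hosts: {target_hosts or broad_hosts}")
    return reasons


def audit_extension_root(root):
    """Audit every <id>/<version>/manifest.json under a Chrome Extensions directory.

    Returns {extension_id: [reasons]} for flagged extensions; a missing directory yields {}.
    """
    findings = {}
    root = Path(root)
    if not root.is_dir():
        return findings
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        reasons = audit_manifest(manifest)
        if reasons:
            findings[manifest_path.parent.parent.name] = reasons  # directory name is the extension id
    return findings


if __name__ == "__main__":
    print("sample manifest:", audit_manifest(SAMPLE_MANIFEST))
    roots = sys.argv[1:] or DEFAULT_ROOTS
    for root in roots:
        for ext_id, reasons in audit_extension_root(root).items():
            print(ext_id)
            for reason in reasons:
                print("  -", reason)
```

Run it with no arguments to scan the standard profile paths on the current machine, or pass one or more Extensions directories (for example a mounted user profile collected during incident response). The permission-combination check matters more than the name check in practice: an extension can be renamed and republished, but it cannot read Workday or NetSuite session cookies without both the cookies permission and host access to those sites.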