Supply chain security firm Socket discovered five malicious Chrome extensions masquerading as tools for Workday, NetSuite, and SAP SuccessFactors. The extensions accumulated over 2,300 installs before Google removed most of them from the Chrome Web Store—though at least one remains available.
Incident overview
| Attribute | Details |
|---|---|
| Discovery | Socket Threat Research Team |
| Extensions identified | 5 |
| Total installs | 2,300+ |
| Target platforms | Workday, NetSuite, SAP SuccessFactors |
| Attack types | Cookie theft, DOM manipulation, session hijacking |
| Status | 4 removed, 1 still active |
Timeline
| Date | Event |
|---|---|
| January 2026 | Socket identifies malicious extensions |
| January 17, 2026 | Socket publishes analysis |
| January 19, 2026 | Google removes four of five extensions |
| Ongoing | Software Access extension still in Chrome Web Store |
Malicious extensions
| Extension Name | Extension ID | Publisher | Installs | Status |
|---|---|---|---|---|
| DataByCloud 2 | lfjbffniigfppmjgljbijdohnnekpdae | databycloud1104 | Part of 2,300+ | Removed |
| Tool Access 11 | dcdfcdigcalagpeoojgnaeaibphimepf | databycloud1104 | Part of 2,300+ | Removed |
| DataByCloud Access | ohgbakjjcfcbkihohlklcfijlpbbjimc | databycloud1104 | Part of 2,300+ | Removed |
| Data By Cloud 1 | fffijllacnghojlghnffhehloockfbak | databycloud1104 | ~1,000 | Removed |
| Software Access | knoedgofjnaekopeocjimgbbnhmjebgj | Different branding | Unknown | Still active |
Despite different names and apparent publishers, Socket’s analysis revealed identical code structures, API patterns, and evasion techniques—indicating a coordinated operation by a single threat actor.
Attack techniques
The campaign deployed three distinct attack types working in concert:
1. Cookie theft
DataByCloud Access (v1.6) extracts authentication cookies every 60 seconds:
| Target platform | Domain monitored |
|---|---|
| Workday | myworkday.com |
| NetSuite | netsuite.com |
| SuccessFactors | successfactors.com |
| Process step | Action |
|---|---|
| 1 | Background script monitors target domains |
| 2 | Session cookies harvested every 60 seconds |
| 3 | Cookies encrypted |
| 4 | Exfiltrated to api[.]databycloud[.]com |
Permissions requested:
| Permission | Abuse potential |
|---|---|
| cookies | Direct cookie access |
| management | Extension control |
| scripting | Page injection |
| storage | Local data storage |
| declarativeNetRequest | Network interception |
2. DOM manipulation
Tool Access 11 (v1.4) blocks access to 44 administrative pages within Workday by erasing content and redirecting users to malformed URLs.
Data By Cloud 2 (v3.3) expands blocking to 56 pages, adding critical incident response functions.
| Blocked functionality | Impact |
|---|---|
| MFA settings | Cannot enable additional protection |
| SSO configuration | Cannot modify authentication |
| IP restrictions | Cannot limit access by location |
| Session management | Cannot terminate sessions |
| User provisioning | Cannot disable accounts |
| Role assignment | Cannot modify permissions |
| Activity logs | Cannot review access history |
| Security audit reports | Cannot investigate compromise |
| Password changes | Cannot reset credentials |
| Account deactivation | Cannot disable compromised accounts |
| 2FA device management | Cannot revoke compromised devices |
This prevented administrators from detecting or remediating the compromise through normal administrative interfaces.
3. Session hijacking
Software Access goes beyond cookie theft—it also injects attacker-supplied cookies into victim browsers:
| Capability | Impact |
|---|---|
| Cookie injection | Overwrite legitimate sessions |
| Session takeover | Attacker assumes victim identity |
| Bidirectional control | Both steal and inject cookies |
This enables direct session takeover rather than requiring the attacker to use stolen cookies from a separate browser.
Enterprise impact
Stolen authentication cookies allow attackers to bypass MFA entirely. With valid session tokens, threat actors gain access to:
| Data category | Examples | Risk level |
|---|---|---|
| HR data | Employee records, SSNs, addresses, salary | Critical |
| Financial data | NetSuite transactions, AP/AR, reports | Critical |
| Payroll | Direct deposit details, tax withholding | Critical |
| Strategic data | Workforce planning, compensation analysis | High |
| Org charts | Reporting structures, key personnel | Medium |
Organizations using these platforms typically house their most sensitive employee and financial data.
Why browser extension attacks work
Browser extensions operate with elevated privileges that make them attractive attack vectors:
| Factor | Exploitation |
|---|---|
| Persistent access | Remain installed across browser sessions |
| Trusted context | Run within browser’s security boundary |
| Broad permissions | Access cookies, modify DOM, intercept requests |
| Minimal vetting | Chrome Web Store review has known gaps |
| User trust | Enterprise users assume “work tools” are safe |
| MFA bypass | Session cookies work without additional authentication |
Coordinated operation indicators
Socket identified evidence of a single threat actor:
| Indicator | Finding |
|---|---|
| Code structure | Identical across extensions |
| API patterns | Same C2 endpoints and protocols |
| Evasion techniques | Shared security tool detection lists |
| Target platforms | Same enterprise HR/ERP focus |
| Infrastructure | Common backend servers |
Current status
| Extension | Chrome Web Store | Third-party sites |
|---|---|---|
| DataByCloud 2 | Removed | Still on Softonic, others |
| Tool Access 11 | Removed | Still on Softonic, others |
| DataByCloud Access | Removed | Still on Softonic, others |
| Data By Cloud 1 | Removed | Still on Softonic, others |
| Software Access | Still active | Available |
Critical: Users who installed before removal still have active malicious extensions. Removal from Chrome Web Store does not uninstall existing installations.
Recommendations
For security teams
| Priority | Action |
|---|---|
| Critical | Audit installed extensions across organization |
| Critical | Remove identified malicious extensions |
| Critical | Force-remove extensions via Chrome Enterprise policy |
| High | Block third-party extension sources |
| High | Implement extension allowlisting |
| High | Monitor for anomalous HR/ERP access patterns |
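One way to carry out the first audit step on a host, as an added example that is not from Socket's report: it walks a Chrome user-data directory and reports every profile that still holds one of the listed extension IDs, which matters because Web Store removal leaves existing installs in place. It assumes the standard Chrome layout (`<user data dir>/<profile>/Extensions/<id>/<version>/`); the sample tree it builds is constructed test data, and the benign ID in it is made up.

```python
import tempfile
from pathlib import Path

# Extension IDs from the report's IoC list.
MALICIOUS_EXTENSION_IDS = {
    "lfjbffniigfppmjgljbijdohnnekpdae",  # DataByCloud 2
    "dcdfcdigcalagpeoojgnaeaibphimepf",  # Tool Access 11
    "ohgbakjjcfcbkihohlklcfijlpbbjimc",  # DataByCloud Access
    "fffijllacnghojlghnffhehloockfbak",  # Data By Cloud 1
    "knoedgofjnaekopeocjimgbbnhmjebgj",  # Software Access
}


def audit_chrome_user_data(user_data_dir, ioc_ids=MALICIOUS_EXTENSION_IDS):
    """Return (profile, extension_id, [versions]) for every IoC extension found.
    Chrome unpacks each installed extension to
    <user data dir>/<profile>/Extensions/<id>/<version>/, so matching the
    directory name against the IoC set is enough; no manifest parsing needed.
    """
    findings = []
    for profile in sorted(Path(user_data_dir).iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue  # "Local State" and other files are not profiles
        for ext_dir in sorted(ext_root.iterdir()):
            if ext_dir.name not in ioc_ids:
                continue
            versions = sorted(v.name for v in ext_dir.iterdir() if v.is_dir())
            findings.append((profile.name, ext_dir.name, versions))
    return findings


def build_constructed_sample():
    """Create a throwaway user-data tree (constructed test data, not a real
    profile) holding two IoC extensions and one benign, made-up one."""
    root = Path(tempfile.mkdtemp(prefix="chrome-audit-sample-"))
    for rel in (
        "Default/Extensions/knoedgofjnaekopeocjimgbbnhmjebgj/1.0_0",  # Software Access
        "Default/Extensions/abcdefghijklmnopabcdefghijklmnop/2.3_0",  # benign, made up
        "Profile 1/Extensions/lfjbffniigfppmjgljbijdohnnekpdae/3.3_0",  # DataByCloud 2
    ):
        (root / rel).mkdir(parents=True)
    (root / "Local State").write_text("{}")  # a profile-level file, must be skipped
    return root


if __name__ == "__main__":
    for profile, ext_id, versions in audit_chrome_user_data(build_constructed_sample()):
        print(f"FOUND {ext_id} in profile '{profile}' (versions: {', '.join(versions)})")
```

On a real host, point `audit_chrome_user_data` at the user-data directory for the platform (for example `~/.config/google-chrome` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data` on Windows) and run it under each user account.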
Chrome Enterprise policy options
| Policy | Purpose |
|---|---|
| ExtensionInstallBlocklist | Block specific extension IDs |
| ExtensionInstallAllowlist | Allow only approved extensions |
| ExtensionInstallSources | Restrict to managed deployments |
| ExtensionSettings | Granular per-extension control |
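The policies above combined into one managed-policy document, as an added example that is not from Socket's report or from Google: it blocklists the five IDs, uses `ExtensionSettings` with `installation_mode: "removed"` so copies that are already installed are uninstalled rather than merely blocked from new installs, and optionally turns on allowlisting by blocking everything not explicitly allowed. It assumes the JSON file form of Chrome policy (a file under `/etc/opt/chrome/policies/managed/` on Linux); on Windows the same keys are set through the registry or GPO, and the `blocked_install_message` text is made up.

```python
import json
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Extension IDs named in the report.
MALICIOUS_EXTENSION_IDS = [
    "lfjbffniigfppmjgljbijdohnnekpdae",  # DataByCloud 2
    "dcdfcdigcalagpeoojgnaeaibphimepf",  # Tool Access 11
    "ohgbakjjcfcbkihohlklcfijlpbbjimc",  # DataByCloud Access
    "fffijllacnghojlghnffhehloockfbak",  # Data By Cloud 1
    "knoedgofjnaekopeocjimgbbnhmjebgj",  # Software Access
]


def build_chrome_policy(blocked_ids, allowed_ids=(), default_blocked=True):
    """Return a Chrome managed-policy document as a dict.
    ExtensionInstallBlocklist only prevents new installs. ExtensionSettings
    with installation_mode "removed" also uninstalls copies already present,
    which matters because Web Store removal leaves existing installs alone.
    """
    bad = [i for i in (*blocked_ids, *allowed_ids) if not EXTENSION_ID_RE.match(i)]
    if bad:
        raise ValueError(f"not a valid extension ID: {bad}")
    settings = {}
    if default_blocked:
        # Allowlisting: anything not explicitly allowed is blocked by default.
        settings["*"] = {
            "installation_mode": "blocked",
            "blocked_install_message": "Extensions must be approved by IT security.",
        }
    for ext_id in allowed_ids:
        settings[ext_id] = {"installation_mode": "allowed"}
    for ext_id in blocked_ids:  # applied last so a blocked ID always wins
        settings[ext_id] = {"installation_mode": "removed"}
    policy = {"ExtensionInstallBlocklist": list(blocked_ids), "ExtensionSettings": settings}
    if allowed_ids:
        policy["ExtensionInstallAllowlist"] = list(allowed_ids)
    return policy


def policy_json(blocked_ids, allowed_ids=()):
    """Serialise for a file under /etc/opt/chrome/policies/managed/ (Linux)."""
    return json.dumps(build_chrome_policy(blocked_ids, allowed_ids), indent=2)


if __name__ == "__main__":
    print(policy_json(MALICIOUS_EXTENSION_IDS))
```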
For affected users
| Step | Action |
|---|---|
| 1 | Check chrome://extensions for listed extension IDs |
| 2 | Remove immediately if found |
| 3 | Rotate passwords for Workday, NetSuite, SuccessFactors |
| 4 | Review account activity for unauthorized access |
| 5 | Report to IT security team |
| 6 | Check for unexpected session activity |
For platform administrators
| Priority | Action |
|---|---|
| High | Audit authentication logs for simultaneous sessions |
| High | Check for geographically inconsistent access |
| High | Force password resets from clean systems |
| High | Review trusted device registrations |
| Medium | Remove unrecognized devices registered during attack window |
| Ongoing | Monitor for unusual administrative access patterns |
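A detection for the first item in that table, as an added example that is not from Socket's report: it replays authentication events and flags any login that overlaps a still-open session of the same user from a different IP, the footprint a replayed or injected session cookie leaves while the legitimate user is also signed in. The log lines are constructed sample data in a made-up `key=value` format; real Workday, NetSuite or SuccessFactors audit exports have their own formats and need their own parser.

```python
import re
from collections import defaultdict

# Constructed sample log in a made-up key=value format (assumption: real
# Workday/NetSuite/SuccessFactors audit exports differ and need their own parser).
SAMPLE_AUTH_LOG = """\
2026-01-18T08:55:02Z event=login user=alice session=a1 ip=203.0.113.5
2026-01-18T09:01:40Z event=login user=bob session=b1 ip=203.0.113.9
2026-01-18T09:02:11Z event=login user=alice session=a2 ip=198.51.100.77
2026-01-18T09:30:00Z event=logout user=bob session=b1 ip=203.0.113.9
2026-01-18T09:31:05Z event=login user=bob session=b2 ip=203.0.113.9
2026-01-18T10:05:43Z event=page user=alice session=a2 path=/admin/security
2026-01-18T10:10:00Z event=login user=bob session=b3 ip=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>login|logout) user=(?P<user>\S+) "
    r"session=(?P<session>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for login/logout lines, None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_overlapping_sessions(log_text):
    """Flag each login that overlaps a still-open session of the same user
    from a different IP. Lines are assumed to be in chronological order.
    Returns (user, new_session, new_ip, existing_session, existing_ip, ts).
    """
    active, alerts = defaultdict(dict), []  # active: user -> {session_id: ip}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a login/logout event
        sessions = active[rec["user"]]
        if rec["event"] == "logout":
            sessions.pop(rec["session"], None)
            continue
        for other_session, other_ip in sessions.items():
            if other_ip != rec["ip"]:
                alerts.append((rec["user"], rec["session"], rec["ip"],
                               other_session, other_ip, rec["ts"]))
        sessions[rec["session"]] = rec["ip"]  # open the new session last
    return alerts
```

Sessions with no logout event stay open for the whole replay, so on a long export add an idle timeout before treating a stale session as still active.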
Indicators of compromise
Extension IDs to block
lfjbffniigfppmjgljbijdohnnekpdae
dcdfcdigcalagpeoojgnaeaibphimepf
ohgbakjjcfcbkihohlklcfijlpbbjimc
fffijllacnghojlghnffhehloockfbak
knoedgofjnaekopeocjimgbbnhmjebgj
Publisher to flag
databycloud1104
C2 domain
api[.]databycloud[.]com
Context
This campaign reflects the growing trend of threat actors targeting enterprise SaaS platforms through browser-based attacks rather than traditional endpoint malware. As organizations move critical business functions to cloud platforms like Workday and NetSuite, the browser becomes the primary attack surface.
The combination of cookie theft for credential access, DOM manipulation to prevent remediation, and session injection for direct takeover represents a sophisticated multi-pronged attack against enterprise HR and financial systems.
Organizations should treat browser extension management with the same rigor applied to endpoint software deployment—implementing allowlisting, monitoring, and centralized policy enforcement. The 2,300+ affected users demonstrate that Chrome Web Store presence alone is not sufficient vetting for enterprise deployment.