Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts

Brownie2019 (Thread author)
Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts.

"The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking," Socket security researcher Kush Pandya said in a Thursday report.
Full Article:
This report is describing a fairly common (and effective) account-takeover pattern: a “legit-looking” Chrome extension that targets enterprise users, then steals session/authentication tokens so the attacker can hijack an already-authenticated session (often bypassing MFA because the attacker is reusing the existing session).

What this kind of extension typically does
  • Impersonates well-known business portals (HR/ERP) to get installed by employees
  • Requests broad permissions (read/modify website data, access cookies/storage, intercept requests)
  • Steals session tokens/cookies and uses them to take over accounts via session hijacking
  • May try to hinder response (blocking access to security pages, logging out defenders, interfering with IR steps)

If you suspect one of these extensions was installed (individual or small business)
  • Remove the extension immediately (Chrome menu → Extensions), then fully restart Chrome.
  • Sign out of affected services and force sign-out of other sessions (Workday/NetSuite/SuccessFactors/SSO portal). If you can’t find a “sign out all sessions” option, change the password anyway (it often invalidates sessions or triggers re-auth).
  • Change passwords for the affected identity provider/SSO account first (Microsoft/Google/Okta/etc.), then the downstream app accounts.
  • Revoke active sessions and connected apps/OAuth grants in your identity provider (this is important if tokens were stolen).
  • Clear browser site data for the affected domains (cookies/storage), because session hijacking relies on those artifacts.
  • Run a full scan with a reputable AV (and if this is a managed device, notify IT/security). This doesn’t “prove” the extension is gone, but it’s a standard safety step.

If you’re an organization/IT admin (prevention + containment)
  • Use Chrome Enterprise policies: extension allowlisting (and block all others), block Developer Mode, and prevent users from sideloading extensions.
  • Monitor for new extension installs and unusual permission requests (especially “Read and change all your data on all websites”).
  • Treat as an identity incident: revoke sessions/tokens at the IdP level, review sign-in logs, and hunt for suspicious OAuth app consents.
  • Consider stronger phishing/session-resistance controls (FIDO2/security keys, Conditional Access, device compliance checks). Note: session hijacking can still be tough, so token/session revocation and device controls matter.

Key takeaway
If an attacker gets session tokens via a malicious extension, “changing the password later” may not be enough unless sessions/tokens are actively revoked. The fastest safe response is: remove extension → revoke sessions/tokens → rotate credentials → review sign-in logs.
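The "allowlist extensions and block all others" advice above, and the later recommendation in this thread to block the five extension IDs and restrict installs to the Chrome Web Store, both come down to one Chrome managed-policy file. The generator below is an added example for this thread, not code from Socket, The Hacker News or Google. The policy names it emits (ExtensionInstallBlocklist, ExtensionInstallAllowlist, ExtensionInstallSources, DeveloperToolsAvailability) are real Chrome policies and the five IDs are the ones from the IOC section of this thread; the allowlisted "abcdefgh..." ID used in the docstring and the Linux output path are constructed for illustration. It also validates the ID format, because a mistyped ID in a blocklist blocks nothing and nobody notices.

```python
"""Chrome managed-policy generator for the extension IOCs in this thread.

Added example, not code from Socket, The Hacker News or Google. Policy names are
real Chrome policies; the output path and the allowlisted demo ID are constructed.
"""
import json
import re

# The five extension IDs from the IOC section of this thread.
MALICIOUS_EXTENSION_IDS = {
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "DataByCloud 1",
    "makdmacamkifdldldlelollkkjnoiedg": "DataByCloud 2",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}

# A Chrome extension ID is exactly 32 characters from the alphabet a-p (the hex
# digits 0-f of the publisher-key hash mapped onto a-p). Anything else is a typo,
# and a typo in a blocklist silently blocks nothing.
EXTENSION_ID_RE = re.compile(r"[a-p]{32}")


def validate_extension_id(ext_id):
    """True only for a well-formed Chrome extension ID."""
    return EXTENSION_ID_RE.fullmatch(ext_id) is not None


def allowlist_conflicts(block_ids, allow_ids):
    """IDs that appear on both lists. Refuse to emit such a policy rather than
    rely on which list Chrome honours for that ID."""
    return set(block_ids) & set(allow_ids)


def build_chrome_policy(block_ids, allow_ids=(), allowlist_only=False):
    """Return a dict in Chrome's managed-policy JSON layout.

    allowlist_only=True is the 'allowlist and block all others' posture: the
    blocklist becomes ["*"] plus the named IDs, and only allow_ids (for the demo,
    a constructed "abcdefghijklmnopabcdefghijklmnop") can be installed.
    """
    bad = [i for i in list(block_ids) + list(allow_ids) if not validate_extension_id(i)]
    if bad:
        raise ValueError("malformed extension IDs: " + ", ".join(bad))
    conflicts = allowlist_conflicts(block_ids, allow_ids)
    if conflicts:
        raise ValueError("on both block and allow lists: " + ", ".join(sorted(conflicts)))

    blocklist = ["*"] if allowlist_only else []
    # Keep the named IDs even under "*" so the intent stays auditable in the file.
    blocklist += sorted(block_ids)
    policy = {
        "ExtensionInstallBlocklist": blocklist,
        # An empty list adds no install sources beyond the Chrome Web Store (the
        # default); it is written explicitly so a later edit cannot quietly add one.
        "ExtensionInstallSources": [],
        # 2 = DevTools disallowed; this also disables Developer mode on
        # chrome://extensions, the usual route for sideloaded .crx/unpacked
        # extensions. Confirm the behaviour on the Chrome version you deploy.
        "DeveloperToolsAvailability": 2,
    }
    if allowlist_only:
        policy["ExtensionInstallAllowlist"] = sorted(allow_ids)
    return policy


def render_policy_json(policy):
    """Serialised form Chrome reads from a managed policy file, for example
    /etc/opt/chrome/policies/managed/extensions.json on Linux (example path)."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    print(render_policy_json(build_chrome_policy(MALICIOUS_EXTENSION_IDS)))
```

Deploy the JSON through whatever already manages your Chrome fleet (GPO/ADMX on Windows, the managed policies directory on Linux/macOS, or the Google Admin console); the file content is the same in each case.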

Sources
 
Indicators of Compromise (IOCs)

Extension IDs
Ensure these IDs are explicitly blocked in your Google Admin Console (Device Management > Chrome > Apps & extensions).

oldhjammhkghhahhhdcifmmlefibciph (DataByCloud Access)
ijapakghdgckgblfgjobhcfglebbkebf (Tool Access 11)
mbjjeombjeklkbndcjgmfcdhfbjngcam (DataByCloud 1)
makdmacamkifdldldlelollkkjnoiedg (DataByCloud 2)
bmodapcihjhklpogdpblefpepjolaoij (Software Access)

Network Indicators (C2 Infrastructure)
Refang and block the following domains at the web gateway/proxy level.

api.databycloud[.]com (Exfiltration endpoint, beaconing every 60 seconds)
api.software-access[.]com (Cookie injection payload source)
workdaysuv[.]com (Targeting sandbox environments)

Behavioral Signatures

Admin Lockout

The extensions actively monitor page titles. If a user navigates to administrative pages (e.g., authentication management, proxy config), the extension erases page content or redirects the user.

Counter-Surveillance
The malware scans for the presence of 23 known security/developer extensions (e.g., EditThisCookie, Burp, Metamask) to determine if it is being analyzed.

Recommendation / Remediation

Immediate Containment (Identity Level)

Removal of the extension is insufficient. You must revoke all active sessions and refresh tokens for affected users at the Identity Provider level (Okta, Entra ID, Google Workspace).

Reset passwords for Workday, NetSuite, and SuccessFactors accounts accessed by the infected host.

Fleet-Wide Hunting
Query your EDR or SIEM for browser process command lines containing the Extension IDs listed above.

Review proxy logs for traffic to api.databycloud[.]com.

Policy Enforcement

Block Third-Party Stores

While removed from the official Chrome Web Store, these extensions remain available on third-party sites like Softonic. Enforce policies that restrict extension installation sources solely to the Chrome Web Store.

Permission Auditing
Review extensions requesting broad permissions such as declarativeNetRequest or "Read and change all your data on all websites".

References

MITRE ATT&CK T1176: Browser Extensions
MITRE ATT&CK T1539: Steal Web Session Cookie

Source
The Hacker News / Socket Research
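The fleet-wide hunting and permission-auditing steps in the post above can be scripted. The following is an added example for this thread, not Socket's or The Hacker News' code. It looks for the five extension IDs where Chrome reliably records every installed extension, the profile's Extensions directory (<profile>/Extensions/<id>/<version>/manifest.json), flags any manifest that asks for broad host access or session-relevant permissions such as cookies or declarativeNetRequest, and scans proxy log lines for the three C2 domains, reporting the gap between successive hits so the 60-second beacon to api.databycloud[.]com stands out. The manifests and log lines in run_demo() are constructed; the log layout assumed is Squid's native access.log format.

```python
"""Fleet-hunting helpers for the extension and domain IOCs in this thread.

Added example for this thread, not Socket's or The Hacker News' code. Sample
manifests and proxy lines are constructed; Squid-native log layout is assumed.
"""
import json
import os
import tempfile
from urllib.parse import urlparse

IOC_EXTENSION_IDS = {
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "DataByCloud 1",
    "makdmacamkifdldldlelollkkjnoiedg": "DataByCloud 2",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}
# Refanged from the [.] form in the IOC list.
IOC_DOMAINS = {"api.databycloud.com", "api.software-access.com", "workdaysuv.com"}

BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension read or rewrite sessions and traffic.
SESSION_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
                       "declarativeNetRequestWithHostAccess", "scripting", "debugger"}


def audit_manifest(manifest):
    """Reasons a manifest deserves review; an empty list means nothing broad."""
    perms = set(manifest.get("permissions", []))
    # MV2 puts host match patterns under "permissions", MV3 under "host_permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    reasons = []
    if hosts & BROAD_HOST_PATTERNS:
        reasons.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOST_PATTERNS)))
    if perms & SESSION_PERMISSIONS:
        reasons.append("session/traffic permissions: " + ", ".join(sorted(perms & SESSION_PERMISSIONS)))
    return reasons


def hunt_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; one finding per issue."""
    findings = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        for version in sorted(os.listdir(id_dir)) if os.path.isdir(id_dir) else []:
            manifest_path = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            base = {"id": ext_id, "version": version, "name": manifest.get("name", "?")}
            if ext_id in IOC_EXTENSION_IDS:
                findings.append(dict(base, kind="ioc", detail=IOC_EXTENSION_IDS[ext_id]))
            for reason in audit_manifest(manifest):
                findings.append(dict(base, kind="permissions", detail=reason))
    return findings


def _host_of(url):
    # CONNECT lines carry "host:port"; other methods carry a full URL.
    if "://" not in url:
        return url.split(":", 1)[0].lower()
    return (urlparse(url).hostname or "").lower()


def hunt_proxy_log(lines):
    """Hits on the C2 domains (or subdomains) from Squid-native lines:
    timestamp elapsed client code/status bytes method url ident peer type."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        host = _host_of(fields[6])
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append({"ts": float(fields[0]), "client": fields[2], "host": host, "line": line.strip()})
    return hits


def beacon_intervals(hits):
    """Seconds between consecutive hits per (client, host); a steady ~60 s is the beacon."""
    by_key = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_key.setdefault((h["client"], h["host"]), []).append(h["ts"])
    return {k: [round(b - a, 3) for a, b in zip(ts, ts[1:])] for k, ts in by_key.items()}


# Constructed sample data: one IOC extension, one benign-looking extension, and four
# Squid-native proxy lines (two beacons 60 s apart plus a payload fetch).
SAMPLE_MANIFESTS = {
    ("oldhjammhkghhahhhdcifmmlefibciph", "1.0.2_0"): {
        "name": "DataByCloud Access", "manifest_version": 3,
        "permissions": ["cookies", "declarativeNetRequest", "storage"], "host_permissions": ["<all_urls>"]},
    ("abcdefghijklmnopabcdefghijklmnop", "2.1_0"): {
        "name": "Constructed Benign Extension", "manifest_version": 3,
        "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
}
SAMPLE_PROXY_LOG = """\
1700000000.123 45 10.0.0.15 TCP_TUNNEL/200 512 CONNECT api.databycloud.com:443 - HIER_DIRECT/203.0.113.10 -
1700000000.456 12 10.0.0.15 TCP_MISS/200 2048 GET https://www.workday.com/ - HIER_DIRECT/198.51.100.5 text/html
1700000060.130 41 10.0.0.15 TCP_TUNNEL/200 498 CONNECT api.databycloud.com:443 - HIER_DIRECT/203.0.113.10 -
1700000061.000 20 10.0.0.22 TCP_MISS/200 900 GET http://api.software-access.com/payload.js - HIER_DIRECT/203.0.113.11 application/javascript
"""


def run_demo():
    """Build a throwaway profile from SAMPLE_MANIFESTS, then hunt it and the sample log."""
    with tempfile.TemporaryDirectory() as profile:
        for (ext_id, version), manifest in SAMPLE_MANIFESTS.items():
            d = os.path.join(profile, "Extensions", ext_id, version)
            os.makedirs(d)
            with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        profile_findings = hunt_profile(profile)
    proxy_hits = hunt_proxy_log(SAMPLE_PROXY_LOG.splitlines())
    return {"profile": profile_findings, "proxy": proxy_hits, "intervals": beacon_intervals(proxy_hits)}


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section, items)
```

Point hunt_profile at each real profile directory on an endpoint (on Windows that is under %LOCALAPPDATA%\Google\Chrome\User Data\, one directory per profile) and feed hunt_proxy_log your gateway's access log; only the field positions need changing if your proxy does not write Squid-native lines.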
 
Cybersecurity researchers have discovered malicious Google Chrome extensions that come with capabilities to hijack affiliate links, steal data, and collect OpenAI ChatGPT authentication tokens.
One of the extensions in question is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), which claims to be a tool to browse Amazon without any sponsored content. It was uploaded to the Chrome Web Store by a publisher named "10Xprofit" on January 19, 2026.
"The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer's affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators," Socket security researcher Kush Pandya said.
Further analysis has determined that Amazon Ads Blocker is part of a larger cluster of 29 browser add-ons that target several e-commerce platforms like AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart.

The complete list is as follows
Full Story: