Five Chrome extensions that promised productivity and ended up stealing corporate sessions

Published · 5 min read

In recent weeks several malicious Google Chrome extensions have surfaced that pose as productivity tools for human resources and ERP platforms such as Workday, NetSuite or SuccessFactors. Security researchers at Socket identified five add-ons that, although promoted as utilities for getting at premium features, hide capabilities designed to steal sessions and to block any response attempt by security teams.

The identified extensions carry names such as DataByCloud Access, DataByCloud 1, DataByCloud 2, Tool Access 11 and Software Access, with several versions published under one or two different publishers. Some accumulated several hundred or several thousand installs before Google removed most of them from the official store; however, some installers persisted in third-party repositories, which raises the risk that users and companies without adequate software controls end up running them. Socket's technical report describes in detail how they work and why they are particularly dangerous: Socket analysis.


The central technique these extensions use is the abuse of authentication cookies: they collect session cookies for specific domains tied to corporate services and send them at regular intervals to servers controlled by the attackers. In some cases this is complemented by the reverse capability: receiving cookies from a remote server and injecting them into the attacker's browser to take over the victim's session directly. This "injection" mechanism lets the attacker operate under the same identity as the affected person without ever knowing their password, which Socket documents as an efficient method of account hijacking.

But the threat does not stop at passive credential theft. Several of these extensions manipulate the Document Object Model (DOM) of critical administrative pages to prevent security teams from reaching account management options, such as password changes, session control, security proxy settings or allowed IP lists. By deleting or redirecting the content of administrative pages, the extensions can neutralize the very controls that would let an administrator revoke compromised sessions or close unwanted access paths. The result is a longer exposure window, in which attackers not only steal access but also hinder remediation from the same environment that is supposed to protect it.

Researchers also observed techniques intended to complicate code inspection by administrators: some extensions bundled libraries that try to disable the browser's developer tools, with the aim of concealing their operation and making manual analysis harder. The open source project used in this case, known as DisableDevtool, is publicly available on GitHub and explains how this inspection-blocking layer works: DisableDevtool on GitHub.

A key detail pointing to a coordinated operation is the presence, in all of the extensions, of the same list of identifiers of other security extensions, tools designed precisely to manipulate or audit cookies, headers or sessions. This list acts as an inventory that lets the attackers detect whether the victim's browser contains utilities that could interfere with their actions, and presumably adapt their behaviour to avoid being detected. The repetition of this pattern suggests either that the same actor published the different extensions under different names, or that a common toolkit is in the hands of several operators.

Among the technical differences observed, the extension called Software Access stands out for its sophistication: in addition to stealing cookies, it can receive cookies from its command-and-control server, delete the existing ones and write the new ones into the target browser through the Chrome cookies API. The attacker thereby imports the victim's authentication state into their own browser and can operate as if they were that person. It also adds protections around password input fields to make manual review harder.

Although Google removed most of these extensions from the Chrome Web Store after the alerts, their presence on external sites leaves a residual risk. For anyone who uses company-managed browsers or reaches critical services through the browser, this episode is a reminder that extensions, unlike native applications, have a level of access to web activity that makes them very valuable targets. Google and other security actors have been insisting for years on the need to manage and audit installed extensions; Google's official documentation on reviewing and removing extensions serves as a basic guide for users: How to Remove Extensions in Chrome.


What practical steps should be taken right now? First, immediately remove any suspicious extension, and any of those named in the reports. Next, force sign-out of all sessions on critical services and change passwords, especially if the browser was used to reach business accounts. Multifactor authentication (2FA) is an important brake, but not an infallible one if the attacker can inject valid cookies; it is therefore also prudent to review the access logs of the platforms in use (many services list recent active sessions and IP addresses) and to revoke any session you do not recognize. In corporate environments the response should include reviewing the affected devices, rotating service account credentials and blocking the extensions from central administration where possible.

This case shows that browser security is now an essential part of corporate cyberdefence. It is not just a matter of avoiding malicious extensions, but of setting up controls that audit and limit which extensions can be installed, using centralized extension management policies and maintaining a reliable software inventory. For IT professionals and security officers, the guides and recommendations of vendors and incident response centres are a useful reference when responding to compromises of this kind. Socket offers a technical analysis and samples that let readers dig deeper into the techniques observed: read the Socket report.

In short, browser extensions are very convenient, but they can also be powerful weapons in the wrong hands. Maintaining strict digital hygiene, limiting extensions to those strictly necessary and keeping security controls on workstations and corporate browsers are measures that significantly reduce the risk of a single click turning into a far-reaching intrusion.
