"The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking," stated Socket security researcher Kush Pandya in a report published on Thursday. Cybersecurity researchers have found five new malicious Google Chrome web browser extensions that pose as HR and ERP platforms like Workday, NetSuite, and SuccessFactors in order to take control of victim accounts.
The extensions are named as follows:

- DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph, Published by: databycloud1104), 251 Installs
- Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf, Published by: databycloud1104), 101 Installs
- DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam, Published by: databycloud1104), 1,000 Installs
- DataByCloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg, Published by: databycloud1104), 1,000 Installs
- Software Access (ID: bmodapcihjhklpogdpblefpepjolaoij, Published by: Software Access), 27 Installs

As of this writing, all of them, aside from Software Access, have been taken down from the Chrome Web Store. Nevertheless, third-party software download websites like Softonic continue to offer them. The add-ons are marketed as productivity tools that provide access to high-end tools for various platforms, such as NetSuite, Workday, and others.
Furthermore, the fact that all five extensions have a similar extension ID list raises two possibilities: either a common toolkit or the work of the same threat actor who has published them under different publishers. It is recommended that Chrome users who have installed any of the aforementioned add-ons uninstall them from their browsers, reset their passwords, and keep an eye out for any indications of unauthorized access from unknown IP addresses or devices. According to Socket, "the combination of persistent credential theft, administrative interface blocking, and session hijacking creates a scenario where security teams can detect unauthorized access but cannot remediate through normal channels."
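To act on the uninstall recommendation across many machines, the check below looks for the five listed extension IDs in every Chrome profile on a host. It is an added example, not code from Socket or the original report; it assumes Chrome's default user-data locations and its `<profile>/Extensions/<id>/<version>/manifest.json` layout, and the function names are this example's own.

```python
import json, os, sys
from pathlib import Path

# Extension IDs and names exactly as listed in the article above.
FLAGGED_IDS = {
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "DataByCloud 1",
    "makdmacamkifdldldlelollkkjnoiedg": "DataByCloud 2",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}

def default_user_data_dirs():
    """Chrome's standard user-data locations on macOS, Linux and Windows."""
    home = Path.home()
    dirs = [home / "Library/Application Support/Google/Chrome",
            home / ".config/google-chrome"]
    if os.environ.get("LOCALAPPDATA"):
        dirs.append(Path(os.environ["LOCALAPPDATA"]) / "Google/Chrome/User Data")
    return [d for d in dirs if d.is_dir()]

def find_flagged(user_data_dir):
    """Return one record per flagged extension version found in any profile."""
    hits = []
    # Profiles ("Default", "Profile 1", ...) each hold an Extensions/<id>/ tree.
    for ext_dir in sorted(Path(user_data_dir).glob("*/Extensions/*")):
        ext_id = ext_dir.name.lower()
        if ext_id not in FLAGGED_IDS or not ext_dir.is_dir():
            continue
        # An ID directory with no manifest is still reported (version None).
        for manifest in sorted(ext_dir.glob("*/manifest.json")) or [None]:
            version, permissions = None, None
            try:
                if manifest is not None:
                    data = json.loads(manifest.read_text(encoding="utf-8-sig"))
                    version = data.get("version")
                    permissions = data.get("permissions", [])
            except (OSError, ValueError, AttributeError):
                pass  # unreadable or malformed manifest: keep the ID match
            hits.append({"profile": ext_dir.parent.parent.name, "id": ext_id,
                         "listed_as": FLAGGED_IDS[ext_id],
                         "version": version, "permissions": permissions})
    return hits

if __name__ == "__main__":
    roots = sys.argv[1:] or default_user_data_dirs()
    found = [h for root in roots for h in find_flagged(root)]
    for h in found:
        print(f"{h['profile']}: {h['listed_as']} ({h['id']}) version={h['version']}")
    sys.exit(1 if found else 0)  # non-zero exit lets fleet tooling flag the host
```

Run it with no arguments to scan the current user's default Chrome data directory, or pass one or more user-data directory paths (for example, from a mounted disk image).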











