
Recently, cybersecurity firm Socket disclosed an attack campaign that enterprises should treat as a high-priority warning: attackers distributed malicious browser extensions through the Chrome Web Store, disguising them as “productivity tools” or “security enhancement tools,” with a focus on commonly used HR and ERP platforms such as Workday, NetSuite, and SAP SuccessFactors.
On the surface, the campaign did not rack up a huge number of installs (around 2,300). But the risk pattern is classic—and dangerous: what gets stolen is not an ordinary account, but valid sessions and, potentially, administrative capability for critical enterprise systems. Once attackers gain access to HR/ERP platforms, the situation can rapidly escalate into large-scale data theft, financial fraud, and even ransomware pre-positioning.
What makes this type of incident most hazardous is the asymmetry: the entry point looks like “just a browser extension,” but what gets compromised may be the company’s most mission-critical business systems.
Socket identified five malicious Chrome extensions aimed primarily at Workday, NetSuite, and SAP SuccessFactors. Although uploaded by different publishers, they shared the same infrastructure, code patterns, and targets—strong indicators of a coordinated attack chain.
Their capabilities fall into three main categories (each highly destructive for enterprises):
Stealing authentication cookies (session tokens) and exfiltrating them
Blocking or breaking security/admin pages to prevent incident response
Bi-directional cookie injection to enable direct session hijacking (the most dangerous)
In this incident, two notable extensions were Data By Cloud 2 and Tool Access 11. They were packaged as “bulk management tools” or “enhanced security controls,” which can easily appear legitimate—especially to enterprise users looking for efficiency add-ons.
Once installed, they continuously stole an authentication cookie named “__session” (containing a valid login token) and sent it to the attackers’ command-and-control (C2) server every 60 seconds.
This means:
Attackers are not collecting “username + password,” but a reusable active authenticated session. In many systems, as long as the session remains valid, attackers can operate without triggering obvious login anomalies.
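The fixed 60-second upload cadence described above is itself a detection opportunity. The following is an added example, not code from Socket's report or from the extensions themselves: it runs a periodicity check over constructed proxy-log lines, and the log format, hosts, addresses and thresholds are assumptions.

```python
"""Flag browser egress that POSTs to one host at a steady, low-jitter interval."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log, one event per line: "<ISO timestamp> <client> <method> <host> <bytes>".
# Hosts use the reserved .invalid TLD; nothing here is a real indicator.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.1.2.3 GET hr.example-tenant.invalid 8120
2024-05-01T09:00:04 10.1.2.3 POST c2.placeholder.invalid 512
2024-05-01T09:01:04 10.1.2.3 POST c2.placeholder.invalid 514
2024-05-01T09:01:30 10.1.2.3 GET cdn.example.invalid 20480
2024-05-01T09:02:04 10.1.2.3 POST c2.placeholder.invalid 510
2024-05-01T09:03:04 10.1.2.3 POST c2.placeholder.invalid 512
2024-05-01T09:04:04 10.1.2.3 POST c2.placeholder.invalid 513
2024-05-01T09:00:10 10.1.2.9 POST hr.example-tenant.invalid 3000
2024-05-01T09:00:55 10.1.2.9 POST hr.example-tenant.invalid 1200
2024-05-01T09:03:12 10.1.2.9 POST hr.example-tenant.invalid 900
"""


def parse_posts(log):
    """Group POST events by (client, host); GETs are ignored because the
    exfiltration described in the report is an upload."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, client, method, host, size = line.split()
        if method == "POST":
            events[(client, host)].append((datetime.fromisoformat(ts), int(size)))
    return events


def find_beacons(log, period=60.0, tolerance=5.0, min_events=4):
    """Return (client, host, median_gap_s, jitter_s) for every client/host
    pair whose POST inter-arrival times cluster tightly around `period`.

    Human-driven traffic (the 10.1.2.9 user saving HR records) has irregular
    gaps and too few events; a timer-driven uploader does not."""
    hits = []
    for (client, host), evs in parse_posts(log).items():
        evs.sort()
        if len(evs) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        med, jitter = median(gaps), pstdev(gaps)
        if abs(med - period) <= tolerance and jitter <= tolerance:
            hits.append((client, host, med, jitter))
    return hits
```

In production the same check is run per (client, host) over a sliding window of egress logs; an allowlist of known SaaS hosts keeps legitimate heartbeat traffic out of the alert queue.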
More alarming is that these malicious extensions didn’t just steal data—they actively prevented administrators from taking security actions.
Tool Access 11 targeted about 44 admin pages
Data By Cloud 2 expanded coverage to about 56 admin pages
These blocked pages are typically the entry points for critical security controls, such as:
Authentication policies, password policies, MFA device management, security audit logs, and permission configurations.
The technique is not complex, but it’s highly effective: the extension checks the page title, then clears content, blocks loading, or redirects the user—making it look like a “page error,” when in fact it’s malicious script interference.
In one sentence: it’s not only stealing the keys—it’s dismantling the alarm system.
The most threatening component in the chain was an extension called Software Access, which implemented bi-directional cookie manipulation:
It steals session cookies and uploads them
It also pulls stolen cookies from the attacker’s server and injects them directly into the browser
This leads to an extremely serious outcome:
Attackers may not need a username, password, or MFA code at all—they can directly hijack an authenticated session and take over accounts immediately.
For enterprises, this is especially effective at bypassing traditional defenses:
You may have MFA and strong passwords, but a hijacked session can still bypass them.
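One server-side counter to the hijack described above is to bind a session to the client context that completed MFA, and to demand step-up authentication when the same token is presented from a different context. This is an added example, not code from Workday, NetSuite or SAP SuccessFactors; the fingerprint fields, token values and policy decisions are assumptions.

```python
"""Bind sessions to the client context seen at login and flag replayed tokens."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    fingerprint: str                        # context that completed MFA
    suspect_contexts: set = field(default_factory=set)


def fingerprint(ip: str, user_agent: str) -> str:
    """Coarse binding on purpose: the /24 network plus user agent, so a user
    moving between desks on one office network is not challenged."""
    network = ip.rsplit(".", 1)[0]
    return hashlib.sha256(f"{network}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self.sessions = {}
        self.alerts = []

    def login(self, token, user, ip, ua):
        """Called only after password + MFA succeed for this context."""
        self.sessions[token] = Session(user, fingerprint(ip, ua))

    def check(self, token, ip, ua) -> str:
        """Return 'allow', 'step_up' or 'deny' for a request carrying `token`.

        A valid token arriving from a context other than the one that passed
        MFA is exactly what a stolen, re-injected cookie looks like. The
        original context keeps working; the new one must complete MFA again,
        which a cookie thief without the second factor cannot do."""
        s = self.sessions.get(token)
        if s is None:
            return "deny"
        fp = fingerprint(ip, ua)
        if fp == s.fingerprint:
            return "allow"
        s.suspect_contexts.add(fp)
        self.alerts.append((s.user, token, "session token used from new client context"))
        return "step_up"

    def revoke_user(self, user) -> int:
        """Incident response: invalidate every session for a user at once."""
        doomed = [t for t, s in self.sessions.items() if s.user == user]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)
```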
These extensions have reportedly been flagged to Google and removed, but the core lesson remains: “official stores” are not inherently safe.
This incident involved a modest number of installations, yet directly targeted HR/ERP core systems—proof that attackers are no longer only chasing traditional server vulnerabilities. Instead, they are shifting toward overlooked “toolchain” entry points: browser extensions, plugins, and session tokens.
For enterprises, real security is not “installing more tools,” but building a governable and auditable system that covers identity, sessions, endpoints, and SaaS access.
Sinokap will continue tracking global threat trends and providing end-to-end support—from endpoint management and identity/privilege governance to security monitoring and incident response—to help customers reduce supply-chain risk and strengthen business continuity.
In past projects, Sinokap successfully helped numerous corporate clients identify and eliminate phishing emails and malware. These case studies highlight our expertise in addressing information security threats:
We regularly assist clients in identifying and containing network attacks that began with an employee mistakenly opening a phishing email. Through rapid response and blocking of malicious links, we ensure that company data remains secure. Additionally, we provide phishing email recognition training for employees to reduce the occurrence of similar incidents in the future.
Sinokap helps companies quickly clean infected devices, restoring normal business operations. We also conduct regular security drills and training to raise employee awareness of various cyberattacks.
Not only have we helped clients effectively respond to urgent security issues, but we also provide long-term information security solutions. Sinokap’s IT outsourcing services and information security expert team are always by your side, ensuring the safety of your business data and operations.