Malicious Chrome Extensions Target Workday and ERP Systems

Recently, cybersecurity company Socket disclosed a highly concerning attack campaign targeting enterprises. Attackers distributed malicious browser extensions through the Chrome Web Store, disguising them as “productivity tools” or “security enhancement utilities.” Their primary targets were widely used HR and ERP platforms, including Workday, NetSuite, and SAP SuccessFactors.

At first glance, the campaign appeared limited in scope, with only around 2,300 installations. However, the risk was significant and highly asymmetric: the attackers were not stealing ordinary user credentials, but active authenticated sessions and administrative-level access to critical enterprise systems. Once attackers gain access to HR or ERP platforms, the consequences can escalate rapidly—ranging from large-scale data theft and financial fraud to serving as an entry point for ransomware operations.

What Happened? Five Malicious Extensions Acting in Coordination

Socket identified five malicious Chrome extensions specifically targeting Workday, NetSuite, and SAP SuccessFactors. Although these extensions were published under different developer identities, they shared the same infrastructure, code patterns, and objectives—strongly indicating a coordinated attack campaign.

The capabilities of these extensions can be grouped into three highly destructive categories:

  • Exfiltrating authentication cookies (session tokens)

  • Blocking or disabling security administration pages to prevent incident response

  • Bi-directional cookie injection enabling direct session hijacking (the most dangerous technique)

The Core Technique: Stealing Cookies Is More Dangerous Than Stealing Passwords

Two of the most notable extensions in this campaign were Data By Cloud 2 and Tool Access 11. They were marketed as “bulk management tools” or “enhanced security controls,” making them appear legitimate and attractive to enterprise users. Once installed, these extensions continuously extracted an authentication cookie named “__session”, which contains a valid login token for the targeted platforms. The stolen cookie was then transmitted to the attackers’ command-and-control (C2) server every 60 seconds.

This means attackers did not obtain “username + password,” but rather a fully authenticated session. In many enterprise systems, as long as the session remains valid, attackers can operate without triggering obvious authentication alerts or re-login challenges.
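The report notes that the stolen cookie was posted to the C2 server every 60 seconds. That cadence is a useful detection handle: a human browsing an HR portal does not produce uploads at near-constant intervals. The following is an added example (not from Socket's report or the extensions' code) that flags fixed-interval POST series per client and destination in proxy logs; the log format and all hostnames are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "timestamp client method host path" (not real traffic).
SAMPLE_LOG = """\
2025-01-10T09:00:00 10.0.0.5 GET  hr.example-saas.com /home
2025-01-10T09:00:03 10.0.0.5 POST sync.example-c2.invalid /api/v1/collect
2025-01-10T09:00:10 10.0.0.5 POST chat.example-saas.com /messages
2025-01-10T09:00:25 10.0.0.5 POST chat.example-saas.com /messages
2025-01-10T09:01:03 10.0.0.5 POST sync.example-c2.invalid /api/v1/collect
2025-01-10T09:02:04 10.0.0.5 POST sync.example-c2.invalid /api/v1/collect
2025-01-10T09:02:40 10.0.0.5 POST chat.example-saas.com /messages
2025-01-10T09:03:03 10.0.0.5 POST sync.example-c2.invalid /api/v1/collect
2025-01-10T09:03:50 10.0.0.5 POST chat.example-saas.com /messages
2025-01-10T09:04:03 10.0.0.5 POST sync.example-c2.invalid /api/v1/collect
2025-01-10T09:04:30 10.0.0.5 GET  hr.example-saas.com /reports
"""


def parse_log(log: str):
    """Yield (timestamp, client, method, host) from the whitespace-separated log."""
    for line in log.splitlines():
        if line.strip():
            ts, client, method, host, _path = line.split()
            yield datetime.fromisoformat(ts), client, method, host


def find_beacons(log: str, min_hits: int = 4, max_jitter: float = 0.05,
                 known_hosts: frozenset = frozenset()) -> dict:
    """Return {(client, host): mean_gap_seconds} for POST series whose gaps
    vary by at most max_jitter (standard deviation / mean)."""
    series = defaultdict(list)
    for ts, client, method, host in parse_log(log):
        if method == "POST" and host not in known_hosts:  # uploads only
            series[(client, host)].append(ts)
    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: POST every ~{gap}s")
```

The irregular `chat.example-saas.com` POSTs are not flagged even though they meet the hit count, so the jitter check rather than volume separates the beacon from ordinary SaaS chatter.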

A More Subtle Tactic: Blocking Security Admin Interfaces

Even more alarming, these malicious extensions did not stop at data theft—they actively prevented administrators from responding to security incidents.

  • Tool Access 11 targeted approximately 44 administrative pages

  • Data By Cloud 2 expanded coverage to around 56 administrative pages

These blocked pages typically included the most critical security controls, such as:

  • Authentication and password policies

  • MFA device management

  • Security audit logs

  • Privilege and access configuration

The attack technique itself was simple yet effective: the extension detected page titles and then either cleared page content, blocked loading, or redirected the user. To administrators, this appeared as a system malfunction, when in reality it was intentional interference by malicious scripts.

In short: the attacker was not only stealing the keys, but also disabling the alarm system.

The Most Dangerous Stage: Bi-Directional Cookie Injection and Instant Account Takeover

The most severe threat in this campaign came from an extension called Software Access, which implemented bi-directional cookie manipulation:

  • On one side, it stole session cookies and uploaded them to the attacker’s server

  • On the other, it received stolen cookies from the server and directly injected them into the victim’s browser

This enabled a critical outcome:
attackers could hijack authenticated sessions without requiring usernames, passwords, or MFA codes, achieving immediate account takeover.

For enterprises, this technique is particularly dangerous because it bypasses traditional defenses. Even organizations with strong passwords and MFA protections remain vulnerable if session integrity is compromised.

Although the malicious extensions have since been reported to Google and removed from the Chrome Web Store, the underlying lesson remains clear:
“Official app stores” do not guarantee absolute security.

What Should Enterprises Do? Expanding the Security Perimeter to Browser Extensions

This incident highlights a growing reality: supply chain attacks are becoming an everyday occurrence. Browser extensions, SaaS plugins, and lightweight tools can all serve as entry points into core enterprise systems.

Enterprises should consider the following actions:

  • Treat browser extensions as part of the enterprise security boundary

  • Enforce extension allowlists and restrict unauthorized installations

  • Apply stricter monitoring to sessions accessing HR, ERP, and financial systems

  • Investigate any unexplained inability to access security administration pages as a potential security incident
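Allowlisting works best when each candidate extension is reviewed for the permission combination the campaign above depended on: the `cookies` permission together with host access to the HR/ERP tenant (to read and set session cookies), and content scripts on those hosts (to blank or redirect admin pages). The following is an added triage helper, not code from Socket or the extensions; the manifests and the `SENSITIVE_HOSTS` list are constructed, and you would substitute your own tenant hostnames.

```python
# Constructed manifests (parsed manifest.json contents); not the real extensions' manifests.
MANIFESTS = {
    "tab_notes": {"manifest_version": 3, "permissions": ["storage"]},
    "bulk_admin_helper": {
        "manifest_version": 3,
        "permissions": ["cookies", "storage", "alarms"],
        "host_permissions": ["*://*.example-saas.com/*", "https://sync.example-c2.invalid/*"],
        "content_scripts": [{"matches": ["*://*.example-saas.com/*"], "js": ["cs.js"]}],
    },
    # Manifest V2 style: host patterns are listed inside "permissions".
    "own_site_helper": {"manifest_version": 2,
                        "permissions": ["cookies", "https://helper.example.org/*"]},
}

# Assumption: replace with the hostnames of your own HR / ERP tenants.
SENSITIVE_HOSTS = ["hr.example-saas.com", "erp.example-saas.com"]


def pattern_covers(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern grants access to `host`."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission such as "storage", not a host pattern
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):  # "*.example.com" covers the apex and subdomains
        return host == host_part[2:] or host.endswith(host_part[1:])
    return host == host_part


def covered(patterns, hosts) -> list:
    return sorted(h for h in hosts if any(pattern_covers(p, h) for p in patterns))


def triage(manifest: dict, sensitive_hosts) -> list:
    """Findings relevant to session theft and admin-page tampering on sensitive hosts."""
    perms = manifest.get("permissions", [])
    host_patterns = list(manifest.get("host_permissions", []))
    host_patterns += [p for p in perms if "://" in p or p == "<all_urls>"]  # MV2 hosts
    findings = []
    cookie_hosts = covered(host_patterns, sensitive_hosts)
    if "cookies" in perms and cookie_hosts:
        findings.append("cookies API reaches " + ", ".join(cookie_hosts))
    script_patterns = [m for cs in manifest.get("content_scripts", [])
                       for m in cs.get("matches", [])]
    script_hosts = covered(script_patterns, sensitive_hosts)
    if script_hosts:
        findings.append("content scripts run on " + ", ".join(script_hosts))
    if {"webRequest", "declarativeNetRequest"} & set(perms):
        findings.append("holds request-interception permissions")
    return findings
```

An extension that scopes `cookies` to its own site (the `own_site_helper` case) produces no findings, so the check flags reach into the tenant rather than the permission name alone.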

Conclusion: Lower Barriers for Supply Chain Attacks Mean Stronger Security Boundaries Are Required

Despite its relatively small installation base, this campaign directly targeted core HR and ERP systems, demonstrating that attackers are shifting away from traditional server vulnerabilities toward more easily overlooked elements of the enterprise toolchain—such as browser extensions, plugins, and session tokens.

For enterprises, real security does not come from deploying more tools alone. It requires bringing identity, sessions, endpoints, and SaaS access under a governable, auditable security framework. In past projects, Sinokap successfully helped numerous corporate clients identify and eliminate phishing emails and malware. These case studies highlight our expertise in addressing information security threats:

If you have any questions regarding corporate network security or IT support, feel free to contact us to learn more about our professional IT outsourcing services.
