Malicious Chrome extensions hijack enterprise sessions
🔒 A cluster of five malicious Chrome extensions posed as productivity tools but exfiltrated session cookies to attacker-controlled infrastructure, enabling account takeover. Researchers from Socket.dev identified variants such as DataByCloud Access, Data By Cloud 1/2, Software Access and Tool Access 11 targeting HR and ERP platforms like Workday, NetSuite and SuccessFactors. Some extensions stole cookies as often as every 60 seconds and used cookie injection (e.g., chrome.cookies.set()) while others blocked admin security pages, hampering incident response.
