Coordinated Chrome-extension campaign for enterprise account takeover
Campaign
Summary
Hide ▲
Show ▼
A coordinated Chrome-extension campaign has been uncovered that steals authentication cookies, blocks security administration pages, and enables complete account takeover across enterprise-platform users. The malicious add-ons impersonate Workday, NetSuite, and SuccessFactors tools to blend into normal business workflows. The operation matters because it can preserve access while preventing defenders from using standard remediation pages. Copies also remained available outside the main browser store, extending the reach of the campaign.
Related Happenings
Silent Swap browser-extension clipboard clipper
Malware Activity
H score36
First: 30.06.2026 18:40
Last: 30.06.2026 18:40
Sources 1
About this happening:
The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Silent Swap browser-extension clipboard clipper
Malware ActivityAbout this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical Analysis
H score23
First: 25.06.2026 17:12
Last: 25.06.2026 17:12
Sources 1
About this happening:
A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical AnalysisAbout this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/Service
H score10
First: 29.05.2026 15:08
Last: 29.05.2026 15:08
Sources 1
About this happening:
Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/ServiceAbout this happening: Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
H score38
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
Chrome Web Store malicious extensions coordinated campaign using shared C2
CampaignAbout this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Chrome extension campaign
Campaign
H score37
First: 14.04.2026 14:30
Last: 14.04.2026 14:30
Sources 1
About this happening:
A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Chrome extension campaign
CampaignAbout this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
Timeline
-
16.01.2026 16:09 1 articles · 5mo ago
DataByCloud 1 and DataByCloud 2 first published
Untyped PhaseDataByCloud 1 and DataByCloud 2 were first published on August 18, 2021, becoming two of the malicious Google Chrome extensions later linked to enterprise account takeover activity.
Show sources
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
-
16.01.2026 16:09 2 articles · 5mo ago
Researchers disclose five malicious Chrome extensions
Initial DisclosureSecurity researchers identified five malicious Google Chrome extensions impersonating Workday, NetSuite, and SuccessFactors tools to steal authentication cookies, block administrative pages, and enable session hijacking for victim accounts; most of the add-ons had been removed from the Chrome Web Store, while Software Access remained available and copies also appeared on third-party download sites such as Softonic.
Show sources
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09