Malicious Chrome extensions hijack Workday, NetSuite, and SuccessFactors sessions
Malware Activity
Summary
Five malicious Google Chrome extensions are impersonating Workday, NetSuite, and SuccessFactors to steal credentials and hijack victim sessions, creating immediate account takeover risk. The extensions steal authentication tokens, block security and incident-response pages, and can inject stolen cookies to take control of accounts. Most of the add-ons were removed from the Chrome Web Store, but some remain available on third-party download sites. Two of the extensions were first published in August 2021, showing the operation has persisted over time.
Related Happenings
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Chrome extension campaign
Campaign
First: 14.04.2026 14:30
Last: 14.04.2026 14:30
Sources 1
About this happening:
A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Legitimate-looking Chrome extension prompt-poaching campaign
Campaign
First: 25.03.2026 13:00
Last: 25.03.2026 13:00
Sources 1
About this happening:
A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Timeline
- 16.01.2026 16:09 · 1 article
Malicious DataByCloud 1 and DataByCloud 2 first published
Campaign Scope Update: Malicious Google Chrome extensions DataByCloud 1 and DataByCloud 2 were first published on August 18, 2021 as part of an extension set that impersonates Workday, NetSuite, and SuccessFactors tools to harvest authentication data and support account takeover.
Sources:
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- 16.01.2026 16:09 · 2 articles
Researchers disclose five malicious Chrome extensions impersonating Workday and NetSuite
Initial Disclosure: Researchers identified five malicious Google Chrome extensions masquerading as Workday, NetSuite, and SuccessFactors tools to steal authentication cookies and tokens, block security administration pages, and enable session hijacking for complete account takeover. Most were removed from the Chrome Web Store, while some remained on third-party download sites such as Softonic.
Sources:
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30