Malicious Chrome extensions hijack Workday, NetSuite, and SuccessFactors sessions
Malware Activity
Summary
Hide ▲
Show ▼
Five malicious Google Chrome extensions are impersonating Workday, NetSuite, and SuccessFactors to steal credentials and hijack victim sessions, creating immediate account takeover risk. The extensions steal authentication tokens, block security and incident-response pages, and can inject stolen cookies to take control of accounts. Most of the add-ons were removed from the Chrome Web Store, but some remain available on third-party download sites. Two of the extensions were first published in August 2021, showing the operation has persisted over time.
Related Happenings
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical Analysis
H score23
First: 25.06.2026 17:12
Last: 25.06.2026 17:12
Sources 1
About this happening:
A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical AnalysisAbout this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Chrome extension PUP distribution network with fake organic traffic
Malware Activity
H score18
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Chrome extension PUP distribution network with fake organic traffic
Malware ActivityAbout this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/Service
H score10
First: 29.05.2026 15:08
Last: 29.05.2026 15:08
Sources 1
About this happening:
Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/ServiceAbout this happening: Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Timeline
-
16.01.2026 16:09 1 articles · 5mo ago
Malicious DataByCloud 1 and DataByCloud 2 first published
Campaign Scope UpdateMalicious Google Chrome extensions DataByCloud 1 and DataByCloud 2 were first published on August 18, 2021 as part of an extension set that impersonates Workday, NetSuite, and SuccessFactors tools to harvest authentication data and support account takeover.
Show sources
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
-
16.01.2026 16:09 2 articles · 5mo ago
Researchers disclose five malicious Chrome extensions impersonating Workday and NetSuite
Initial DisclosureResearchers identified five malicious Google Chrome extensions masquerading as Workday, NetSuite, and SuccessFactors tools to steal authentication cookies and tokens, block security administration pages, and enable session hijacking for complete account takeover; most were removed from the Chrome Web Store, while some remained on third-party download sites such as Softonic.
Show sources
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30