Cyber Pulse Academy


Chrome Extension Supply Chain Attack

How Fake HR Tools Hijack Your Accounts Explained Simply




Executive Summary: The Anatomy of a Browser-Based Breach

In January 2026, cybersecurity researchers uncovered a coordinated supply chain attack leveraging five malicious Google Chrome extensions. These extensions posed as legitimate productivity tools for major enterprise platforms like Workday, NetSuite, and SuccessFactors, collectively amassing over 2,300 installs from the official Chrome Web Store before their removal.


This attack represents a significant evolution in browser-based threats, moving beyond simple adware to a multi-faceted campaign designed for persistent credential theft, defensive evasion, and complete account takeover. The operators employed a chillingly effective strategy: compromise the user at the browser level, the gateway to their most sensitive SaaS applications.


Unlike traditional malware, these extensions operated with the permissions granted by the user, making them difficult for standard antivirus software to flag. Their primary goal was to steal authentication cookies and session tokens, enabling hackers to bypass multi-factor authentication (MFA) and seamlessly hijack user sessions on critical business platforms. This breach vector is particularly dangerous because it targets the weak link in cloud security: the endpoint's browser.



The Attack Breakdown: A Step-by-Step Technical Analysis

Let's dissect exactly how this Chrome extension supply chain attack unfolded. The threat actors executed a multi-phase operation with surgical precision, exploiting the inherent trust users place in the browser extension ecosystem.


Phase 1: Infiltration & Impersonation

The attack began with social engineering. The malicious extensions, published under publisher names like "databycloud1104," were advertised as helpful tools for accessing premium features on Workday, NetSuite, and SuccessFactors, platforms used daily by millions for HR, finance, and ERP tasks.


  • Names & Identifiers: Extensions used benign names like "DataByCloud Access," "Tool Access 11," and "Software Access."
  • Permission Request: Upon installation, they requested broad permissions including cookies, management, scripting, and access to data on specific enterprise domains. This is a critical red flag often overlooked by users.
  • Initial Footprint: Although install counts were moderate, the targeting was specific: users searching for productivity enhancements for critical business software.

Phase 2: The Dual-Pronged Malicious Payload

Once installed, the extensions activated two primary, intertwined malicious functions: credential theft and defensive sabotage.


Step 1: Continuous Cookie Exfiltration

The core malicious function was executed by the DataByCloud Access extension. It used the chrome.cookies API to collect authentication cookies for predefined enterprise domains. A background script ran every 60 seconds, sending stolen cookies to the command-and-control (C2) server at api.databycloud[.]com.


Technical Insight: Authentication cookies, especially session tokens, are gold for attackers. They often contain all the necessary information for a server to recognize a user as "logged in," potentially bypassing passwords and even some forms of MFA if the session is still active.

Step 2: Surgical Defense Evasion via DOM Manipulation

To prevent the victim from detecting or remediating the breach, extensions like Tool Access 11 implemented a cunning defense evasion technique. They maintained a blocklist of 44+ specific administrative page titles within Workday (e.g., "/security/authentication," "/proxy/configuration").


When a user navigated to one of these pages, the extension used JavaScript to manipulate the Document Object Model (DOM), either clearing the page content or redirecting to a malformed URL. This blocked access to security settings, password change interfaces, 2FA management, and audit logs, effectively crippling the victim's ability to respond.

Step 3: Active Session Hijacking

The most advanced capability was found in the Software Access extension. It didn't just steal cookies; it could also receive stolen cookies from its C2 server and inject them directly into the browser's cookie store using chrome.cookies.set().


This function allowed the threat actor to perform a live session hijacking. They could take a stolen session token from a victim, inject it into their own controlled browser, and instantly gain access to the victim's account without needing a username, password, or 2FA code.


Mapping to MITRE ATT&CK: The Adversary's Playbook

The Chrome extension supply chain attack is a textbook example of how threat actors combine multiple techniques into a powerful sequence. The MITRE ATT&CK framework helps us deconstruct their methodology.


The following table maps the observed malicious activities to specific MITRE ATT&CK Techniques and Tactics, providing a common language for defenders to understand and counter the threat.


MITRE ATT&CK Tactic | Technique ID & Name | How It Was Used in This Attack
--- | --- | ---
Initial Access | T1475: Deliver Malicious App via Authorized Repository | The malicious extensions were uploaded to the official Chrome Web Store, exploiting user trust in the platform.
Persistence | T1176: Browser Extensions | The extensions established persistence by installing themselves as legitimate-looking Chrome add-ons with background service workers.
Credential Access | T1539: Steal Web Session Cookie | The primary attack vector. Used the chrome.cookies API to exfiltrate authentication cookies every 60 seconds.
Defense Evasion | T1562.001: Disable or Modify Tools (Block Security Pages) | Actively monitored and manipulated the DOM to block access to security administration pages within Workday/NetSuite.
Defense Evasion | T1622: Debugger Evasion (Disable DevTools) | Some extensions used the DisableDevtool library to obstruct analysis via browser developer tools.
Collection | T1119: Automated Collection | Scripted, automated collection of cookies from specified domains on a scheduled basis.
Command and Control | T1071.001: Application Layer Protocol (Web Protocols) | Communicated with C2 servers (api.databycloud[.]com) over HTTPS, blending in with normal web traffic.

Understanding this mapping is crucial for Security Operations Centers (SOCs). It allows them to craft detection rules (e.g., for unusual cookie access patterns by extensions or DOM manipulation on security pages) and align their incident response playbooks to a known adversary framework.


Red Team vs. Blue Team: Perspectives on the Attack

This Chrome extension supply chain attack offers valuable lessons from both offensive (Red Team) and defensive (Blue Team) viewpoints. Let's break down the strategies and counter-strategies.


The Red Team (Threat Actor) Perspective

Objective: Gain persistent, undetected access to corporate SaaS accounts to steal data, conduct espionage, or enable financial fraud.


Why This Vector is Effective:

  • High Trust, Low Scrutiny: Extensions from the official Web Store are often trusted by both users and security software.
  • Bypasses Network Defenses: The attack operates entirely within the browser and its sanctioned APIs, evading network intrusion detection systems (NIDS).
  • Persistence: Extensions auto-update and run in the background, providing a stable foothold.
  • Direct Credential Access: Stealing session cookies is more reliable than phishing for passwords, as it often bypasses MFA.

Exploited Weaknesses: User propensity to install "helpful" tools without reviewing permissions; lack of enterprise-level browser extension management; the difficulty of monitoring extension behavior at scale.

The Blue Team (Defender) Perspective

Objective: Detect, prevent, and respond to browser extension-based threats to protect organizational data and user accounts.


Key Challenges & Solutions:

  • Visibility Gap: Standard EDR tools may not deeply monitor browser extension behavior. Solution: Implement dedicated browser security solutions or use Chrome's enterprise policies for granular logging.
  • Detection Difficulty: Malicious API calls look similar to legitimate ones. Solution: Baseline normal extension behavior and alert on anomalies (e.g., an extension accessing cookies for domains not in its manifest).
  • Response Hurdles: The attack actively blocks remediation. Solution: Have out-of-band response plans, such as using mobile device management (MDM) to force-remove extensions or reset passwords via a separate admin account.

Core Strategy: Shift from mere detection to resilience. Assume some extensions will be malicious and limit the damage they can do via strict permission controls and session timeouts.


Proactive Defense Framework: Securing Your Browser Ecosystem

Defending against sophisticated Chrome extension supply chain attacks requires a layered approach, combining technology, policy, and user education. Here is an actionable framework for individuals and enterprises.


For Individual Users & Security-Conscious Professionals

  • Audit Your Extensions Regularly: Go to chrome://extensions/. Remove any you don't recognize or use. Check permission lists: does a "color picker" need to "read and change all your data on all websites"?
  • Implement the Principle of Least Privilege: When installing an extension, critically review the permissions it requests. Look for alternatives that require fewer permissions.
  • Use Dedicated Browsers or Profiles: Use one secure browser (with minimal extensions) for sensitive tasks like banking and work email, and a different one for general browsing.
  • Enable Enhanced Safe Browsing: In Chrome settings, turn on Enhanced Safe Browsing for proactive threat detection.
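The permission review recommended above (and the red-flag permission set described in Phase 1: cookies, management, scripting plus host access to enterprise domains) can be automated by reading an extension's manifest.json before it is approved. The following is an added example, not code from the article or from any of the extensions it names: the sensitive-domain list, the verdict thresholds and both sample manifests are constructed assumptions.

```javascript
// Added example (not from the article or any extension it names): a
// manifest.json reviewer that flags the permission combination described in
// Phase 1. Domain list, verdict rules and sample manifests are constructed.

const HIGH_RISK_PERMISSIONS = {
  cookies: "read/modify cookies, including session tokens",
  management: "inspect or disable other extensions",
  scripting: "inject scripts into pages (DOM manipulation)",
  debugger: "attach to tabs and read or alter any page data",
  webRequest: "observe all network traffic",
};

// Constructed: SaaS domains this organisation treats as sensitive.
const SENSITIVE_DOMAINS = ["myworkday.com", "netsuite.com", "successfactors.com"];

// Turn a Chrome host match pattern (e.g. "*://*.netsuite.com/*") into a
// hostname predicate. "<all_urls>" and "*://*/*" cover every host.
function hostPatternToTest(pattern) {
  if (pattern === "<all_urls>") return () => true;
  const m = /^(\*|https?|file|ftp):\/\/(\*|(?:\*\.)?[^\/*]+)\/.*$/.exec(pattern);
  if (!m) return () => false;
  const host = m[2];
  if (host === "*") return () => true;
  if (host.startsWith("*.")) {
    const suffix = host.slice(2);
    return (h) => h === suffix || h.endsWith("." + suffix);
  }
  return (h) => h === host;
}

function auditManifest(manifest) {
  const findings = [];
  // MV3 lists API permissions in "permissions"/"optional_permissions" and host
  // access in "host_permissions"; MV2 mixed host patterns into "permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hostPatterns = [...(manifest.host_permissions || []), ...perms].filter(
    (p) => p === "<all_urls>" || p.includes("://")
  );
  for (const p of perms) {
    if (HIGH_RISK_PERMISSIONS[p]) {
      findings.push({ kind: "permission", value: p, note: HIGH_RISK_PERMISSIONS[p] });
    }
  }
  const tests = hostPatterns.map(hostPatternToTest);
  const allHosts = tests.some((t) => t("an-arbitrary-host.invalid"));
  const reachable = SENSITIVE_DOMAINS.filter((d) => tests.some((t) => t(d)));
  if (allHosts) {
    findings.push({ kind: "host", value: "<all hosts>", note: "can read and change data on every site" });
  }
  for (const d of reachable) {
    findings.push({ kind: "host", value: d, note: "host access to a sensitive SaaS domain" });
  }
  // The article's red-flag combination: cookie access that reaches a SaaS
  // domain enables session theft, so it is an outright block; any other
  // high-risk finding goes to a human reviewer.
  const canStealSessions = perms.includes("cookies") && (reachable.length > 0 || allHosts);
  const verdict = canStealSessions ? "block" : findings.length > 0 ? "review" : "allow";
  return { verdict, findings, reachable };
}

// Constructed manifests: one modelled on the permission set described in
// Phase 1, one for a benign colour-picker-style tool.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 3,
  name: "Constructed Access Tool",
  permissions: ["cookies", "management", "scripting"],
  host_permissions: ["*://*.myworkday.com/*", "*://*.netsuite.com/*"],
};
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Constructed Colour Picker",
  permissions: ["storage", "activeTab"],
};

console.log(auditManifest(SUSPICIOUS_MANIFEST).verdict); // block
console.log(auditManifest(BENIGN_MANIFEST).verdict); // allow
```

The verdict rule is deliberately conservative: cookies plus host access to a sensitive domain is blocked outright, because that pairing is exactly what makes session-cookie theft possible, while any other high-risk permission is routed to review rather than rejected, so that legitimate developer tools are not silently dropped.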

For Enterprise IT & Security Teams

Enterprise defense requires centralized control and visibility. Google Chrome provides powerful enterprise policies through the Chrome Browser Cloud Management console or Group Policy.


  • Enforce an Extension Allowlist: The most effective control. Block all extensions by default and only allow vetted, business-necessary ones from the Chrome Web Store. Use the ExtensionInstallAllowlist policy.
  • Block Permissions at Scale: Use the ExtensionInstallBlocklist policy to block high-risk permissions (e.g., declarativeNetRequest or broad host permissions) or specific extension IDs from the malicious list.
  • Monitor Extension Activity: Leverage Chrome Enterprise logs sent to your SIEM (like Google Chronicle, Splunk) to track extension installation events and permission changes.
  • Implement Short Session Timeouts: On critical SaaS applications (Workday, NetSuite), work with vendors to enforce shorter session lifetimes. This reduces the window of usability for a stolen session cookie.
  • User Education Campaigns: Regularly train employees on the risks of unvetted browser extensions and establish a clear process for requesting business-necessary tools.
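The allowlist and permission-blocking controls in the list above are expressed in Chrome's ExtensionSettings policy, a JSON object keyed by extension ID with "*" as the default entry. The following is an added example, not the article's or Google's own code: it places a permissive "weak" policy beside a hardened one and models the install decision with a small evaluator. The extension IDs are placeholders, not the IDs of the malicious extensions, and the evaluator is a simplified model that treats the default entry's blocked_permissions as applying to every extension; check the policy documentation for the exact precedence rules before relying on it.

```javascript
// Added example (not from the article or Google's documentation): a weak and a
// hardened ExtensionSettings policy in the object shape that policy takes,
// plus a simplified model of the install decision. IDs are placeholders.

const PLACEHOLDER_VETTED_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const PLACEHOLDER_UNKNOWN_ID = "cccccccccccccccccccccccccccccccc";

// Weak setting: anything from the Web Store installs, any permission allowed.
const WEAK_POLICY = {
  "*": { installation_mode: "allowed" },
};

// Hardened setting: deny by default, allowlist vetted IDs, block the
// permissions used in the campaign above, and keep extensions off the
// enterprise SaaS hosts at runtime even when they are allowlisted.
const HARDENED_POLICY = {
  "*": {
    installation_mode: "blocked",
    blocked_install_message: "Request extensions through the IT service desk.",
    blocked_permissions: ["cookies", "management", "scripting", "debugger"],
    runtime_blocked_hosts: [
      "*://*.myworkday.com",
      "*://*.netsuite.com",
      "*://*.successfactors.com",
    ],
  },
  [PLACEHOLDER_VETTED_ID]: { installation_mode: "allowed" },
};

// Simplified model of the install decision for an extension whose manifest
// requests the given permissions. Assumption: default blocked_permissions
// apply to every extension, including allowlisted ones.
function evaluateInstall(policy, extId, requestedPermissions) {
  const defaults = policy["*"] || {};
  const entry = policy[extId] || defaults;
  const mode = entry.installation_mode || defaults.installation_mode || "allowed";
  if (mode === "blocked" || mode === "removed") {
    const why = entry === defaults ? " (not on allowlist)" : "";
    return { allowed: false, reason: `installation_mode=${mode}${why}` };
  }
  const blocked = new Set([
    ...(defaults.blocked_permissions || []),
    ...(entry.blocked_permissions || []),
  ]);
  const hits = requestedPermissions.filter((p) => blocked.has(p));
  if (hits.length > 0) {
    return { allowed: false, reason: `requests blocked permissions: ${hits.join(", ")}` };
  }
  return { allowed: true, reason: `installation_mode=${mode}` };
}

// Constructed permission set modelled on the one described in Phase 1.
const CAMPAIGN_STYLE_PERMISSIONS = ["cookies", "management", "scripting"];

console.log(evaluateInstall(WEAK_POLICY, PLACEHOLDER_UNKNOWN_ID, CAMPAIGN_STYLE_PERMISSIONS));
// -> allowed: true (the weak policy stops nothing)
console.log(evaluateInstall(HARDENED_POLICY, PLACEHOLDER_UNKNOWN_ID, CAMPAIGN_STYLE_PERMISSIONS));
// -> allowed: false (not on allowlist)
console.log(evaluateInstall(HARDENED_POLICY, PLACEHOLDER_VETTED_ID, CAMPAIGN_STYLE_PERMISSIONS));
// -> allowed: false (blocked permissions)
console.log(evaluateInstall(HARDENED_POLICY, PLACEHOLDER_VETTED_ID, ["storage"]));
// -> allowed: true
```

In deployment the HARDENED_POLICY object is serialised to JSON and delivered as the ExtensionSettings value through Chrome Browser Cloud Management or Group Policy; the runtime_blocked_hosts entry is the defence-in-depth layer, since it keeps even an approved extension from reading or scripting pages on the SaaS hosts the campaign targeted.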


Frequently Asked Questions (FAQ)

Q1: I think I might have installed one of these extensions. What should I do right now?

Immediate Action Plan:

1. Go to chrome://extensions/ and remove any suspicious extensions.
2. For any potentially compromised accounts (Workday, NetSuite, etc.), immediately log out of all sessions (if the interface is accessible) and change your password.
3. Enable or re-configure Multi-Factor Authentication (MFA) on those accounts.
4. Monitor account activity logs for any access from unfamiliar locations or devices.

Q2: How can a malicious extension bypass Multi-Factor Authentication (MFA)?

This is a critical point. Many MFA methods, like Time-based One-Time Passwords (TOTP), only protect the initial login. Once a user is authenticated, the server creates a session cookie. If a malware extension steals that cookie, the attacker presents it to the server, which sees it as a valid, already-logged-in session. This is why phishing-resistant MFA (like WebAuthn/FIDO2 security keys) and shorter session timeouts are important for high-value accounts.

Q3: Are other browsers (Firefox, Edge, Safari) vulnerable to similar attacks?

Yes, the threat model is similar across all major browsers that support extensions. Each has its own extension store and permission model. The core risk, users installing malicious code that runs with high privileges in their browser, is universal. The defense principles (allowlisting, least privilege, monitoring) apply equally. Microsoft Edge, for example, also supports comprehensive enterprise management via its policies.

Q4: Where can I learn more about browser security and extension analysis?

Here are excellent, up-to-date external resources:


Key Takeaways & Conclusion

1. The Browser is the New Battleground: As core business functions move to SaaS, the browser holding the session keys becomes the primary target. Supply chain attacks via extensions are a potent, stealthy method to compromise it.


2. Cookie Theft = Account Takeover: Stolen session cookies often provide attackers with more power than stolen passwords, as they can negate MFA. Protecting these tokens is paramount.


3. Defense Requires a New Mindset: You cannot rely on the extension store's curation alone. Enterprises must adopt a "zero-trust" approach to extensions: verify explicitly, allowlist strictly, and monitor constantly.


4. Response Must Be Multi-Channel: When an attacker can block security pages, your incident response plan must include out-of-band actions, such as using MDM tools or alternate admin consoles to revoke access.


The discovery of these five malicious extensions is a stark reminder that our digital toolkits can be turned against us. By understanding the technical attack vectors, mapping them to established frameworks like MITRE ATT&CK, and implementing a layered defense strategy, both individuals and organizations can significantly harden their browsers against these evolving threats. Stay vigilant, audit your extensions, and prioritize security over convenience.

Ready to Secure Your Browser Environment?

Start your defense today. Audit your personal browser extensions right now, and if you're responsible for an organization, review your Chrome management policies.


Share this knowledge with your colleagues to help build a more secure community.

© 2026 Cyber Pulse Academy. This content is provided for educational purposes only.

Always consult with security professionals for organization-specific guidance.
