Credential-Stealing Chrome Extensions Target Enterprise HR Platforms: Implications for North East India

Malicious Extensions Disguised as Productivity Tools

Cybersecurity firm Socket has discovered a campaign of malicious Chrome extensions masquerading as productivity and security tools for enterprise HR and ERP platforms. The extensions were found to steal authentication cookies and, in some cases, to block the management pages administrators use to respond to security incidents.

The campaign, affecting over 2,300 users, combines three distinct techniques: cookie exfiltration, DOM manipulation (used to block administrative pages), and bidirectional cookie injection for direct session hijacking.

Targeted Enterprise Platforms and Coordinated Operation

Although they appear to come from separate publishers, the extensions share identical infrastructure, code patterns and targeting, indicating a coordinated operation. Four were published under the same developer name, databycloud1104, while the fifth, Software Access, used different branding.

Implications for North East India

The theft of enterprise credentials could fuel large-scale ransomware and data theft attacks, posing a significant threat to businesses in North East India, particularly those using Workday, NetSuite, or SAP SuccessFactors.

Given the region's growing economic integration with the rest of India and the world, it is crucial for businesses to prioritize cybersecurity measures to protect their sensitive data.

Analysis of the Extensions' Malicious Behavior

Socket's analysis found that the extensions used a mix of malicious behavior, including authentication cookie exfiltration, administrative page blocking, and session hijacking via cookie injection.

  • Authentication cookie exfiltration: The extensions continuously harvested cookies named "__session" from a targeted domain; these cookies carry the active login tokens for Workday, NetSuite and SuccessFactors, so an attacker can replay them without knowing the user's password.
  • Administrative page blocking: Two extensions, Tool Access 11 and Data By Cloud 2, blocked access to the security and incident response pages within Workday, preventing legitimate administrators from responding while the theft was under way.
  • Bidirectional cookie manipulation: The Software Access extension, in addition to stealing session tokens, could also set cookies in the browser (read and write, hence "bidirectional"), enabling immediate account takeover across the targeted enterprise platforms.

Recommendations for Affected Users

Anyone who was using these extensions should remove them, report them to their security admins for further incident response, and change their passwords on the targeted platforms. Because the extensions took session cookies rather than passwords, administrators should also revoke active sessions for the affected accounts on Workday, NetSuite and SuccessFactors, since a stolen session token may remain valid after a password change.
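
A security team reviewing extensions deployed on company browsers can check for the capability pattern described above: the cookies permission combined with host access to HR/ERP platforms (needed to read or inject a "__session" cookie), and content scripts that run on those pages (needed to rewrite or blank admin pages). The following Node.js script is an added example, not code from Socket's report or from the extensions; the list of target domains and the three sample manifests are constructed for illustration, and the name match against the extensions named on this page is only a weak indicator because the page does not give store IDs.

```javascript
// Added example: triage Chrome extension manifest.json files for the capability
// combination described in the Socket report. Not Socket's code; sample data constructed.

// Assumed target domains for the platforms named in the report (not taken from the page).
const TARGET_HOSTS = ["workday.com", "myworkday.com", "netsuite.com", "successfactors.com"];

// Display names reported on this page. Store IDs are not given, so this is a weak signal only.
const REPORTED_NAMES = ["tool access 11", "data by cloud 2", "software access"];

// Hostname part of a match pattern such as "*://*.workday.com/*".
// Returns "*" for patterns that cover every host, null if the string is not a match pattern.
function hostFromPattern(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^[a-z*]+:\/\/([^/]+)\//.exec(pattern);
  if (!m) return null;
  const host = m[1];
  return host === "*" ? "*" : host.replace(/^\*\./, "");
}

// True if the pattern grants access to one of the target platforms.
// Suffix matching is anchored on a dot so "workday.com.attacker.net" does not match.
function coversTarget(pattern) {
  const host = hostFromPattern(pattern);
  if (host === "*") return true;
  if (!host) return false;
  return TARGET_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

function triageManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  // MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
  const hostPatterns = [
    ...(manifest.host_permissions || []),
    ...[...perms].filter((p) => p === "<all_urls>" || p.includes("://")),
  ];
  const contentMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const hostAccess = hostPatterns.some(coversTarget);

  const findings = [];
  if (REPORTED_NAMES.includes(String(manifest.name || "").toLowerCase())) {
    findings.push("name matches an extension reported by Socket");
  }
  if (perms.has("cookies") && hostAccess) {
    findings.push("cookies permission with host access to HR/ERP platforms: can read (exfiltrate) and set (inject) session cookies");
  }
  if (contentMatches.some(coversTarget)) {
    findings.push("content script runs on HR/ERP pages: can rewrite or blank the DOM, e.g. to block admin pages");
  }
  if ((perms.has("declarativeNetRequest") || perms.has("webRequestBlocking")) && hostAccess) {
    findings.push("request-blocking permission on HR/ERP hosts: can block navigation to specific pages");
  }

  let risk = "low";
  if (findings.some((f) => f.startsWith("cookies") || f.startsWith("name"))) risk = "high";
  else if (findings.length > 0) risk = "medium";
  return { name: manifest.name, risk, findings };
}

// Constructed sample manifests: one mimicking the reported capability set, one with
// broad but cookie-free access, one with no host access at all.
const SAMPLE_MANIFESTS = [
  {
    name: "Tool Access 11",
    manifest_version: 3,
    permissions: ["cookies", "storage"],
    host_permissions: ["*://*.myworkday.com/*", "*://*.netsuite.com/*", "*://*.successfactors.com/*"],
    content_scripts: [{ matches: ["*://*.myworkday.com/*"], js: ["content.js"] }],
  },
  {
    name: "Tab Notes",
    manifest_version: 3,
    permissions: ["storage"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["notes.js"] }],
  },
  { name: "Dark Theme", manifest_version: 3, permissions: ["storage"] },
];

function triageAll(manifests = SAMPLE_MANIFESTS) {
  return manifests.map(triageManifest);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of triageAll()) {
    console.log(`${r.risk.toUpperCase()}  ${r.name}\n  ${r.findings.join("\n  ") || "no findings"}`);
  }
}
```

In practice you would feed `triageManifest` the parsed `manifest.json` of every extension found under the Chrome profile directory on managed endpoints. A "high" result is not proof of malice, since legitimate HR helper extensions need the same permissions, but it is exactly the set of capabilities the reported extensions required, and every hit deserves a look at what the background script does with the cookies it can read.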

Conclusion

The discovery of these credential-stealing Chrome extensions serves as a reminder of the ever-evolving threats in the cybersecurity landscape. As businesses in North East India continue to grow and integrate with the global economy, it is essential to prioritize cybersecurity measures to protect sensitive data.