
Install counts suggest over 2,300 users were tricked into deploying these tools before researchers alerted Google’s security teams and filed takedown requests. The extensions target systems like Workday, NetSuite, and SuccessFactors, where a single hijacked session can expose employee records, financial data, and internal workflows.
Disguised productivity tools with malicious code
Each extension in the cluster posed as a productivity enhancer or security helper for enterprise users. Listings featured polished dashboards and promises of streamlined access to HR or ERP tools. The permissions requested looked “standard”: seemingly benign functions such as cookie access or page modification.
Once installed, however, three of the extensions, including DataByCloud Access, Data By Cloud 1, and a variant simply called Software Access, exfiltrated session cookies containing authentication tokens to attacker-controlled infrastructure. These tokens are, in many enterprise systems, enough to authenticate a user without a password. In some cases, those cookies were extracted every 60 seconds to ensure up-to-date credentials.
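For defenders, the permission combination described above (cookie access plus reach into HR/ERP hosts) can be triaged from extension manifests. The following is an added example, not code from the researchers or the article; the watchlist domains, function names and sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag manifests that pair "cookies" with access to HR/ERP hosts.
// ASSUMPTION: WATCHED_DOMAINS is an illustrative watchlist, not from the article.
const WATCHED_DOMAINS = ["workday.com", "myworkday.com", "netsuite.com", "successfactors.com"];

// Host part of a match pattern ("https://*.a.com/*" -> "*.a.com"); null if not a pattern.
function patternHost(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[2] : null;
}

// True when a pattern host ("*", "*.a.com", "a.com") reaches the domain or a subdomain of it.
function hostCovers(host, domain) {
  if (host === "*") return true;
  const base = host.startsWith("*.") ? host.slice(2) : host;
  return base === domain || base.endsWith("." + domain);
}

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const hosts = [...perms, ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || [])]
    .map(patternHost).filter((h) => h !== null);
  const hits = WATCHED_DOMAINS.filter((d) => hosts.some((h) => hostCovers(h, d)));
  const hasCookies = perms.includes("cookies") ||
    (manifest.optional_permissions || []).includes("cookies");
  return { name: manifest.name, hasCookies, hits, flagged: hasCookies && hits.length > 0 };
}

// Constructed sample manifests (hypothetical names, not the extensions in the article).
const SAMPLES = [
  { name: "hr-helper (constructed)", manifest_version: 3,
    permissions: ["cookies", "storage"],
    host_permissions: ["https://*.myworkday.com/*", "https://*.netsuite.com/*"] },
  { name: "broad-access (constructed)", manifest_version: 2,
    permissions: ["cookies", "<all_urls>"] },
  { name: "no-cookies (constructed)", manifest_version: 3,
    permissions: ["storage"], host_permissions: ["https://*.netsuite.com/*"] },
];

for (const r of SAMPLES.map(auditManifest)) {
  console.log(r.flagged ? "REVIEW" : "ok", r.name, r.hits.join(","));
}
```

A flag here marks an extension for manual review, since legitimate tools can request the same permissions.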
