Malicious Chrome Extensions Hijack Enterprise HR/ERP Accounts Globally | Quick Digest
Five malicious Chrome extensions have been identified targeting enterprise HR and ERP platforms like Workday, NetSuite, and SAP SuccessFactors. These extensions steal authentication tokens, block incident response, and enable full account takeover via session hijacking, affecting over 2,300 users globally.
Five malicious Chrome extensions target HR/ERP platforms.
Extensions steal authentication tokens and hijack sessions.
They also block security and administrative pages.
Workday, NetSuite, SAP SuccessFactors are primary targets.
Over 2,300 users affected by coordinated campaign.
Most removed from Chrome Store, but available elsewhere.
Cybersecurity researchers, primarily from Socket's Threat Research Team, have uncovered a sophisticated and coordinated campaign involving five malicious Google Chrome extensions. These extensions are specifically designed to target widely used enterprise Human Resources (HR) and Enterprise Resource Planning (ERP) platforms, including Workday, NetSuite, and SAP SuccessFactors. The primary objective of these extensions is to achieve full account takeover by stealing authentication tokens, preventing incident response actions, and facilitating session hijacking.
The identified extensions are DataByCloud Access, Tool Access 11, DataByCloud 1, DataByCloud 2, and Software Access. While four of these were published under the developer name 'databycloud1104', and the fifth under 'softwareaccess', forensic analysis indicates they share identical infrastructure patterns, confirming a single, coordinated attack operation. They masquerade as legitimate productivity tools, promising streamlined access and multi-account management for enterprise users. Collectively, these malicious add-ons had been installed by over 2,300 users before their discovery.
Their attack mechanisms are multi-faceted, involving the exfiltration of session cookies to attacker-controlled servers, manipulation of the Document Object Model (DOM) to block access to security and administrative pages within the targeted platforms, and bidirectional cookie injection for direct session hijacking. Because a stolen session cookie represents an already-authenticated session, replaying it lets attackers bypass multi-factor authentication and maintain persistent access. Although most of these extensions have now been removed from the Chrome Web Store, they might still be accessible on various third-party software download websites. Users are strongly advised to remove any matching extensions, reset passwords from secure systems, and review authentication logs for suspicious activity.
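The capabilities described above (reading and writing session cookies, rewriting the DOM of HR/ERP pages) map directly onto permissions an extension must declare in its manifest: the `cookies` permission together with host permissions for the tenant domains, and content scripts whose `matches` cover those same pages. The script below is an added example, not code from the article or from Socket's research, that triages extension manifests for that combination so an administrator can inventory a fleet's installed extensions and review the ones that reach HR/ERP tenants. The watched vendor domains and both sample manifests are constructed assumptions for illustration; they are not the manifests of the extensions named above.

```python
"""Triage Chrome extension manifests for the capability mix described above:
cookie access plus content scripts scoped to enterprise HR/ERP tenants.
Added example; the manifests below are constructed, not recovered from the
extensions named in the article."""
import json

# Assumed vendor domains to watch (not taken from the page); extend with a
# company's own tenant hostnames as needed.
HR_ERP_DOMAINS = ("workday.com", "netsuite.com", "successfactors.com")


def pattern_covers(pattern: str, domain: str) -> bool:
    """True if a Chrome match pattern reaches `domain` (or every host)."""
    if pattern == "<all_urls>":
        return True
    _scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    host = rest.split("/", 1)[0].lower()
    if host == "*":
        return True
    if host.startswith("*."):
        host = host[2:]
    return host == domain or host.endswith("." + domain)


def reached_domains(patterns):
    """Which watched HR/ERP domains a list of match patterns can touch."""
    return sorted(d for d in HR_ERP_DOMAINS
                  if any(pattern_covers(p, d) for p in patterns))


def assess(manifest: dict) -> dict:
    """Rate one manifest: which capabilities it combines and where they reach."""
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    if manifest.get("manifest_version") == 2:
        # Manifest V2 listed host patterns inside "permissions" instead of host_permissions.
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    script_matches = [m for cs in manifest.get("content_scripts", [])
                      for m in cs.get("matches", [])]

    # chrome.cookies needs both the "cookies" permission and a host permission
    # for the cookie's URL, so only count domains the host patterns reach.
    cookie_reach = reached_domains(hosts) if "cookies" in perms else []
    script_reach = reached_domains(script_matches)

    findings = []
    if cookie_reach:
        findings.append("cookies permission reaches " + ", ".join(cookie_reach)
                        + " (session cookies readable and writable)")
    if script_reach:
        findings.append("content script runs on " + ", ".join(script_reach)
                        + " (can rewrite the DOM, e.g. hide admin or security pages)")

    if cookie_reach and script_reach:
        verdict = "high"
    elif cookie_reach or script_reach:
        verdict = "medium"
    else:
        verdict = "low"
    return {"name": manifest.get("name", "?"), "verdict": verdict,
            "reached": sorted(set(cookie_reach) | set(script_reach)),
            "findings": findings}


def triage(manifests):
    """Return only the manifests that merit review, highest risk first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    results = [assess(m) for m in manifests]
    return sorted((r for r in results if r["verdict"] != "low"),
                  key=lambda r: rank[r["verdict"]])


# Constructed sample manifests (hypothetical names, not real extensions).
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Hypothetical Tab Sorter",
  "permissions": ["tabs", "storage"]
}""")

SUSPECT_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Hypothetical Multi-Account Access Helper",
  "permissions": ["cookies", "storage", "tabs"],
  "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*",
                       "https://*.successfactors.com/*"],
  "content_scripts": [{"matches": ["*://*.workday.com/*", "*://*.netsuite.com/*",
                                   "https://*.successfactors.com/*"],
                       "js": ["content.js"], "run_at": "document_start"}]
}""")

if __name__ == "__main__":
    for r in triage([BENIGN_MANIFEST, SUSPECT_MANIFEST]):
        print(f"[{r['verdict'].upper()}] {r['name']}")
        for finding in r["findings"]:
            print("   -", finding)
```

In practice the manifests come from each endpoint's Chrome profile directory or from an enterprise browser-management export; a `high` verdict is a review trigger, not proof of malice, since a legitimate single-sign-on helper can declare the same permissions. The value of the check is that it flags the permission combination this campaign depended on regardless of what the extension calls itself.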