Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, January 19, 2026

DTI-Jan19-2225722675

Corporate employees are being targeted by a sophisticated identity theft ring hiding behind the tools they use for work every day. Five malicious Chrome extensions have been discovered impersonating major HR and ERP platforms like Workday and NetSuite to hijack user accounts.

A massive ad fraud operation has been hiding in plain sight, or rather, inside the logos of the browser extensions we trust. The GhostPoster campaign has amassed over 840,000 installations across Chrome, Firefox, and Edge by concealing malicious JavaScript within image files.

In a rare twist of poetic justice, security researchers have hacked the hackers. By exploiting an XSS vulnerability in the control panel of the StealC malware, analysts were able to spy on the cybercriminals themselves. The operation exposed a major threat actor known as YouTubeTA.

Top Malware Reported in the Last 24 Hours

Malicious Chrome extensions target Workday accounts

Cybersecurity researchers have discovered five malicious Google Chrome extensions that impersonate popular HR and ERP platforms, including Workday and NetSuite, to hijack user accounts. These extensions, such as DataByCloud Access and Tool Access 11, are designed to steal authentication tokens and block security responses, enabling complete account takeover through session hijacking. They exfiltrate cookies to remote servers and manipulate the Document Object Model (DOM) to obstruct access to administrative pages. Notably, Software Access combines cookie theft with the ability to inject stolen cookies into browsers, facilitating direct session hijacking. All five extensions share similar functionalities and patterns, suggesting they are part of a coordinated operation by the same threat actors or a common toolkit. While most have been removed from the Chrome Web Store, they remain accessible on third-party sites.

Malicious GhostPoster extensions found in browsers

A recent discovery revealed 17 malicious browser extensions linked to the GhostPoster campaign, which have collectively amassed 840,000 installations across Chrome, Firefox, and Edge. These extensions concealed harmful JavaScript code within their logos, allowing them to monitor user activity, hijack affiliate links, and facilitate ad fraud. Originating on Microsoft Edge, the campaign later spread to other browsers, with some extensions present since 2020, indicating a long-running operation. LayerX researchers noted that the latest variant, particularly the 'Instagram Downloader' extension, has evolved by embedding malicious logic in background scripts and using image files to conceal payloads. 
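One defensive check that follows from the GhostPoster technique above, added here as an example and not code from LayerX or the original briefing: walk a PNG's chunk list and flag JavaScript-like text appended after the IEND chunk, one common way of hiding code inside an image file. The sample logos are constructed inline; the marker list is an assumed heuristic.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed heuristic: strings that rarely appear in image bytes but are common in JS loaders.
JS_MARKERS = re.compile(rb"(eval\(|atob\(|new Function\(|document\.|fetch\()")


def png_trailing_bytes(data: bytes) -> bytes:
    """Walk the chunk list and return whatever follows the IEND chunk.
    A well-formed PNG ends at IEND, so any trailer is worth a look."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk found")


def inspect_logo(data: bytes) -> dict:
    """Summarise trailing data and any JS markers found in it."""
    trailer = png_trailing_bytes(data)
    hits = sorted({m.group(0).decode() for m in JS_MARKERS.finditer(trailer)})
    return {"trailing_bytes": len(trailer), "js_markers": hits, "suspicious": bool(hits)}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a valid 1x1 greyscale PNG, then the same file with a
# placeholder JS loader appended after IEND (the base64 decodes to a comment).
CLEAN_PNG = (PNG_SIG
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
PAYLOAD = b"\neval(atob('Ly8gcGxhY2Vob2xkZXI='));"
TAINTED_PNG = CLEAN_PNG + PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tainted", TAINTED_PNG)):
        print(name, inspect_logo(blob))
```

A trailer is only one hiding place; the same scan should also be applied to the bodies of ancillary chunks such as tEXt and zTXt, and a clean result never substitutes for reviewing what the extension's background script actually does with the image bytes.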

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerability in StealC malware panel

Cybersecurity researchers uncovered a cross-site scripting (XSS) vulnerability in the control panel of the StealC malware, an information stealer that emerged in January 2023. This flaw allowed researchers to gather critical data on threat actors, including system fingerprints and active session cookies. StealC operates under a malware-as-a-service model, utilizing platforms like YouTube for distribution and evolving to include features such as Telegram bot integration. A notable threat actor, YouTubeTA, exploited this service to distribute stolen software, amassing over 390,000 passwords and 30 million cookies. An operational security mistake revealed YouTubeTA's real IP address, linking them to a Ukrainian provider, which indicated their location in Eastern Europe.

Google Vertex AI bugs allow privilege escalation

Security researchers have uncovered significant privilege escalation vulnerabilities in Google’s Vertex AI platform, enabling low-privileged users to hijack high-privileged Service Agent accounts. These flaws affect the Vertex AI Agent Engine and Ray on Vertex AI, where default configurations grant minimal-permission users access to powerful managed identities with extensive project-wide permissions. One vulnerability allows attackers with the right permissions to inject malicious Python code into tool calls, executing it on the reasoning engine’s compute instance and extracting sensitive credentials. Another flaw permits users with basic viewer permissions to gain root access to head nodes via the GCP Console, allowing them to retrieve access tokens that control storage and data resources.
