Chrome credential theft 🔐, GhostPoster extensions 🌐, enterprise HR targeting 👥, Kubernetes etcd risks 🔒
Daily Threat Intel Digest - January 18, 2026
🔴 Critical Threats & Active Exploitation
[NEW] Malicious Chrome extensions steal enterprise HR credentials
Five malicious Chrome extensions discovered on the Chrome Web Store are actively stealing authentication credentials from enterprise HR and ERP platforms, including Workday, NetSuite, and SAP SuccessFactors. The extensions collectively amassed over 2,300 installations by posing as productivity and security tools for enterprise users. Attackers use three distinct techniques: cookie exfiltration every 60 seconds, blocking access to security administration pages to prevent incident response, and bidirectional cookie injection enabling immediate account takeover without credentials. The Software Access extension can receive stolen cookies from C2 servers and inject them directly into browsers, allowing attackers to hijack authenticated sessions without usernames, passwords, or MFA. Google has removed the extensions following disclosure by Socket researchers [BleepingComputer].
[NEW] GhostPoster browser extensions infect 840,000 users
The ongoing GhostPoster campaign has compromised 17 additional browser extensions across Chrome, Firefox, and Edge with 840,000 total installations. Extensions like “Google Translate in Right Click” (522K installs) and “Translate Selected Text with Google” (159K installs) hide malicious JavaScript in image files to evade detection. The payloads track browsing activity, hijack affiliate links on e-commerce platforms, and inject invisible iframes for ad fraud. Researchers discovered an evolved variant in the “Instagram Downloader” extension that moves malicious staging logic into background scripts and uses bundled image files as covert payload containers. While vendors have removed the extensions from their stores, infected users remain at risk until they manually uninstall them [BleepingComputer].
🎯 Threat Actor Activity & Campaigns
[NEW] Coordinated Chrome extension campaign targets enterprise platforms
Security researchers uncovered a coordinated operation behind the credential-stealing Chrome extensions, despite the extensions appearing under different publishers. Four extensions were published under “databycloud1104” while a fifth used “Software Access” branding, but all share identical infrastructure, code patterns, and targeting. The campaign specifically targets Workday, NetSuite, and SAP SuccessFactors platforms, with extensions blocking access to 44-56 critical administrative pages including authentication policies, security proxy configuration, IP range management, and 2FA controls. The coordinated nature suggests a focused effort by a single threat actor group to compromise enterprise HR and ERP systems for large-scale ransomware and data theft operations [BleepingComputer].
[NEW] GhostPoster campaign demonstrates long-term infection success
The GhostPoster malicious extension campaign has been operating since 2020, demonstrating remarkable persistence and evolution across multiple browser ecosystems. Originally discovered in Microsoft Edge, the campaign expanded to Firefox and Chrome, with extensions remaining available for years despite security vendor awareness. The latest variants employ sophisticated evasion techniques including steganography to hide malicious code in image files and staged execution flows that resist both static and behavioral detection. This long-term success highlights the challenges browser vendors face in policing extension stores and the financial incentives driving ad fraud and affiliate theft operations [BleepingComputer].
📋 Policy & Industry News
[NEW] HHS OCR prioritizes risk assessments in 2026 enforcement
The U.S. Department of Health and Human Services Office for Civil Rights will prioritize risk assessments and expand investigations into risk management practices in 2026, according to the agency’s January Cybersecurity Newsletter. Healthcare organizations face increased scrutiny of their security programs, particularly around vulnerability management and incident response capabilities. The guidance emphasizes the need for comprehensive risk assessments that address both internal and external threats, with specific attention to third-party vendor risks. Healthcare entities should review their current risk management frameworks against OCR’s updated expectations to prepare for potential enforcement actions [DataBreaches.Net].
[NEW] Federal judge orders Anna’s Archive to delete scraped data
A federal judge has issued a default judgment against shadow library Anna’s Archive, ordering the site to delete all copies of WorldCat data and cease scraping, using, storing, or distributing the data. The ruling comes after OCLC, the operator of WorldCat, sued the shadow library for large-scale unauthorized data harvesting. However, compliance appears unlikely given Anna’s Archive’s distributed nature and previous resistance to legal pressure. The case highlights ongoing tensions between open access advocates and database owners over copyright and data ownership in the digital age, with potential implications for other academic and research data aggregation projects [DataBreaches.Net].
🛡️ Defense & Detection
[NEW] Google Chrome adds control over on-device AI models
Google Chrome now allows users to delete the local AI models powering the “Enhanced Protection” feature, which was upgraded with AI capabilities last year. Users can access this control in Chrome settings under System, where they can toggle off “On-device GenAI” to remove the models. This gives security-conscious organizations more control over AI components and potential data processing on local systems. The feature is currently rolling out in Chrome Canary and will reach stable release soon, addressing privacy and security concerns about on-device AI processing [BleepingComputer].
[NEW] SOCFortress releases Kubernetes etcd hardening guide
A new security guide from SOCFortress details critical etcd hardening measures for self-managed Kubernetes deployments based on CIS Kubernetes Benchmarks. The guide emphasizes that etcd compromise is equivalent to full cluster compromise, as it stores all cluster state including secrets, service account tokens, and certificates. Key recommendations include implementing strong TLS encryption for both client-to-etcd and peer communication, restricting network exposure with explicit interface binding and firewall rules, enabling encryption at rest for secrets, and treating etcd backups as highly sensitive assets. Many organizations mistakenly trust default kubeadm configurations without reviewing etcd security, creating significant risk in production environments [SOCFortress].
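The checks above map onto etcd's own command-line flags, so an audit can be scripted. The following POSIX shell script is an added example, not code from the SOCFortress guide; it parses a constructed etcd command line (as it would appear in a kubeadm static pod manifest or `ps` output) and reports the TLS, client-cert-auth, auto-TLS and interface-binding weaknesses the guide calls out. Both sample command lines and the `/etc/kubernetes/pki/etcd/...` paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a weak etcd command line that trusts defaults. Client and peer
# listeners bind all interfaces, peer TLS is absent, self-signed auto-TLS is on.
WEAK_CMDLINE='etcd --data-dir=/var/lib/etcd --listen-client-urls=https://0.0.0.0:2379 --cert-file=/etc/kubernetes/pki/etcd/server.crt --key-file=/etc/kubernetes/pki/etcd/server.key --auto-tls=true --listen-peer-urls=https://0.0.0.0:2380'

# Constructed sample: the hardened equivalent (explicit binding, CA-verified client and
# peer certificates, mutual TLS required, auto-TLS disabled).
HARDENED_CMDLINE='etcd --data-dir=/var/lib/etcd --listen-client-urls=https://10.0.0.5:2379,https://127.0.0.1:2379 --cert-file=/etc/kubernetes/pki/etcd/server.crt --key-file=/etc/kubernetes/pki/etcd/server.key --client-cert-auth=true --auto-tls=false --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt --peer-key-file=/etc/kubernetes/pki/etcd/peer.key --peer-client-cert-auth=true --peer-auto-tls=false --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --listen-peer-urls=https://10.0.0.5:2380'

# flag_value CMDLINE FLAG: print the value of --flag=value, or nothing if unset.
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_etcd_cmdline CMDLINE: print one finding per line (empty output = clean).
check_etcd_cmdline() {
  # TLS material for client-to-etcd and peer traffic must all be present.
  for f in --cert-file --key-file --trusted-ca-file \
           --peer-cert-file --peer-key-file --peer-trusted-ca-file; do
    [ -n "$(flag_value "$1" "$f")" ] || echo "MISSING $f (TLS material not configured)"
  done
  # Clients and peers must present certificates, not just connect over TLS.
  for f in --client-cert-auth --peer-client-cert-auth; do
    [ "$(flag_value "$1" "$f")" = "true" ] || echo "WEAK $f is not true (mutual TLS not enforced)"
  done
  # Auto-TLS generates self-signed certs that bypass the cluster CA.
  for f in --auto-tls --peer-auto-tls; do
    [ "$(flag_value "$1" "$f")" != "true" ] || echo "WEAK $f=true (self-signed certificates in use)"
  done
  # Listeners should bind a specific interface, never the wildcard address.
  for f in --listen-client-urls --listen-peer-urls; do
    case "$(flag_value "$1" "$f")" in
      *0.0.0.0*|*'[::]'*) echo "EXPOSED $f binds all interfaces" ;;
    esac
  done
}

# count_etcd_findings CMDLINE: number of findings, for use in CI gates.
count_etcd_findings() {
  check_etcd_cmdline "$1" | wc -l | tr -d ' '
}

echo "weak config: $(count_etcd_findings "$WEAK_CMDLINE") finding(s)"
check_etcd_cmdline "$WEAK_CMDLINE"
echo "hardened config: $(count_etcd_findings "$HARDENED_CMDLINE") finding(s)"
```

On a live node, feed the script the `command:` list from `/etc/kubernetes/manifests/etcd.yaml` (joined with spaces) rather than the constructed samples.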