ToddyCat APT developed a tool called Umbrij that automates the theft of Google OAuth authorization codes by launching Chromium-based browsers in headless mode with remote debugging ports enabled. The tool copies the victim's browser profile to a backup directory, launches the browser invisibly with the stolen session, and uses Puppeteer Sharp to automate the Google OAuth consent flow using legitimate Google Workspace Migration/Sync client IDs. The resulting authorization code is exfiltrated and exchanged for an access token, enabling API-level access to the victim's Gmail, Drive, Calendar, and Contacts without traditional credential theft.