- Malicious Google Chrome extensions “Phantom Shuttle” secretly rerouted traffic through attacker-controlled proxies
- Extensions targeted Chinese users, harvesting credentials from 170 high-value domains
- Google removed the plugins; experts warn browser add-ons remain a major security risk
Security researchers recently discovered two extensions for the Google Chrome browser were rerouting valuable traffic through compromised proxies, and thus sharing sensitive information with malicious third parties.
Socket said it found two extensions in the Chrome Web Store, named ‘Phantom Shuttle’. On the surface, these were advertised as plugins for a proxy service, allowing users to proxy traffic and test network speeds, and were targeted mostly for Chinese users such as foreign trade workers who need to test connectivity from different locations in the country.
The plugins, which were first uploaded to the store back in 2017, even came with a price tag – a monthly subscription costing anywhere between $1.40 and $13.60.
Removed from the repository
However, besides doing what it said it would do, Phantom Shuttle also routed user web traffic through proxies that the threat actor owned, which allowed them to pick up on login credentials, payment card details, personal information, and more.
It didn’t route all of the traffic though. Instead, it listens for roughly 170 high-value domains, such as developer platforms, cloud service consoles, social media sites, and adult content portals, to make sure only valuable information gets picked up.
Local networks and C2 domains were excluded from the list, to make sure the plugins don’t raise any alarms. Google has since removed both extensions from the app store and searching for ‘Phantom Shuttle’ returns no results.
The internet browser is the most important piece of software on any modern computer, and as such is a major target for cybercriminals. While most browsers in use today are relatively secure (Chrome, for example, had only eight zero-day vulnerabilities so far in 2025), add-ons are something of a weak spot, allowing creative crooks to sneak malicious code into the program.
That is why users are advised to be extra careful when downloading and installing any plugins or extensions to their browsers.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
