
Malicious extensions in Chrome Web store steal user credentials

Published:

23 December 2025 at 13:31:55

Alert date:

23 December 2025 at 14:02:34

Source:

bleepingcomputer.com


Web Technologies, Data Breach & Exfiltration, Ransomware & Malware

Two malicious Chrome extensions named 'Phantom Shuttle' were discovered in the Chrome Web Store posing as proxy service plugins. These extensions are designed to hijack user traffic and steal sensitive data including credentials. The malicious extensions masquerade as legitimate proxy tools to deceive users into installation. Once installed, they gain access to user browsing data and can intercept sensitive information. This represents an active supply chain attack through the official Chrome Web Store distribution channel.

Technical details

Two Chrome extensions named 'Phantom Shuttle' pose as proxy service plugins to hijack user traffic and steal sensitive data. The extensions have been active since at least 2017 and route all user web traffic through attacker-controlled proxies using hardcoded credentials. The malicious code is prepended to the legitimate jQuery library and uses a custom character-index encoding to hide the proxy credentials. The extensions dynamically reconfigure Chrome's proxy settings using proxy auto-configuration (PAC) scripts. In 'smarty' mode, they route over 170 high-value domains through the proxy network, including developer platforms, cloud service consoles, social media sites, and adult content portals. Acting as a man-in-the-middle, the extensions capture form data, steal session cookies from HTTP headers, and extract API tokens from requests.

Mitigation steps:

Chrome users should trust only extensions from reputable publishers, check multiple user reviews, and pay attention to the permissions requested upon installation. Remove the Phantom Shuttle extensions if installed.
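The technical details above describe a pattern a defender can look for on disk: an extension that requests the "proxy" permission, installs a PAC script through chrome.proxy.settings.set, and answers proxy authentication from hardcoded credentials. The following audit script, added here as an example and not code from Perceptive, Google, or the Phantom Shuttle extensions, walks an unpacked Chrome Extensions directory, reads each manifest.json, scans the extension's JavaScript for those indicators, and returns a verdict per extension, which also covers the permission check recommended under mitigation. The indicator regexes, the weights, and the two constructed sample extensions (one benign, one exhibiting the pattern with placeholder credentials) are assumptions of this example, not indicators published in the advisory.

```python
"""Audit unpacked Chrome extensions for the proxy-hijacking pattern described above.
Added example; indicator list, weights and sample extensions are constructed here."""
import json
import re
import tempfile
from pathlib import Path

# Indicators mirroring the advisory's description (PAC-script proxy reconfiguration,
# hardcoded proxy credentials). Weights are an assumption of this example.
INDICATORS = [
    ("proxy_settings_set", re.compile(r"chrome\.proxy\.settings\.set"), 2),
    ("pac_script", re.compile(r"pac_script|FindProxyForURL"), 2),
    ("proxy_auth_listener", re.compile(r"webRequest\.onAuthRequired"), 2),
    ("hardcoded_credentials", re.compile(r"authCredentials\s*:\s*\{[^}]*password"), 3),
    ("proxy_return", re.compile(r"['\"]PROXY\s+[\w.\-]+:\d+"), 1),
]

def load_manifest(ext_dir: Path) -> dict:
    path = ext_dir / "manifest.json"
    return json.loads(path.read_text(encoding="utf-8")) if path.exists() else {}

def scan_extension(ext_dir: Path) -> dict:
    """Score one unpacked extension directory (the folder holding manifest.json)."""
    manifest = load_manifest(ext_dir)
    perms = set(manifest.get("permissions", []))
    result = {"name": manifest.get("name", "<unknown>"), "path": str(ext_dir),
              "proxy_permission": "proxy" in perms, "hits": {}}
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        for name, rx, _ in INDICATORS:
            if rx.search(text):
                result["hits"].setdefault(name, []).append(js.name)
    score = sum(w for name, _, w in INDICATORS if name in result["hits"])
    if result["proxy_permission"]:
        score += 2  # the permission alone is worth a look during an audit
    result["score"] = score
    if result["proxy_permission"] and "hardcoded_credentials" in result["hits"]:
        result["verdict"] = "suspicious"
    elif score >= 3:
        result["verdict"] = "review"
    else:
        result["verdict"] = "clean"
    return result

def scan_extensions_root(root: Path) -> list:
    """Scan every <id>/<version>/manifest.json below a Chrome Extensions directory."""
    return [scan_extension(m.parent) for m in sorted(root.rglob("manifest.json"))]

def build_constructed_samples(root: Path) -> None:
    """Write two constructed extensions: a benign one and one showing the pattern."""
    benign = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Reading Mode (constructed benign sample)",
        "version": "1.0", "permissions": ["storage"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}))
    (benign / "content.js").write_text("document.body.style.fontSize = '18px';\n")

    proxy = root / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "2.3_0"
    proxy.mkdir(parents=True)
    (proxy / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Fast Proxy Helper (constructed suspicious sample)",
        "version": "2.3", "permissions": ["proxy", "webRequest", "webRequestAuthProvider"],
        "host_permissions": ["<all_urls>"], "background": {"service_worker": "bg.js"}}))
    (proxy / "bg.js").write_text(r'''
// Constructed sample mimicking the advisory's pattern; credentials are placeholders.
const pac = "function FindProxyForURL(url, host) {"
  + " if (shExpMatch(host, '*.example')) return 'PROXY proxy.example:8080';"
  + " return 'DIRECT'; }";
chrome.proxy.settings.set({value: {mode: "pac_script", pacScript: {data: pac}}, scope: "regular"});
chrome.webRequest.onAuthRequired.addListener(
  () => ({authCredentials: {username: "PLACEHOLDER_USER", password: "PLACEHOLDER_PASS"}}),
  {urls: ["<all_urls>"]}, ["blocking"]);
''')

def demo() -> dict:
    """Build the constructed samples in a temp dir, scan them, return results by name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_samples(root)
        return {r["name"]: r for r in scan_extensions_root(root)}

if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{r['verdict']:10s} score={r['score']:2d} proxy_perm={r['proxy_permission']} {name}")
        for indicator, files in r["hits"].items():
            print(f"    {indicator}: {', '.join(files)}")
```

To run it against a real profile, call scan_extensions_root on the browser's Extensions folder instead of the temp directory (on Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions, on Linux ~/.config/google-chrome/Default/Extensions, on macOS ~/Library/Application Support/Google/Chrome/Default/Extensions). A "review" verdict is expected for legitimate proxy or VPN extensions, which use the same APIs; what separates them from the pattern in this advisory is the hardcoded authCredentials block, so treat that hit as the one worth escalating rather than the proxy permission by itself.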

Affected products:

Google Chrome
Chrome Web Store
Phantom Shuttle extensions
jQuery library

Related links:

Related CVEs:

Related threat actors:

IOCs:

Behavioural indicators (no hashes, extension IDs, or proxy addresses are given in this advisory): the 'Phantom Shuttle' extension name, hardcoded proxy credentials embedded in the extensions, a custom character-index encoding scheme hiding those credentials, a proxy auto-configuration script that rewrites Chrome's proxy settings, and a list of over 170 targeted high-value domains.

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy, or completeness of this information.
