
Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites

Published:

23 December 2025 at 14:42:00

Alert date:

23 December 2025 at 16:02:33

Source:

thehackernews.com


Web Technologies, Data Breach & Exfiltration, Ransomware & Malware

Two malicious Google Chrome extensions with identical names were discovered by cybersecurity researchers. Both extensions were published by the same developer and advertised as network speed test plug-ins for developers and foreign trade personnel. The malicious browser add-ons have capabilities to intercept network traffic and capture user credentials from over 170 websites. The extensions remain available for download, posing an active threat to users who install them.

Technical details

Two malicious Chrome extensions named 'Phantom Shuttle', disguised as VPN services, intercept traffic and steal credentials from over 170 targeted domains. The extensions modify bundled JavaScript libraries (jquery-1.12.2.min.js and scripts.js) so that a chrome.webRequest.onAuthRequired listener automatically injects hardcoded proxy credentials (topfany/963852wei) into HTTP authentication challenges. They implement three proxy modes via PAC scripts: close (disabled), always (all traffic), and smarty (170+ targeted domains). The extensions maintain 60-second heartbeats to the C2 server and transmit captured user credentials in plaintext every 5 minutes. Operating as man-in-the-middle proxies, they capture passwords, credit card numbers, cookies, API keys, and browsing history.

Mitigation steps:

Remove the malicious extensions immediately if installed. Deploy extension allowlisting policies. Monitor for extensions that combine subscription payment systems with proxy permissions. Implement network monitoring for suspicious proxy authentication attempts. Security teams should also monitor for extensions requesting broad network permissions and enforce browser security policies.
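As an added illustration of the technical details and mitigation steps above (this is not code from the advisory or from its source), the following Python script audits unpacked Chrome extension directories for the pattern described: the proxy permission combined with webRequest auth-handling permissions, plus source references to onAuthRequired, pacScript and authCredentials. It also matches extension IDs against the two IDs listed in this advisory and emits a Chrome ExtensionSettings policy that blocks flagged IDs and denies the proxy permission by default. The sample extensions are constructed fixtures written to a temporary directory; the verdict thresholds, the indicator regexes and the assumption that the ExtensionSettings keys (blocked_permissions, installation_mode) match your deployed Chrome version are mine, not the source's.

```python
import json
import os
import re
import tempfile

# Extension IDs taken from this advisory's IOC section.
KNOWN_BAD_IDS = {
    "fbfldogmkadejddihifklefknmikncaj",
    "ocpcmfmiidofonkbodpdhgddhlcmcofd",
}

# Permissions that let an extension answer a proxy's HTTP auth challenge itself.
AUTH_PERMS = {"webRequest", "webRequestBlocking", "webRequestAuthProvider"}

# Source-level indicators of the technique: a PAC script steering traffic to a
# proxy and a handler that supplies credentials on auth challenges (assumed set).
CODE_INDICATORS = {
    "onAuthRequired": re.compile(r"webRequest\.onAuthRequired"),
    "pacScript": re.compile(r"\bpacScript\b"),
    "authCredentials": re.compile(r"\bauthCredentials\b"),
}


def audit_extension(ext_dir, ext_id):
    """Return findings and a verdict (ok / review / block) for one unpacked extension."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    perms = set(manifest.get("permissions", []))
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("extension id listed in advisory IOCs")
    proxy_combo = "proxy" in perms and bool(perms & AUTH_PERMS)
    if proxy_combo:
        findings.append("requests proxy + webRequest auth permissions")
    code_hits = 0
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            for label, rx in CODE_INDICATORS.items():
                if rx.search(src):
                    findings.append(f"{label} referenced in {name}")
                    code_hits += 1
    if ext_id in KNOWN_BAD_IDS or (proxy_combo and code_hits):
        verdict = "block"
    elif proxy_combo or code_hits:
        verdict = "review"
    else:
        verdict = "ok"
    return {"id": ext_id, "verdict": verdict, "findings": findings}


def build_policy(audits):
    """Chrome ExtensionSettings policy: deny 'proxy' by default, block flagged IDs."""
    settings = {"*": {"blocked_permissions": ["proxy"]}}
    for a in audits:
        if a["verdict"] == "block":
            settings[a["id"]] = {"installation_mode": "blocked"}
    return {"ExtensionSettings": settings}


def _write_ext(base, ext_id, permissions, js_name, js_body):
    ext_dir = os.path.join(base, ext_id)
    os.makedirs(ext_dir)
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": ext_id[:8], "manifest_version": 3, "permissions": permissions}, fh)
    with open(os.path.join(ext_dir, js_name), "w", encoding="utf-8") as fh:
        fh.write(js_body)
    return ext_dir


def build_fixtures(base):
    """Constructed sample extensions covering each verdict path (not real extensions)."""
    return [
        _write_ext(base, "a" * 32, ["storage"], "background.js",
                   "chrome.storage.local.set({opened: Date.now()});\n"),
        # Proxy + auth permissions and the API tokens the scanner keys on.
        _write_ext(base, "b" * 32, ["proxy", "webRequest", "webRequestAuthProvider"], "scripts.js",
                   "// pac_script mode with pacScript data\n"
                   "// webRequest.onAuthRequired -> authCredentials\n"),
        # Suspicious permissions but no indicator in code: needs a human look.
        _write_ext(base, "c" * 32, ["proxy", "webRequest"], "background.js",
                   "console.log('speed test');\n"),
        # ID from the advisory: blocked on the IOC match alone.
        _write_ext(base, "fbfldogmkadejddihifklefknmikncaj", ["storage"], "scripts.js",
                   "console.log('speed test');\n"),
    ]


def run_demo():
    """Audit the fixtures; return {id: verdict} and the generated policy."""
    with tempfile.TemporaryDirectory() as base:
        results = [audit_extension(d, os.path.basename(d)) for d in build_fixtures(base)]
    return {r["id"]: r["verdict"] for r in results}, build_policy(results)


if __name__ == "__main__":
    verdicts, policy = run_demo()
    print(json.dumps({"verdicts": verdicts, "policy": policy}, indent=2))
```

Point audit_extension at the directories under a profile's Extensions folder (one subdirectory per extension ID, then per version) to run it against real installs; the generated policy dict can be written as managed-policy JSON on Linux or mapped to the equivalent registry values on Windows.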

Affected products:

Google Chrome Browser Extensions
Phantom Shuttle Extension (ID: fbfldogmkadejddihifklefknmikncaj)
Phantom Shuttle Extension (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd)
jquery-1.12.2.min.js library
scripts.js library

Related links:

Related CVEs:

Related threat actors:

IOCs:

phantomshuttle[.]space
Extension ID: fbfldogmkadejddihifklefknmikncaj
Extension ID: ocpcmfmiidofonkbodpdhgddhlcmcofd
Proxy credentials: topfany/963852wei
Alibaba Cloud hosting infrastructure

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
