- Malicious Google Chrome “Phantom Shuttle” extensions secretly redirected traffic through proxies controlled by attackers.
- The extensions targeted Chinese users, harvesting credentials from 170 high-value domains.
- Google removed the plugins; experts warn that browser add-ons remain a major security risk.
Security researchers recently discovered that two Google Chrome browser extensions were redirecting valuable traffic through compromised proxies, sharing sensitive information with malicious third parties.
Socket said it found two extensions in the Chrome Web Store, named “Phantom Shuttle.” Ostensibly, these were presented as plugins for a proxy service, allowing users to proxy traffic and test network speeds, and were primarily aimed at Chinese users such as foreign trade workers who need to test connectivity from different locations around the country.
The plugins, which were first uploaded to the store in 2017, even came with a price: a monthly subscription costing between $1.40 and $13.60.
Removed from repository
However, in addition to doing what it said it did, Phantom Shuttle also routed users’ web traffic through proxies owned by the threat actor, allowing it to harvest login credentials, payment card details, personal information, and more.
However, it did not route all of the traffic this way. Instead, it watched for around 170 high-value domains, such as developer platforms, cloud service consoles, social networking sites, and adult content portals, to ensure that only valuable information was retrieved.
Local networks and C2 domains were excluded from the list, to ensure that the plugins did not raise any alarms. Google has since removed both extensions from the Chrome Web Store, and a search for “Phantom Shuttle” returns no results.
The Internet browser is the most important piece of software on any modern computer and, as such, is a major target for cybercriminals. While most browsers in use today are relatively secure (Chrome, for example, only had eight zero-day vulnerabilities in 2025 so far), add-ons are something of a weak point, allowing creative crooks to introduce malicious code into the program.
This is why users are advised to be very careful while downloading and installing any plugins or extensions on their browser.
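For defenders who want to check which installed add-ons could reroute traffic in this way, the following added example (not code from Socket or the original article) flags extensions whose manifest requests Chrome's `proxy` permission. It assumes the usual on-disk layout `Extensions/<extension id>/<version>/manifest.json` inside a Chrome profile; the extension IDs and names in the sample data are constructed, not Phantom Shuttle indicators.

```python
import json
import tempfile
from pathlib import Path

# "proxy" gates chrome.proxy; the other two observe requests and answer auth prompts.
RISKY = {"proxy", "webRequest", "webRequestAuthProvider"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Return the traffic-related capabilities a manifest requests."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    return {
        "name": manifest.get("name", "?"),
        "risky": sorted(perms & RISKY),
        "broad_hosts": sorted(perms & BROAD_HOSTS),
    }

def audit_extensions(ext_root: Path) -> list[dict]:
    """Scan <ext_root>/<extension id>/<version>/manifest.json; keep proxy-capable ones."""
    findings = []
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or corrupt manifest: skip it, keep auditing
        result = audit_manifest(manifest)
        if "proxy" in result["risky"]:
            result["id"] = path.parts[-3]
            findings.append(result)
    return findings

def build_sample_profile() -> Path:
    """Constructed sample data: two made-up extensions in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaaexampleproxytool": {"name": "Sample proxy tool", "host_permissions": ["<all_urls>"],
                                 "permissions": ["proxy", "storage", "webRequest"]},
        "bbbbexamplenotes": {"name": "Sample notes", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        manifest_path = root / ext_id / "1.0.0_0" / "manifest.json"
        manifest_path.parent.mkdir(parents=True)
        manifest_path.write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    print(audit_extensions(build_sample_profile()))
```

A `proxy` permission is expected for a legitimate proxy or VPN add-on, so a hit is a prompt to review who publishes the extension, not proof of compromise.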
Via BleepingComputer