(Image credit: Tada Images / Shutterstock)
- **Malicious Google Chrome extensions "Phantom Shuttle" secretly rerouted traffic through attacker-controlled proxies **
- Extensions targeted Chinese users, harvesting credentials from 170 high-value domains
- Google removed the plugins; experts warn browser add-ons remain a major security risk
Security researchers recently discovered two extensions for the Google Chrome browser were rerouting valuable traffic through compromised proxies, and thus sharing sensitive information with malicious third parties.
Socket said it found two extensions in the Chrome Web Store, named ‘Phantom Shuttle’. On the surface, these were advertised as plugins…
(Image credit: Tada Images / Shutterstock)
- **Malicious Google Chrome extensions "Phantom Shuttle" secretly rerouted traffic through attacker-controlled proxies **
- Extensions targeted Chinese users, harvesting credentials from 170 high-value domains
- Google removed the plugins; experts warn browser add-ons remain a major security risk
Security researchers recently discovered two extensions for the Google Chrome browser were rerouting valuable traffic through compromised proxies, and thus sharing sensitive information with malicious third parties.
Socket said it found two extensions in the Chrome Web Store, named ‘Phantom Shuttle’. On the surface, these were advertised as plugins for a proxy service, allowing users to proxy traffic and test network speeds, and were targeted mostly for Chinese users such as foreign trade workers who need to test connectivity from different locations in the country.
The plugins, which were first uploaded to the store back in 2017, even came with a price tag - a monthly subscription costing anywhere between $1.40 and $13.60.
Removed from the repository
However, besides doing what it said it would do, Phantom Shuttle also routed user web traffic through proxies that the threat actor owned, which allowed them to pick up on login credentials, payment card details, personal information, and more.
It didn’t route all of the traffic though. Instead, it listens for roughly 170 high-value domains, such as developer platforms, cloud service consoles, social media sites, and adult content portals, to make sure only valuable information gets picked up.
Local networks and C2 domains were excluded from the list, to make sure the plugins don’t raise any alarms. Google has since removed both extensions from the app store and searching for ‘Phantom Shuttle’ returns no results.
The internet browser is the most important piece of software on any modern computer, and as such is a major target for cybercriminals. While most browsers in use today are relatively secure (Chrome, for example, had only eight zero-day vulnerabilities so far in 2025), add-ons are something of a weak spot, allowing creative crooks to sneak malicious code into the program.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
That is why users are advised to be extra careful when downloading and installing any plugins or extensions to their browsers.
*Via *BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.