Two Chrome extensions called “Phantom Shuttle” pretend to be proxy services, but in reality steal user data. The malicious extensions have been active since 2017 and are still available in the official Chrome Web Store.
Researchers from security platform Socket discovered the malicious extensions. The extensions target users in China, including traders who need to test connectivity from different locations in the country. The extensions offer a monthly subscription.
Both Phantom Shuttle extensions are published under the same developer name. They promise to proxy web traffic and test network speeds, but behind the scenes they carry hidden functionality that users cannot see.
Hardcoded proxy credentials
The extensions route all web traffic through proxies controlled by the attackers. Access to those proxies is granted via hardcoded login credentials. Socket researchers found that the code for this was inserted into the legitimate jQuery library shipped with the extensions.
The proxy credentials are obfuscated with a character-index encoding. The extensions also intercept HTTP authentication on every website via a web traffic listener. Because all traffic passes through the attackers' proxy, form data, passwords, card details, and session cookies can be intercepted, and API tokens carried in requests can be stolen as well.
Chrome's proxy settings are adjusted dynamically via a proxy auto-configuration (PAC) script. In the default "smarty" mode, the extension routes more than 170 high-value domains through the proxy network, including development platforms, cloud service consoles, and social media sites. Local networks and the command-and-control domain are exempted from proxying, which helps the extension avoid detection.
Broader problem
This shows once again that Chrome extensions cannot simply be trusted. In January 2025, Google removed sixteen malicious Chrome extensions that had been installed by more than 3.2 million users. The ShadyPanda group also infected 4.3 million Chrome and Edge users with malware in a campaign that ran for seven years.
Google has been asked for comment on the Phantom Shuttle extensions but has not yet responded. Chrome users should only install extensions from trusted publishers, read a range of user reviews, and pay attention to the permissions they grant. Clicking 'allow' too quickly could open the door to data theft.