These malicious Google Chrome extensions have stolen data from over 170 sites - find out if you're affected
Two Chrome extensions were found eavesdropping on people's browsing
- Malicious Google Chrome extensions "Phantom Shuttle" secretly rerouted traffic through attacker-controlled proxies
- Extensions targeted Chinese users, harvesting credentials from 170 high-value domains
- Google removed the plugins; experts warn browser add-ons remain a major security risk
Security researchers recently discovered two extensions for the Google Chrome browser were rerouting valuable traffic through compromised proxies, and thus sharing sensitive information with malicious third parties.
Socket said it found two extensions in the Chrome Web Store, named ‘Phantom Shuttle’. On the surface, these were advertised as plugins for a proxy service, allowing users to proxy traffic and test network speeds, and were targeted mostly at Chinese users such as foreign trade workers who need to test connectivity from different locations in the country.
The plugins, which were first uploaded to the store back in 2017, even came with a price tag - a monthly subscription costing anywhere between $1.40 and $13.60.
Removed from the repository
However, besides doing what it said it would do, Phantom Shuttle also routed user web traffic through proxies that the threat actor owned, which allowed them to pick up on login credentials, payment card details, personal information, and more.
It didn’t route all of the traffic, though. Instead, it listened for roughly 170 high-value domains, such as developer platforms, cloud service consoles, social media sites, and adult content portals, to make sure only valuable information got picked up.
Local networks and C2 domains were excluded from the list, to make sure the plugins don’t raise any alarms. Google has since removed both extensions from the app store and searching for ‘Phantom Shuttle’ returns no results.
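To check a machine for extensions with the capability described above, the following added example (not from the article or from Socket's report) audits the manifests in a Chrome profile's Extensions directory for the `proxy` permission, which Chrome requires before an extension can change proxy settings. The article does not list the permissions Phantom Shuttle requested, so this is a general capability check; the function names and sample manifest are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Host patterns that grant an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    declared = set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        declared.update(p for p in (manifest.get(key) or []) if isinstance(p, str))
    findings = []
    if "proxy" in declared:  # permission required to use the chrome.proxy API
        findings.append("can change the browser's proxy settings")
        if declared & BROAD_HOSTS:
            findings.append("also has access to all sites")
    return findings

def scan_extensions_dir(root):
    """Audit every <root>/<extension id>/<version>/manifest.json."""
    report = {}
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        findings = audit_manifest(manifest) if isinstance(manifest, dict) else []
        if findings:
            # The name may be a localisation placeholder such as __MSG_appName__.
            report[path.parent.parent.name] = {
                "name": manifest.get("name", "?"), "findings": findings}
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Argument: the Extensions folder under the profile path from chrome://version
        for ext_id, info in scan_extensions_dir(sys.argv[1]).items():
            print(ext_id, info["name"], "; ".join(info["findings"]))
    else:
        # Constructed sample manifest, not taken from any real extension.
        sample = {"manifest_version": 3, "name": "Example Proxy Tool",
                  "permissions": ["proxy", "storage"],
                  "host_permissions": ["<all_urls>"]}
        print(audit_manifest(sample))
```

A hit means the extension is able to reroute traffic, not that it is malicious; legitimate VPN and proxy add-ons request the same permission, so each flagged extension ID still needs to be reviewed.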
The internet browser is the most important piece of software on any modern computer, and as such is a major target for cybercriminals. While most browsers in use today are relatively secure (Chrome, for example, had only eight zero-day vulnerabilities so far in 2025), add-ons are something of a weak spot, allowing creative crooks to sneak malicious code into the program.
That is why users are advised to be extra careful when downloading and installing any plugins or extensions to their browsers.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.