Security researchers have discovered two Google Chrome extensions called Phantom Shuttle that secretly steal user data while pretending to offer proxy and network testing services.
The extensions have been available on the Chrome Web Store for several years and were still accessible at the time of the report.
The findings come from researchers at the supply chain security platform Socket, who say the extensions have likely been active since at least 2017. Phantom Shuttle appears to target users in China, including foreign trade professionals who want to test how websites perform from different locations within the country.
Both extensions are published under the same developer name and are marketed as tools that help users proxy their internet traffic and check network speed. They are offered through paid subscriptions, with prices ranging from around $1.40 to $13.60. This paid model may have helped the extensions look trustworthy to users.

Behind the scenes, the extensions behave very differently from what they promise. Researchers found that Phantom Shuttle routes all user web traffic through proxy servers controlled by the attackers. This allows the operators to see and manipulate the data passing through the browser. The harmful code is hidden inside what looks like a normal jQuery library, making it harder to detect.
The proxy login details are hardcoded into the extension and hidden using a custom encoding method. Once installed, the extension quietly changes Chrome’s proxy settings using an automatic configuration script, forcing traffic through the attacker’s servers without clearly informing the user.
In its default mode, the extension routes traffic to more than 170 popular and sensitive websites through these proxy servers. These include cloud service dashboards, developer tools, social media platforms, and adult websites. At the same time, local network traffic and the extension’s own control server are excluded, which reduces the risk of detection and avoids breaking basic internet access.
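To see what a proxy auto-configuration (PAC) script like the one described above actually does, a defender can evaluate it offline and list which hostnames it would send through a proxy. The following is an added example, not code from the Socket report or from the extensions; the PAC script, proxy address and hostnames are constructed placeholders.

```javascript
// Minimal versions of the helper functions PAC scripts may call.
const toInt = (s) => s.split('.').map(Number).reduce((a, b) => (a << 8) | b, 0) >>> 0;
const pacHelpers = {
  dnsDomainIs: (host, domain) =>
    host.length >= domain.length && host.slice(host.length - domain.length) === domain,
  isPlainHostName: (host) => !host.includes('.'),
  shExpMatch: (str, pattern) => {
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp('^' + re + '$').test(str);
  },
  // Offline variant: only matches when host is already a dotted-quad IPv4 address.
  isInNet: (host, net, mask) =>
    /^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
    ((toInt(host) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0),
};

// Constructed PAC script modelled on the behaviour described in the article:
// local traffic and the operator's own server go DIRECT, selected sites go via proxy.
const samplePac = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (dnsDomainIs(host, "control.example")) return "DIRECT";
  var targets = ["console.cloud.example", "github.example", "social.example"];
  for (var i = 0; i < targets.length; i++) {
    if (dnsDomainIs(host, targets[i])) return "PROXY proxy.example:8080";
  }
  return "DIRECT";
}`;

// Evaluate the PAC script in a sandboxed function and classify each hostname.
function auditPac(pacSource, hosts) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  const findProxy = factory(...names.map((n) => pacHelpers[n]));
  const result = { proxied: [], direct: [] };
  for (const host of hosts) {
    const verdict = String(findProxy('https://' + host + '/', host));
    (verdict.startsWith('DIRECT') ? result.direct : result.proxied).push(host);
  }
  return result;
}

const sampleHosts = ['console.cloud.example', 'www.github.example', 'intranet',
  '192.168.1.5', 'control.example', 'news.example'];
console.log(JSON.stringify(auditPac(samplePac, sampleHosts), null, 2));
```

The same harness can be pointed at the PAC string an installed extension sets through Chrome's proxy API, which is the quickest way to confirm which sites are being diverted.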
Because the extension sits between the user and the websites they visit, it acts as a man-in-the-middle. This allows it to collect usernames, passwords, payment information, and personal details entered into online forms. It can also steal session cookies from web traffic and extract API tokens from network requests, potentially giving attackers direct access to online accounts.