Malicious Chrome extensions caught stealing sensitive data

06 Jan 2026 By foxnews

Tourism Bookings NZ introduces

Chrome extensions are supposed to make your browser more useful, but they've quietly become one of the easiest ways for attackers to spy on what you do online. Security researchers recently uncovered two Chrome extensions that have been doing exactly that for years.

These extensions looked like harmless proxy tools, but behind the scenes, they were hijacking traffic and stealing sensitive data from users who trusted them. What makes this case worse is where these extensions were found. Both were listed on Chrome's official extension marketplace.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

FAKE AI CHAT RESULTS ARE SPREADING DANGEROUS MAC MALWARE

Researchers at Socket discovered two Chrome extensions using the same name, "Phantom Shuttle," that were posing as tools for proxy routing and network speed testing (via Bleeping Computer). According to the researchers, the extensions have been active since at least 2017.

Both extensions were published under the same developer name and marketed toward foreign trade workers who need to test internet connectivity from different regions. They were sold as subscription-based tools, with prices ranging from roughly $1.40 to $13.60.

At a glance, everything looked normal. The descriptions matched the functionality. The pricing seemed reasonable. The problem was what the extensions were doing after installation.

Socket researchers say Phantom Shuttle routes all your web traffic through proxy servers controlled by the attacker. Those proxies use hardcoded credentials embedded directly into the extension's code. To avoid detection, the malicious logic is hidden inside what appears to be a legitimate jQuery library.

The attackers didn't just leave credentials sitting in plain text. The extensions hide them using a custom character-index encoding scheme. Once active, the extension listens to web traffic and intercepts HTTP authentication challenges on any site you visit.

To make sure traffic always flows through their infrastructure, the extensions dynamically reconfigure Chrome's proxy settings using an auto-configuration script. This forces your browser to route requests exactly where the attacker wants them.

In its default "smarty" mode, Phantom Shuttle routes traffic from more than 170 high-value domains through its proxy network. That list includes developer platforms, cloud service dashboards, social media sites and adult content portals. Local networks and the attacker's own command-and-control domain are excluded, likely to avoid breaking things or raising suspicion.

While acting as a man-in-the-middle, the extension can capture anything you submit through web forms. That includes usernames, passwords, card details, personal information, session cookies from HTTP headers and API tokens pulled directly from network requests.

CyberGuy contacted Google about the extensions, and a spokesperson confirmed that both have been removed from the Chrome Web Store.

10 SIMPLE CYBERSECURITY RESOLUTIONS FOR A SAFER 2026

The step-by-step instructions below apply to Windows PCs, Macs and Chromebooks. In other words, desktop Chrome. Chrome extensions cannot be fully reviewed or removed from the mobile app.

You can also type this directly into the address bar and press Enter:
chrome://extensions

Go through every extension listed and ask yourself:

If the answer is no to any of these, take a closer look.

Click Details on any extension you are unsure about. Pay attention to:

Proxy tools, VPNs, downloaders and network-related extensions deserve extra scrutiny.

If something feels off, toggle the extension off. This immediately stops it from running without deleting it. If everything still works as expected, the extension was likely not essential.

To fully remove an extension:

Unused extensions are a common target for abuse and should be cleaned out regularly.

Close and reopen Chrome after making changes. This ensures disabled or removed extensions are no longer active.

MICROSOFT TYPOSQUATTING SCAM SWAPS LETTERS TO STEAL LOGINS

You can't control what slips through app store reviews, but you can reduce your risk by changing how you install and manage extensions.

Every extension increases your attack surface. If you don't genuinely need it, don't install it. Convenience extensions often come with far more permissions than they deserve.

Reputable developers usually have a history, a website and multiple well-known extensions. Be cautious with tools from unknown publishers, especially those offering network or proxy features.

Star ratings can be faked or manipulated. Look for detailed reviews that mention long-term use. Watch out for sudden waves of generic praise.

If an extension asks to "read and change all data on websites you visit," take that seriously. Proxy tools and network extensions can see everything you do.

A password manager won't stop a malicious extension from spying on traffic, but it can limit damage. Unique passwords mean stolen credentials can't unlock multiple accounts. Many managers also refuse to autofill on suspicious pages.

Next, see if your email has been exposed in past breaches. Our #1 password manager (see Cyberguy.com/Passwords) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

Strong antivirus software can flag suspicious network activity, proxy abuse and unauthorized changes to browser settings. This adds a layer of defense beyond Chrome's own protections.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

This attack doesn't rely on phishing emails or fake websites. It works because the extension itself becomes part of your browser. Once installed, it sees nearly everything you do online. Extensions like Phantom Shuttle are dangerous because they blend real functionality with malicious behavior. The extensions deliver the proxy service they promise, which lowers suspicion, while quietly routing user data through attacker-controlled servers.

When was the last time you reviewed the extensions installed in your browser? Let us know by writing to us at Cyberguy.com.