Malicious Phantom Shuttle Chrome extensions hijack user traffic

Two Chrome extensions listed in the Web Store under the name Phantom Shuttle, masquerading as proxy service plugins, are hijacking user traffic and stealing sensitive data, according to a report by supply-chain security firm Socket.

The extensions, which have been active since at least 2017, remain available in Chrome’s official marketplace at the time of writing. The tools are published under the same developer name and marketed primarily to users in China, including foreign trade workers who need to test internet connectivity from different regions of the country. Subscriptions are priced between $1.40 and $13.60.

Researchers say the extensions route all web traffic through attacker-controlled proxy servers using hardcoded credentials hidden with a custom encoding scheme. The malicious code is prepended to a legitimate jQuery library to evade detection. By dynamically reconfiguring Chrome’s proxy settings, the extensions force traffic through the proxies automatically.

In the default “smarty” mode, the extensions route traffic from more than 170 high-value domains, including developer platforms, cloud consoles, social media sites, and adult content portals, through the attacker’s network. Local networks and the command-and-control (C&C) domain are excluded to reduce the risk of disruption and detection.
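The behaviour described above (a declared proxy permission, a hardcoded proxy configuration pushed through Chrome's proxy API, and extension code prepended to a bundled jQuery file) can be turned into a triage check that an administrator runs over unpacked extensions before allowing them in a fleet. The scanner below is an added example, not code from Socket's report or from the extensions themselves; the file names, the sample extension it builds, and the scoring weights are constructed for illustration, and the only real identifiers it relies on are the Chrome `proxy` permission, the `chrome.proxy.settings.set` API and the standard `/*! jQuery v...` banner.

```python
import json
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Indicators derived from the reported behaviour. The regexes are heuristics
# for review, not proof of malice: many legitimate extensions set a proxy.
PROXY_API_RE = re.compile(r"chrome\.proxy\.settings\.set\s*\(")
PAC_DIRECTIVE_RE = re.compile(r"\bPROXY\s+[\w.\-]+:\d+")   # hardcoded "PROXY host:port"
JQUERY_BANNER_RE = re.compile(r"/\*!\s*jQuery\s+v\d")      # banner that opens a real jQuery build


def scan_extension(ext_dir: Path) -> dict:
    """Collect proxy-related indicators from one unpacked extension directory."""
    findings = {"proxy_permission": False, "proxy_api_calls": [],
                "pac_directives": [], "prepended_code_before_jquery": []}
    manifest_path = ext_dir / "manifest.json"
    if manifest_path.exists():
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
        findings["proxy_permission"] = "proxy" in perms
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="replace")
        rel = js.relative_to(ext_dir).as_posix()
        if PROXY_API_RE.search(text):
            findings["proxy_api_calls"].append(rel)
        findings["pac_directives"].extend(f"{rel}: {m}" for m in PAC_DIRECTIVE_RE.findall(text))
        banner = JQUERY_BANNER_RE.search(text)
        # A genuine jQuery file starts with its banner; code in front of it was added later.
        if banner and text[:banner.start()].strip():
            findings["prepended_code_before_jquery"].append(rel)
    return findings


def risk_score(findings: dict) -> int:
    """Weighted sum of indicators; weights are an assumption for this example."""
    score = 0
    if findings["proxy_permission"]:
        score += 1
    if findings["proxy_api_calls"]:
        score += 2
    if findings["pac_directives"]:
        score += 2
    if findings["prepended_code_before_jquery"]:
        score += 3
    return score


def build_sample_extension(root: Path) -> None:
    """Write a constructed sample extension showing all three indicators (not a real artifact)."""
    (root / "js").mkdir(parents=True)
    (root / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "sample-proxy-ext",
        "permissions": ["proxy", "storage"]}), encoding="utf-8")
    # Extension code prepended to an otherwise ordinary jQuery build.
    (root / "js" / "jquery.min.js").write_text(
        "var _cfg = decode('constructed-placeholder');\n"
        "/*! jQuery v3.6.0 | (c) OpenJS Foundation */\n!function(e,t){}();\n",
        encoding="utf-8")
    # Background script that forces traffic through a hardcoded proxy via a PAC script.
    (root / "js" / "background.js").write_text(
        'const pac = "function FindProxyForURL(u,h){return \\"PROXY proxy.example.invalid:8080; DIRECT\\";}";\n'
        "chrome.proxy.settings.set({value: {mode: 'pac_script', pacScript: {data: pac}}, scope: 'regular'});\n",
        encoding="utf-8")
    # Clean vendored jQuery: banner first, so it must not be flagged.
    (root / "js" / "vendor.js").write_text(
        "/*! jQuery v3.6.0 | (c) OpenJS Foundation */\n!function(e,t){}();\n", encoding="utf-8")


def scan_sample() -> dict:
    """Build the constructed sample in a temp dir and scan it."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp) / "sample_ext"
        build_sample_extension(root)
        return scan_extension(root)


if __name__ == "__main__":
    result = scan_sample()
    print(json.dumps(result, indent=2))
    print("risk score:", risk_score(result))
```

Point `scan_extension` at an unpacked extension directory (the folder Chrome keeps under its profile's `Extensions` directory, or a CRX unzipped for review) and treat a high score as a reason to inspect the proxy configuration by hand, in particular which hosts the PAC logic sends to the proxy and which it exempts.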

Acting as a man-in-the-middle, the extensions can intercept authentication challenges, capture credentials and personal data from web forms, steal session cookies, and extract API tokens from network requests.

Users are advised to install extensions only from reputable publishers, review permissions carefully, and check multiple user reviews before installing.
