Malicious Chrome VPN Extensions Phantom Shuttle Steal User Credentials; Users Urged to Uninstall Immediately

Beware: Malicious Chrome VPN Extensions Stealing User Credentials

In a concerning development, two deceptive Chrome extensions, both branded Phantom Shuttle, have been masquerading as legitimate VPN services, compromising more than two thousand users by routing their web traffic through attacker-controlled proxies and extracting login credentials.

The Deceptive Facade

These malicious extensions have been listed in the Chrome Web Store since 2017 and have amassed over 2,180 installations. Despite their prolonged presence, they have largely evaded detection and continue to operate. The two variants differ in appearance but function identically, and both are published by an entity using the email address theknewone.com@gmail[.]com. Once installed, they route the user's browsing through servers the attackers control and transmit captured credentials to attacker-run infrastructure.

Luring the Unsuspecting

The extensions are marketed as multi-location network speed testing plugins, targeting developers and individuals involved in international trade, particularly those operating between China and other regions. Users are enticed to purchase subscriptions priced between 9.9 and 95.9 yuan (approximately $1.40 to $13.50 USD) through reputable payment platforms such as Alipay and WeChat Pay. Upon subscription, users receive working proxy services that perform real latency tests and display connection status, creating an illusion of legitimacy. Because the paid service genuinely works, users have little reason to suspect what is happening in the background.

Technical Intricacies of the Attack

Security analysts at Socket.dev have uncovered the mechanism these extensions use to take over user traffic. The extensions register a handler that fires on every HTTP authentication challenge the browser receives, for any website, and answer it with hardcoded proxy credentials (username: topfany, password: 963852wei) without the user's knowledge. With the browser's traffic pointed at their proxy servers and every proxy-authentication challenge answered silently, the attackers sit in a man-in-the-middle position on all browsing. One caveat a practitioner should keep in mind: a proxy in this position sees the destination host of every connection and the full contents of plaintext HTTP, but the contents of HTTPS sessions stay encrypted unless the proxy also breaks TLS.

Mechanism of Authentication Hijacking

The malicious code is embedded within modified JavaScript libraries bundled with the extension, specifically in files such as jquery-1.12.2.min.js and scripts.js. To evade detection, the extensions obfuscate the hardcoded proxy credentials with a custom character-index encoding scheme and decode them at runtime. They register a listener on chrome.webRequest.onAuthRequired, intercepting authentication challenges before they reach the user. The listener runs in asyncBlocking mode: the browser holds the request until the listener calls back with credentials, so no prompt is ever shown and the user never learns that a challenge occurred. Because the listener is not scoped to the attacker's proxy, it answers challenges from any site, not only the proxy's own 407 responses.
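The following is an added illustration of the onAuthRequired hijack pattern described above, not code from the Phantom Shuttle extension or from Socket's report. The credentials are the ones the analysis names; the stand-in for chrome.webRequest, the two challenge objects and the function names are constructed so that the example runs under Node without a browser. In the real extension the strings are stored obfuscated and decoded at runtime; here they are plain.

```javascript
"use strict";

// Minimal stand-in for chrome.webRequest.onAuthRequired (constructed for this example).
// It honours the filter/extraInfoSpec arguments and synthesises what the browser would do
// with a 401/407 challenge; "asyncBlocking" is modelled synchronously for simplicity.
function makeFakeWebRequest() {
  const listeners = [];
  return {
    onAuthRequired: {
      addListener(cb, filter, extraInfoSpec) {
        listeners.push({ cb, filter: filter || { urls: [] }, extraInfoSpec: extraInfoSpec || [] });
      },
    },
    // Returns the decision for this challenge: supplied authCredentials, cancel, or
    // { prompt: true } meaning the browser would have to ask the user.
    challenge(details) {
      const l = listeners.find(
        (x) => x.filter.urls.includes("<all_urls>") || x.filter.urls.includes(details.url)
      );
      if (!l) return { prompt: true };
      let decision = { prompt: true };
      if (l.extraInfoSpec.includes("asyncBlocking")) {
        // The browser holds the request until asyncCallback is invoked.
        l.cb(details, (response) => { decision = response || { prompt: true }; });
      } else if (l.extraInfoSpec.includes("blocking")) {
        decision = l.cb(details) || { prompt: true };
      }
      return decision;
    },
  };
}

// The hijack pattern: one listener, <all_urls>, asyncBlocking, always the same credentials.
function installAuthHijack(webRequest, creds, log) {
  webRequest.onAuthRequired.addListener(
    (details, asyncCallback) => {
      log.push({ url: details.url, isProxy: details.isProxy, realm: details.realm });
      asyncCallback({ authCredentials: { username: creds.username, password: creds.password } });
    },
    { urls: ["<all_urls>"] },
    ["asyncBlocking"]
  );
}

// Drive it with two constructed challenges: the proxy's own 407 and an ordinary site's Basic-auth 401.
function demo() {
  const webRequest = makeFakeWebRequest();
  const seen = [];
  installAuthHijack(webRequest, { username: "topfany", password: "963852wei" }, seen);

  const proxyChallenge = { url: "https://example.com/", isProxy: true, scheme: "basic", realm: "proxy",
    challenger: { host: "proxy.example", port: 8080 } };
  const siteChallenge = { url: "https://intranet.example/admin", isProxy: false, scheme: "basic", realm: "admin",
    challenger: { host: "intranet.example", port: 443 } };

  return {
    proxy: webRequest.challenge(proxyChallenge), // credentials supplied, traffic flows through the proxy
    site: webRequest.challenge(siteChallenge),   // also answered: the site's challenge never reaches the user
    seen,
  };
}

// Control: with no listener registered, the browser would prompt the user.
function withoutHijack() {
  return makeFakeWebRequest().challenge({ url: "https://intranet.example/admin", isProxy: false });
}
```

Run `demo()` and compare its `site` result with `withoutHijack()`: the difference between `{ authCredentials: ... }` and `{ prompt: true }` is exactly what the user loses when the extension is installed. The same shape of listener, registered with `<all_urls>`, is what a reviewer should look for in any extension that requests the proxy or webRequest permissions.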

Continuous Data Exfiltration

The extensions poll the command-and-control server at phantomshuttle.space with a heartbeat every 60 seconds. Each heartbeat transmission and each VIP-status check carries the user's account email address and password in plaintext to the attacker's infrastructure; for active users these credential-bearing requests recur about every five minutes.
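A fixed-interval beacon to a single domain is easy to pick out of proxy or DNS logs. The example below is added here and is not part of Socket's analysis; the log format (ISO timestamp, client address, queried host) and all log lines are constructed, and the interval, jitter and thresholds are this example's own choices tuned to the 60-second heartbeat described above.

```javascript
"use strict";

// Constructed log sample: 10.0.0.12 beacons once a minute, 10.0.0.40 contacts the domain only
// twice, 10.0.0.77 hits it five times but irregularly (a human browsing, not a timer).
const SAMPLE_LOG = `
2025-12-22T09:00:01Z 10.0.0.12 phantomshuttle.space
2025-12-22T09:00:05Z 10.0.0.12 www.example.com
2025-12-22T09:00:10Z 10.0.0.77 phantomshuttle.space
2025-12-22T09:01:01Z 10.0.0.12 phantomshuttle.space
2025-12-22T09:02:01Z 10.0.0.12 phantomshuttle.space
2025-12-22T09:02:30Z 10.0.0.40 phantomshuttle.space
2025-12-22T09:03:02Z 10.0.0.12 phantomshuttle.space
2025-12-22T09:04:00Z 10.0.0.12 phantomshuttle.space
2025-12-22T09:07:10Z 10.0.0.77 phantomshuttle.space
2025-12-22T09:08:10Z 10.0.0.77 phantomshuttle.space
2025-12-22T09:10:00Z 10.0.0.40 phantomshuttle.space
2025-12-22T09:30:10Z 10.0.0.77 phantomshuttle.space
2025-12-22T09:31:10Z 10.0.0.77 phantomshuttle.space
`.trim();

// Parse "timestamp client host" lines into { t (epoch seconds), client, host }.
function parseLog(text) {
  return text.split("\n").filter(Boolean).map((line) => {
    const [ts, client, host] = line.trim().split(/\s+/);
    return { t: Date.parse(ts) / 1000, client, host };
  });
}

// Group contacts with `domain` per client, compute inter-arrival gaps, and flag clients whose
// gaps cluster around intervalSec. `ratio` is the fraction of gaps that must look periodic.
function findBeacons(entries, { domain, intervalSec = 60, jitterSec = 5, minHits = 4, ratio = 0.75 }) {
  const byClient = new Map();
  for (const e of entries) {
    if (e.host !== domain && !e.host.endsWith("." + domain)) continue;
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e.t);
  }
  const hits = [];
  for (const [client, times] of byClient) {
    times.sort((a, b) => a - b);
    if (times.length < minHits) continue;
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const regularGaps = gaps.filter((g) => Math.abs(g - intervalSec) <= jitterSec).length;
    if (regularGaps / gaps.length >= ratio) {
      hits.push({ client, contacts: times.length, regularGaps, gaps });
    }
  }
  return hits;
}

// Convenience wrapper over the constructed sample.
function demoBeacons() {
  return findBeacons(parseLog(SAMPLE_LOG), { domain: "phantomshuttle.space" });
}
```

On the sample only 10.0.0.12 is reported (five contacts, four gaps of 60, 60, 61 and 58 seconds). The two-contact client is below `minHits`, and 10.0.0.77 is rejected because only half of its gaps are near 60 seconds. In practice you would feed the same function the domain plus each client's DNS or proxy records over a day; a client that is flagged is a machine to pull the extension list from.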

Current Status and Recommendations

As of December 23, 2025, these malicious extensions remain active. Socket.dev has submitted takedown requests to Google's Chrome Web Store security team. Users who have installed these extensions are strongly advised to uninstall them immediately and to change their passwords: the credentials used for the extension's own account were sent to the attackers in plaintext, and any password entered in the browser while traffic was routed through the attackers' proxy should be treated as exposed.

Broader Implications

This incident underscores the persistent threat posed by malicious browser extensions. In recent years there have been multiple instances in which seemingly legitimate extensions were used to compromise user security. For example, the EditThisCookie extension, once a trusted tool for managing browser cookies, was removed from the Chrome Web Store in late 2024 after it was not migrated to Manifest V3. A fraudulent look-alike named EditThisCookie® then appeared in its place, engaging in credential theft and phishing. Similarly, the Cyberhaven Chrome extension, associated with a reputable data loss prevention provider, was compromised in December 2024 after attackers phished a developer's Chrome Web Store account. They published a malicious update that exfiltrated sensitive user data, including authenticated sessions and cookies, to rogue domains.

Protective Measures

To safeguard against such threats, users should exercise caution when installing browser extensions. Verify the publisher, scrutinize user reviews, and read the permission prompt: an extension that asks for the proxy or webRequest permissions together with access to all sites can do exactly what Phantom Shuttle does, and a "speed test" tool has no need for them. Watch for unusual browser behaviour such as authentication prompts that never appear or traffic that all flows through one unexpected proxy. Keeping security software up to date and staying informed about emerging threats further reduces the window in which an extension like this can operate unnoticed.