Chrome extensions are supposed to make your browser more useful, but they’ve quietly become one of the easiest ways for attackers to spy on what you do online. Security researchers recently uncovered two Chrome extensions that have been doing exactly that for years.
These extensions looked like harmless proxy tools, but behind the scenes, they were hijacking traffic and stealing sensitive data from users who trusted them. What makes this case worse is where these extensions were found. Both were listed on Chrome’s official extension marketplace.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.
FAKE AI CHAT RESULTS ARE SPREADING DANGEROUS MAC MALWARE
Security researchers uncovered malicious Chrome extensions that quietly routed users’ web traffic through attacker-controlled servers to steal sensitive data. (Gokhan Balci/Anadolu Agency/Getty Images)
Malicious Chrome extensions hiding in plain sight
Researchers at Socket discovered two Chrome extensions using the same name, “Phantom Shuttle,” that were posing as tools for proxy routing and network speed testing (via Bleeping Computer). According to the researchers, the extensions have been active since at least 2017.
Both extensions were published under the same developer name and marketed towards foreign trade workers who need to test internet connectivity from different regions. They were sold as subscription-based tools, with prices ranging from roughly $1.40 to $13.60.
At a glance, everything looked normal. The descriptions matched the functionality. The pricing seemed reasonable. The problem was what the extensions were doing after installation.
How Phantom Shuttle steals your data
Socket researchers say Phantom Shuttle routes all your web traffic through proxy servers controlled by the attacker. Those proxies use hardcoded credentials embedded directly into the extension’s code. To avoid detection, the malicious logic is hidden inside what appears to be a legitimate jQuery library.
The attackers didn’t just leave credentials sitting in plain text. The extensions hide them using a custom character-index encoding scheme. Once active, the extension listens to web traffic and intercepts HTTP authentication challenges on any site you visit.
To make sure traffic always flows through their infrastructure, the extensions dynamically reconfigure Chrome’s proxy settings using an auto-configuration script. This forces your browser to route requests exactly where the attacker wants them.
In its default “smarty” mode, Phantom Shuttle routes traffic from more than 170 high-value domains through its proxy network. That list includes developer platforms, cloud service dashboards, social media sites and adult content portals. Local networks and the attacker’s own command-and-control domain are excluded, likely to avoid breaking things or raising suspicion.
While acting as a man-in-the-middle, the extension can capture anything you submit through web forms. That includes usernames, passwords, card details, personal information, session cookies from HTTP headers and API tokens pulled directly from network requests.
CyberGuy contacted Google about the extensions, and a spokesperson confirmed that both have been removed from the Chrome Web Store.
10 SIMPLE CYBERSECURITY RESOLUTIONS FOR A SAFER 2026
Two Chrome extensions posing as proxy tools were found spying on users for years while listed on Google’s official Chrome Web Store. (Yui Mok/PA Images via Getty Images)
How to review the extensions installed in your browser (Chrome)
The step-by-step instructions below apply to Windows PCs, Macs and Chromebooks. In other words, desktop Chrome. Chrome extensions cannot be fully reviewed or removed from the mobile app.
Step 1: Open your extensions list
- Open Chrome on your computer.
- Click the three-dot menu in the top-right corner.
- Select Extensions
- Then click Manage Extensions.
You can also type this directly into the address bar and press Enter:
chrome://extensions
Step 2: Look for anything you do not recognize
Go through every extension listed and ask yourself:
- Do I remember installing this?
- Do I still use it?
- Do I know what it actually does?
If the answer is no to any of these, take a closer look.
Step 3: Review permissions and access
Click Details on any extension you are unsure about. Pay attention to:
- Permissions, especially anything that can read or change data on websites you visit
- Site access, such as extensions that run on all sites
- Background access, which allows the extension to stay active even when not in use
Proxy tools, VPNs, downloaders and network-related extensions deserve extra scrutiny.
Step 4: Disable suspicious extensions first
If something feels off, toggle the extension off. This immediately stops it from running without deleting it. If everything still works as expected, the extension was likely not essential.
Step 5: Remove extensions you no longer need
To fully remove an extension:
- Click Remove
- Confirm when prompted
Unused extensions are a common target for abuse and should be cleaned out regularly.
Step 6: Restart Chrome
Close and reopen Chrome after making changes. This ensures disabled or removed extensions are no longer active.
MICROSOFT TYPOSQUATTING SCAM SWAPS LETTERS TO STEAL LOGINS
Cybersecurity experts warn that trusted browser extensions can become powerful surveillance tools once installed. (Gabby Jones/Bloomberg via Getty Images)
6 steps you can take to stay safe from malicious Chrome extensions
You can’t control what slips through app store reviews, but you can reduce your risk by changing how you install and manage extensions.
1) Install extensions only when absolutely necessary
Every extension increases your attack surface. If you don’t genuinely need it, don’t install it. Convenience extensions often come with far more permissions than they deserve.
2) Check the publisher carefully
Reputable developers usually have a history, a website and multiple well-known extensions. Be cautious with tools from unknown publishers, especially those offering network or proxy features.
3) Read multiple user reviews, not just ratings
Star ratings can be faked or manipulated. Look for detailed reviews that mention long-term use. Watch out for sudden waves of generic praise.
4) Review permissions before clicking install
If an extension asks to “read and change all data on websites you visit,” take that seriously. Proxy tools and network extensions can see everything you do.
5) Use a password manager
A password manager won’t stop a malicious extension from spying on traffic, but it can limit damage. Unique passwords mean stolen credentials can’t unlock multiple accounts. Many managers also refuse to autofill on suspicious pages.
Next, see if your email has been exposed in past breaches. Our #1 password manager (see Cyberguy.com/Passwords) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.
6) Install strong antivirus software
Strong antivirus software can flag suspicious network activity, proxy abuse and unauthorized changes to browser settings. This adds a layer of defense beyond Chrome’s own protections.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Kurt’s key takeaway
This attack doesn’t rely on phishing emails or fake websites. It works because the extension itself becomes part of your browser. Once installed, it sees nearly everything you do online. Extensions like Phantom Shuttle are dangerous because they blend real functionality with malicious behavior. The extensions deliver the proxy service they promise, which lowers suspicion, while quietly routing user data through attacker-controlled servers.
When was the last time you reviewed the extensions installed in your browser? Let us know by writing to us at Cyberguy.com.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.
Copyright 2025 CyberGuy.com. All rights reserved.