Scams & Phishing News: Malicious extensions in Chrome Web Store steal user credentials

Brownie2019 (Thread author) · Mar 9, 2019 · Germany
Two Chrome extensions in the Web Store named 'Phantom Shuttle' are posing as plugins for a proxy service to hijack user traffic and steal sensitive data.

Both extensions are still present in Chrome's official marketplace at the time of writing and have been active since at least 2017, according to a report from researchers at the Socket supply-chain security platform.

Phantom Shuttle’s target audience is users in China, including foreign trade workers who need to test connectivity from various locations in the country.
This article is a good reminder that “Chrome Web Store listed” does not guarantee an extension is trustworthy—especially for extensions that act as a proxy/VPN, because they can see and tamper with a lot of your traffic.

What the report is alleging (in practical terms)
If an extension is truly acting as a malicious proxy, it can potentially:
  • Intercept usernames/passwords and session cookies (account takeover risk)
  • Redirect you to phishing pages or inject content into sites you visit
  • Harvest browsing data (URLs, forms, identifiers)
  • Force traffic through attacker-controlled infrastructure

What to do if you installed either “Phantom Shuttle” extension
  • Remove the extension immediately (Chrome → Extensions → Remove).
  • Assume credentials may be exposed if you logged into sites while it was enabled:
    • Change passwords for important accounts (email first, then banking/work).
    • Enable/verify MFA on those accounts.
    • Revoke active sessions/tokens (most major services have “log out of all devices”).
  • Check for persistence:
    • Review Chrome extension list for anything unfamiliar.
    • Check if Chrome is “Managed by your organization” (chrome://policy) and look for policies forcing extensions.
  • Reset browser settings (optional but reasonable if you saw redirects/odd behavior): Chrome settings → “Reset settings”.
  • Run an on-demand scan with a reputable AV (this won’t “prove” the extension’s behavior, but it can catch common follow-on malware).

If this is in a work environment
  • Use an extension allowlist (block all, allow approved) via enterprise policy.
  • Avoid proxy/VPN extensions unless there is a strong business case; prefer a vetted, signed client from a known vendor.
  • Treat any accounts used during the exposure window as potentially compromised and follow your incident response playbook.

Reporting / community follow-up
If the extensions are still visible in the Web Store when you check, use the store listing’s “Report abuse” and consider posting the extension IDs here so other members can confirm and help with containment steps.

Key takeaway: for proxy/VPN-style extensions, the safest default is “don’t install unless you can verify the publisher and there’s a strong reason,” because the impact of a bad one is disproportionately high.
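For the "check for persistence" and "look for policies forcing extensions" steps in the reply above, here is an added example (my own code, not from the thread, the Socket report, or Google): it walks a Chrome profile's Extensions folder, reads each manifest.json, and flags extensions that combine traffic-capable permissions (proxy, webRequest, and similar) with access to every site, which is the capability profile a malicious proxy extension would need. It also lists extension IDs force-installed through the ExtensionInstallForcelist policy in Linux managed-policy JSON files. Assumed paths: a Linux Google Chrome profile under ~/.config/google-chrome/Default and managed policies under /etc/opt/chrome/policies/managed; on Windows the policies live in the registry instead, so only the manifest scan applies there unchanged. The two manifests, the policy file and the 32-character IDs in demo() are constructed for the demo.

```python
"""Added example: triage Chrome extension manifests by requested permissions and
list policy-forced extension IDs. Paths and sample manifests are assumptions
for the demo, not values from the thread."""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension observe or reroute traffic or reach into
# other sites' sessions. A proxy/VPN extension legitimately needs "proxy",
# which is exactly why the publisher of such an extension deserves scrutiny.
HIGH_RISK = {"proxy", "webRequest", "webRequestBlocking", "declarativeNetRequest",
             "cookies", "debugger", "nativeMessaging"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Return the risky permissions and broad host patterns a manifest requests.

    Handles Manifest V2 (host patterns mixed into "permissions") and
    Manifest V3 (hosts split out into "host_permissions").
    """
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for p in list(perms):  # MV2: anything that looks like a match pattern is a host
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
            perms.discard(p)
    risky = sorted(perms & HIGH_RISK)
    broad = sorted(hosts & BROAD_HOSTS)
    return {
        "name": manifest.get("name", "?"),  # may be a "__MSG_...__" localized key
        "version": manifest.get("version", "?"),
        "risky_permissions": risky,
        "broad_hosts": broad,
        # Traffic-capable permission plus access to every site: the pattern to review.
        "flag": bool(risky) and bool(broad),
    }


def scan_extensions_dir(ext_dir: Path) -> dict:
    """Map extension ID -> assessment for every <id>/<version>/manifest.json."""
    results = {}
    for manifest_path in sorted(ext_dir.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        with manifest_path.open(encoding="utf-8") as fh:
            results[ext_id] = assess_manifest(json.load(fh))
    return results


def forced_extension_ids(policy_dir: Path) -> list:
    """Collect IDs from ExtensionInstallForcelist entries ("<id>;<update_url>")."""
    ids = []
    for policy_file in sorted(policy_dir.glob("*.json")):
        with policy_file.open(encoding="utf-8") as fh:
            for entry in json.load(fh).get("ExtensionInstallForcelist", []):
                ids.append(entry.split(";", 1)[0])
    return ids


def demo() -> dict:
    """Build a constructed profile layout in a temp dir and scan it."""
    benign = {"name": "Tab Counter", "version": "1.0", "manifest_version": 3,
              "permissions": ["tabs"]}
    proxyish = {"name": "Some Proxy Helper", "version": "2.3", "manifest_version": 2,
                "permissions": ["proxy", "webRequest", "webRequestBlocking", "<all_urls>"]}
    policy = {"ExtensionInstallForcelist": [
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx"]}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext_id, manifest in (("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", benign),
                                 ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", proxyish)):
            d = root / "Extensions" / ext_id / f"{manifest['version']}_0"
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        pol = root / "policies" / "managed"
        pol.mkdir(parents=True)
        (pol / "ext.json").write_text(json.dumps(policy), encoding="utf-8")
        findings = scan_extensions_dir(root / "Extensions")
        forced = forced_extension_ids(pol)
    return {"findings": findings, "forced": forced}


if __name__ == "__main__":
    out = demo()
    for ext_id, r in out["findings"].items():
        mark = "FLAG" if r["flag"] else "ok  "
        print(f"{mark} {ext_id} {r['name']} risky={r['risky_permissions']} hosts={r['broad_hosts']}")
    print("force-installed by policy:", out["forced"])
```

Against a real profile, call scan_extensions_dir(Path.home() / ".config/google-chrome/Default/Extensions") and forced_extension_ids(Path("/etc/opt/chrome/policies/managed")). A flag is a prompt to check the publisher and the ID against the store listing, not proof of malice: every proxy or VPN extension will trip it. For the allowlist the reply recommends, the Chrome policies are ExtensionInstallBlocklist set to ["*"] together with ExtensionInstallAllowlist listing the approved IDs.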