These malicious Google Chrome extensions have stolen data from over 170 sites - find out if you're affected

Two Chrome extensions were found eavesdropping on people's browsing

News By Sead Fadilpašić published 24 December 2025

(Image credit: Tada Images / Shutterstock) Share Share by:

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google

• Malicious Google Chrome extensions "Phantom Shuttle" secretly rerouted traffic through attacker-controlled proxies
• Extensions targeted Chinese users, harvesting credentials from 170 high-value domains
• Google removed the plugins; experts warn browser add-ons remain a major security risk

Security researchers recently discovered two extensions for the Google Chrome browser were rerouting valuable traffic through compromised proxies, and thus sharing sensitive information with malicious third parties.

Socket said it found two extensions in the Chrome Web Store, named ‘Phantom Shuttle’. On the surface, these were advertised as plugins for a proxy service, allowing users to proxy traffic and test network speeds, and were targeted mostly for Chinese users such as foreign trade workers who need to test connectivity from different locations in the country.

The plugins, which were first uploaded to the store back in 2017, even came with a price tag - a monthly subscription costing anywhere between $1.40 and $13.60.

Removed from the repository

However, besides doing what it said it would do, Phantom Shuttle also routed user web traffic through proxies that the threat actor owned, which allowed them to pick up on login credentials, payment card details, personal information, and more.

It didn’t route all of the traffic though. Instead, it listens for roughly 170 high-value domains, such as developer platforms, cloud service consoles, social media sites, and adult content portals, to make sure only valuable information gets picked up.

Local networks and C2 domains were excluded from the list, to make sure the plugins don’t raise any alarms. Google has since removed both extensions from the app store and searching for ‘Phantom Shuttle’ returns no results.

The internet browser is the most important piece of software on any modern computer, and as such is a major target for cybercriminals. While most browsers in use today are relatively secure (Chrome, for example, had only eight zero-day vulnerabilities so far in 2025), add-ons are something of a weak spot, allowing creative crooks to sneak malicious code into the program.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors