The Hacker - 🛑 Two Chrome extensions were caught intercepting user data from over 170 sites

  • Dec 24, 2025
  • 2 min read

Key Findings:


  • Two malicious Google Chrome extensions named "Phantom Shuttle" have been discovered secretly stealing user credentials from over 170 websites.

  • The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel.

  • The extensions execute complete traffic interception, operate as man-in-the-middle proxies, and continuously exfiltrate user data to a command-and-control server.

  • Once users make a subscription payment, the extensions auto-enable a "smarty" proxy mode that routes traffic from the targeted domains through the attacker's infrastructure.

  • The extensions are designed to automatically inject hard-coded proxy credentials into every HTTP authentication challenge, allowing the attacker to capture traffic, manipulate responses, and inject arbitrary payloads.

  • The theft of developer secrets could pave the way for supply chain attacks.


Background


The two Chrome extensions, both named "Phantom Shuttle," were published by the same developer. The first extension (ID: fbfldogmkadejddihifklefknmikncaj) has around 2,000 users and was published on November 26, 2017, while the second (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd) has 180 users and was published on April 27, 2023.


Traffic Interception and Credential Theft


Once users make a subscription payment, ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), the extensions auto-enable the "smarty" proxy mode, which routes traffic from over 170 targeted domains through the attacker's command-and-control infrastructure.


The extensions are designed to automatically inject hard-coded proxy credentials (topfany / 963852wei) into every HTTP authentication challenge across all websites by registering a listener on the `chrome.webRequest.onAuthRequired` API. Because the listener is not scoped to proxy challenges from the attacker's own host, the same credentials are offered to any site that issues an authentication challenge, and every proxy challenge is accepted silently. This is what lets the attacker capture user traffic, manipulate responses, and inject arbitrary payloads once the "smarty" proxy mode is on.


Targeted Domains and Potential Impact


The list of targeted domains includes developer platforms (GitHub, Stack Overflow, Docker), cloud services (Amazon Web Services, Digital Ocean, Microsoft Azure), enterprise solutions (Cisco, IBM, VMware), social media (Facebook, Instagram, Twitter), and adult content sites. The inclusion of pornographic sites is likely an attempt to blackmail victims.


Stolen developer secrets from these high-value domains (repository, registry and cloud credentials in particular) could be used for supply chain attacks, in which the attacker leverages the stolen credentials to push malicious code or gain further access and compromise downstream systems.


Attacker's Infrastructure and Monetization


The extensions maintain a 60-second heartbeat to the command-and-control server at `phantomshuttle[.]space`, a domain that remains operational, and transmit the user's email, password in plaintext, and version number to the same server via an HTTP GET request every five minutes, enabling continuous credential exfiltration and session monitoring.


The subscription model creates victim retention while generating revenue, and the professional infrastructure with payment integration presents a facade of legitimacy, making users believe they're purchasing a VPN service while unknowingly enabling complete traffic compromise.


Conclusion


The findings highlight the growing risk of browser extensions, which attackers can use to intercept traffic and steal sensitive user data. Users who have installed either extension should uninstall it immediately, change their passwords for any of the targeted services, and treat API tokens, SSH keys and session cookies used on those services while the proxy was active as exposed.


Sources


  • https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html

  • https://www.sepe.gr/en/it-technology/cybersecurity/22669000/two-chrome-extensions-caught-secretly-stealing-credentials-from-over-170-sites/

  • https://x.com/TheCyberSecHub/status/2003484808748634422

  • https://www.instagram.com/p/DSnCbpDjwnW/

  • https://www.facebook.com/thehackernews/photos/-two-chrome-extensions-were-caught-intercepting-browser-traffic-and-stealing-cre/1251876426976938/

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page