Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites
Kawish Hussain
December 24, 2025
Learn about the two malicious Chrome extensions that have been secretly stealing user credentials from over 170 websites and get tips on how to protect yourself.
A serious wake-up call just hit the developer community. Security researchers at Socket have uncovered a pair of malicious Chrome extensions hiding under the name Phantom Shuttle. These aren't your typical annoying adware; they are sophisticated data-harvesting tools disguised as multi-location network speed test plugins.
The scheme is clever because it targets professionals who actually need these tools: developers and foreign trade workers. By offering a subscription model ranging from about $1.40 to $13.50 USD, the extension's developer creates a false sense of legitimacy. Most people assume that if they are paying for a service via Alipay or WeChat Pay, it must be a real product. In reality, that VIP status is just the trigger that starts routing your most sensitive traffic through a server controlled by the attackers.
How the Trap Works
The technical side of the trap is particularly devious. The extensions use a feature they call smart proxy mode. Once you pay up, the extension silently configures a Proxy Auto-Configuration (PAC) script. Rather than routing all of your traffic through the attackers' proxy, which would be easier to spot, the script selectively routes only traffic to over 170 high-value domains. We are talking about the heavy hitters in a developer's daily workflow:
- Developer Platforms: GitHub, Stack Overflow, and Docker.
- Cloud Services: AWS, Digital Ocean, and Microsoft Azure.
- Enterprise Solutions: Cisco, IBM, and VMware.
- Social Media: Facebook, Instagram, and Twitter.
The Man-in-the-Middle Attack
While you think you are just getting a faster connection to check your repo, the extension is performing a Man-in-the-Middle (MitM) attack. It modifies bundled JavaScript libraries to inject hardcoded credentials into the proxy's authentication challenges, so your traffic passes through the attackers' server without any prompt you would notice.
The researchers found that the extension even sends a "heartbeat" to a command-and-control server every few minutes. This heartbeat transmits your email and password in plaintext. It also captures:
- Credit card numbers
- Authentication cookies
- API keys and access tokens
- Full browsing history
Why This Matters for Developers
For a frontend developer, the theft of API keys or session cookies can lead to massive supply chain attacks. If an attacker gets into your GitHub or your cloud console, they don't just have your data; they have the keys to your entire production environment.
The operation seems to be based in China, given the payment integrations and the use of Alibaba Cloud for the backend. It has also been active in some form since 2017, proving that malicious code can sit in the Chrome Web Store for years if it stays under the radar.
Protecting Your Workflow
If you have any extension named Phantom Shuttle installed, delete it immediately. The specific IDs to look for are:
- fbfldogmkadejddihifklefknmikncaj
- ocpcmfmiidofonkbodpdhgddhlcmcofd
For those of us in the dev world, this is a good reminder to audit our browser extensions. We often treat the browser like a safe sandbox, but a single malicious plugin with proxy permissions can effectively bypass almost every layer of security you have in place. Stick to verified tools and be wary of any plugin that demands broad permissions in order to function.