Two Google Chrome extensions, both called Phantom Shuttle, recently came under scrutiny for quietly collecting sensitive user information. While they appeared to help users test internet speed across multiple locations, they were secretly intercepting web traffic and stealing login credentials.
What Happened?
Security researchers discovered that the extensions were published by the same developer under different IDs. One version had been around since 2017 with about 2,000 users, while a newer 2023 version had fewer installs.
Users paid monthly fees between $1 and $13, believing they were subscribing to a legitimate VPN-like service. Instead, both extensions performed the same hidden actions: silently routing traffic through attacker-controlled servers and capturing sensitive data without user consent.

How the Extensions Worked
Once installed, the extensions activated a proxy mode, rerouting traffic from selected websites. They appeared normal, running real speed tests and showing connection status, but behind the scenes they:
- Intercepted login requests for websites
- Injected hard-coded credentials to bypass authentication prompts
- Maintained continuous communication with an attacker-controlled server
This allowed the attackers to see and capture sensitive information in real time.
Which Websites Were Targeted?
Rather than monitoring everything, the extensions focused on high-value websites, including:
- Developer platforms: GitHub, Stack Overflow, Docker
- Cloud services: AWS, DigitalOcean, Microsoft Azure
- Enterprise tools: Cisco, IBM, VMware
- Social media: Facebook, Instagram, Twitter (X)
Targeting these services gave attackers access to credentials that could be reused for deeper account compromise.
Who’s Behind It?
The identities of those running the operation remain unclear. Analysts observed that the extensions featured Chinese-language text, supported local payment methods such as Alipay and WeChat Pay, and relied on Alibaba Cloud for hosting, all of which indicate the operation could be based in China.
Why You Should Care
Browser extensions have deep access to your activity but are often overlooked. Even tech-savvy users can be fooled by tools that look legitimate.
If you installed these extensions, you should:
- Remove them immediately from Chrome
- Reset passwords for any accounts you accessed while they were installed
Organizations should monitor for suspicious proxy activity, enforce extension policies, and only allow trusted add-ons.
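As an added defensive example (not code from the original post or from the researchers who analysed the extensions), the following Python script audits the extension manifests in a local Chrome profile for the combination of capabilities described above: the proxy API, web-request interception, and host access to every site. The sample manifests are constructed for illustration, and the profile directory layout (`Extensions/<id>/<version>/manifest.json`) is Chrome's standard one.

```python
"""Audit Chrome extension manifests for the capability combination Phantom Shuttle
used: proxying traffic plus reading or blocking web requests on every site."""
import json
from pathlib import Path

# Permission names are Chrome extension API permissions.
PROXY_PERMS = {"proxy"}
INTERCEPT_PERMS = {"webRequest", "webRequestBlocking",
                   "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risk_flags(manifest: dict) -> list[str]:
    """Return risk flags for one manifest; an empty list means nothing notable."""
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    hosts |= set(manifest.get("host_permissions", []))
    flags = []
    if perms & PROXY_PERMS:
        flags.append("can reroute traffic through a proxy (proxy API)")
    if perms & INTERCEPT_PERMS:
        flags.append("can read or block web requests")
    if hosts & BROAD_HOSTS:
        flags.append("host access to every site")
    # All three together let an extension silently intercept logins anywhere.
    if (perms & PROXY_PERMS) and (perms & INTERCEPT_PERMS) and (hosts & BROAD_HOSTS):
        flags.append("HIGH: proxy + request interception + all-sites access")
    return flags


def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; report flags per id."""
    report = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        flags = risk_flags(manifest)
        if flags:
            report[manifest_path.parts[-3]] = flags  # parts[-3] is the extension id
    return report


# Constructed sample manifests, not the real Phantom Shuttle manifests.
SUSPICIOUS = {"manifest_version": 3, "name": "Speed Test Helper",
              "permissions": ["proxy", "webRequest", "storage"],
              "host_permissions": ["<all_urls>"]}
BENIGN = {"manifest_version": 3, "name": "Notes", "permissions": ["storage"]}

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, risk_flags(manifest) or ["no flags"])
```

To run it against a real profile, call `audit_profile(Path(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions"))` with the placeholder expanded for the machine in question; any extension reported HIGH deserves the same removal and password-reset steps listed above.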
Key Takeaways
- Phantom Shuttle extensions appeared helpful but secretly captured credentials
- Over 170 high-value websites were targeted
- Subscription fees made them seem legitimate while enabling attacks
- Browser extensions can be a hidden security risk for anyone
Protect Yourself with Skyriver IT
Incidents like this show how even everyday tools can put your data at risk. At Skyriver IT, we help businesses and individuals stay ahead of threats with proactive monitoring, endpoint protection, and smarter access controls. Contact us today to see how we can help secure your devices, manage risky extensions, and protect your accounts from cyber threats before they happen.
