Beware These Rogue Chrome Extensions Stealing Your Login Info from 170+ Sites
Cybersecurity researchers have uncovered a serious threat hiding inside the Google Chrome Web Store: two browser extensions that secretly collect user credentials from more than 170 popular websites. Disguised as a “multi-location network speed test tool,” the extensions — both named Phantom Shuttle — appeared to target developers and international business users. In reality, they were quietly harvesting sensitive data from unsuspecting victims.
The extensions required users to pay a small subscription fee, making them seem more legitimate and trustworthy. Once installed and activated, however, they executed hidden functionality that rerouted browser traffic through attacker-controlled proxy servers. This effectively placed users in a man-in-the-middle situation without their knowledge, allowing the operators behind the extensions to monitor and intercept network activity.
Behind the scenes, the malicious code injected hard-coded proxy credentials into authentication requests made by the browser. This process occurred automatically and invisibly, giving users no indication that anything was wrong. As a result, email addresses, login credentials, and other sensitive information could be captured and sent to a remote server at regular intervals.
What made the attack particularly deceptive was that the extensions still performed some of their advertised features. They displayed network latency results and connection statuses, helping them blend in as legitimate tools. Meanwhile, traffic from a carefully selected list of high-value websites — including developer platforms, cloud services, social networks, enterprise tools, and other widely used services — was silently routed through the attackers’ proxy infrastructure.
Once traffic was intercepted, users’ privacy was effectively lost. In addition to stealing credentials and session cookies, attackers could manipulate responses, inject unwanted content, or potentially stage further attacks. This posed a serious risk not only to individual users but also to organizations, especially when corporate accounts or cloud platforms were involved.
Despite the severity of the findings, both extensions remained available at the time they were reported. This highlights an ongoing issue with browser extension marketplaces, where malicious tools can masquerade as useful utilities. Users who installed either Phantom Shuttle extension are strongly advised to remove them immediately, change their passwords, and review account activity. Organizations should also consider stricter controls on browser extensions and increase awareness of the risks they pose.
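For the stricter extension controls recommended above, one starting point is an inventory of which installed extensions declare the permissions that this kind of behavior needs. The following is an added example, not code from the researchers or from the extensions themselves. It assumes the proxy rerouting and credential injection relied on Chrome's standard `proxy` and `webRequest` authentication permissions, which the article does not confirm, and the sample manifests are constructed.

```python
import json
from pathlib import Path

# Chrome permission names; which ones Phantom Shuttle declared is an assumption.
AUTH_PERMS = {"webRequestAuthProvider", "webRequestBlocking"}  # MV3 / MV2
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERM_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")

def audit_manifest(manifest: dict) -> set[str]:
    """Return risk flags for one parsed manifest.json."""
    perms = {p for key in PERM_KEYS for p in (manifest.get(key) or [])
             if isinstance(p, str)}
    flags = set()
    if "proxy" in perms:
        flags.add("proxy-control")      # may rewrite the browser's proxy settings
    if "webRequest" in perms and perms & AUTH_PERMS:
        flags.add("auth-responder")     # may answer authentication challenges
    if perms & BROAD_HOSTS:
        flags.add("all-sites")          # host access to every site
    if {"proxy-control", "auth-responder"} <= flags:
        flags.add("HIGH-RISK")          # can proxy traffic and authenticate silently
    return flags

def scan_extensions(ext_dir: Path) -> dict[str, set[str]]:
    """Audit every <ext_dir>/<extension id>/<version>/manifest.json."""
    report = {}
    for path in sorted(ext_dir.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            report[ext_id] = {"unreadable-manifest"}
            continue
        flags = audit_manifest(manifest)
        if flags:
            report[ext_id] = flags
    return report

# Constructed sample manifests (not taken from the real extensions).
SPEED_TEST = {"manifest_version": 3, "name": "Speed test (constructed)",
              "permissions": ["proxy", "webRequest", "webRequestAuthProvider"],
              "host_permissions": ["<all_urls>"]}
NOTES = {"manifest_version": 3, "name": "Notes (constructed)",
         "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (SPEED_TEST, NOTES):
        print(m["name"], sorted(audit_manifest(m)))
```

Point `scan_extensions` at the `Extensions` folder of a Chrome profile to build the inventory. Legitimate VPN and proxy-switching extensions declare the same permissions, so a `HIGH-RISK` flag marks an extension for review against an allowlist rather than proving it malicious.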







