
These malicious Google Chrome extensions have stolen data from over 170 sites - find out if you're affected

2025-12-24 16:20

Two Chrome extensions were found eavesdropping on people's browsing, stealing login credentials and payment card information.

By Sead Fadilpašić, published 24 December 2025

  • Malicious Google Chrome extensions "Phantom Shuttle" secretly rerouted traffic through attacker-controlled proxies
  • Extensions targeted Chinese users, harvesting credentials from 170 high-value domains
  • Google removed the plugins; experts warn browser add-ons remain a major security risk

Security researchers recently discovered that two extensions for the Google Chrome browser were rerouting valuable traffic through compromised proxies, and thus sharing sensitive information with malicious third parties.

Socket said it found two extensions in the Chrome Web Store, named ‘Phantom Shuttle’. On the surface, these were advertised as plugins for a proxy service, allowing users to proxy traffic and test network speeds, and were aimed mostly at Chinese users such as foreign trade workers who need to test connectivity from different locations in the country.

The plugins, which were first uploaded to the store back in 2017, even came with a price tag - a monthly subscription costing anywhere between $1.40 and $13.60.


Removed from the repository

However, besides doing what it said it would do, Phantom Shuttle also routed user web traffic through proxies that the threat actor owned, which allowed them to pick up on login credentials, payment card details, personal information, and more.

It didn’t route all of the traffic, though. Instead, it watched for roughly 170 high-value domains, such as developer platforms, cloud service consoles, social media sites, and adult content portals, so that only valuable information got picked up.

Local networks and C2 domains were excluded from the list, to make sure the plugins don’t raise any alarms. Google has since removed both extensions from the app store and searching for ‘Phantom Shuttle’ returns no results.

The internet browser is the most important piece of software on any modern computer, and as such is a major target for cybercriminals. While most browsers in use today are relatively secure (Chrome, for example, had only eight zero-day vulnerabilities so far in 2025), add-ons are something of a weak spot, allowing creative crooks to sneak malicious code into the program.


That is why users are advised to be extra careful when downloading and installing any plugins or extensions to their browsers.
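As an added example (not from the article, Socket or Google): a triage script that lists installed Chrome extensions whose manifest declares the `proxy` permission, which Chrome requires before an extension can change proxy settings. The extension IDs, names and manifests below are constructed; the article gives no Phantom Shuttle identifiers, so this flags the capability rather than those specific extensions.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (empty list = nothing flagged)."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    if "proxy" not in declared:
        return []
    findings = ["can change the browser's proxy settings"]
    if declared & BROAD_HOSTS:
        findings.append("also has access to all sites")
    return findings

def audit_extensions(ext_root: Path) -> dict[str, dict]:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json under ext_root."""
    report = {}
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        findings = audit_manifest(manifest)
        if findings:
            # name may be a "__MSG_...__" locale placeholder; the ID is the stable key
            report[path.parent.parent.name] = {
                "name": manifest.get("name", "?"), "findings": findings}
    return report

def build_sample_profile(root: Path) -> Path:
    """Write two constructed manifests (fake IDs and names) for the demo."""
    samples = {
        "a" * 32: {"name": "Sample Proxy Tool", "manifest_version": 3,
                   "permissions": ["proxy", "storage"],
                   "host_permissions": ["<all_urls>"]},
        "b" * 32: {"name": "Sample Notes", "manifest_version": 3,
                   "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(audit_extensions(build_sample_profile(Path(tmp))), indent=2))
```

Point `audit_extensions` at a profile's `Extensions` directory (on Linux typically `~/.config/google-chrome/Default/Extensions`). A hit means the extension is able to reroute traffic, which legitimate VPN and proxy add-ons also need, so each result calls for a manual review.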

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
