Two deceptive Google Chrome extensions, masquerading as legitimate VPN services under the name “Phantom Shuttle,” have been identified as actively intercepting user web traffic and stealing sensitive login credentials. These malicious extensions, circulating since at least 2017, have managed to infiltrate the Chrome Web Store, with over 2,180 users reportedly downloading them and exposing themselves to ongoing data theft.
The threat actor behind this prolonged operation has consistently used the email address theknewone.com@gmail[.]com to publish both variants of the “Phantom Shuttle” extension, which, despite minor visual differences, operate with identical malicious functionality. Users remain largely unaware that the software they believe is enhancing their online privacy and connectivity is, in fact, a sophisticated tool monitoring their every online move and exfiltrating their credentials to attacker-controlled servers.
The Deceptive Facade of Phantom Shuttle
These malicious Chrome extensions market themselves as convenient “multi-location network speed testing plugins,” specifically targeting developers and individuals working within Chinese trade sectors. This carefully crafted marketing narrative allows them to gain trust among a niche audience. Victims are enticed to purchase subscriptions, with pricing ranging from 9.9 to 95.9 yuan (approximately $1.40 to $13.50 USD), utilizing widely recognized and secure payment platforms such as Alipay and WeChat Pay.
Upon installation, users are provided with functional proxy services that appear to perform their advertised tasks, including accurate latency tests and seemingly normal connection status indicators. This successful emulation of legitimate functionality creates a strong sense of trust, effectively masking the extensive and harmful activities occurring in the background. The apparent legitimacy of the proxy service lulls users into a false sense of security.
Authentication Hijacking Mechanism
Security analysts at Socket.dev have detailed how these malicious extensions employ a sophisticated credential injection mechanism to achieve complete traffic interception. The core of the attack lies in the extension’s ability to automatically intercept every HTTP authentication request made across all visited websites. Without any user interaction or notification, the extensions inject hardcoded proxy credentials, specifically the username “topfany” and password “963852wei,” into these requests.
This unauthorized insertion enables the attackers to reroute all user browsing traffic through their own proxy servers, effectively establishing a covert man-in-the-middle attack. The malicious code responsible for this activity is obfuscated within modified JavaScript libraries, namely “jquery-1.12.2.min.js” and “scripts.js,” making it more challenging for routine security scans to detect. Researchers also note a custom character-index encoding scheme used to obscure the hardcoded credentials.
The underlying mechanism is Chrome’s `chrome.webRequest.onAuthRequired` listener, which fires on authentication challenges before the browser would show the user a credential prompt. Registered in the blocking (`asyncBlocking`) mode, the listener answers each challenge with the hardcoded credentials itself, so the user never sees a prompt and has no opportunity to intervene or even notice that authentication took place.
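The permission set and API calls described above are visible in an extension’s unpacked source, which makes them a useful static triage signal. The following is an added example (not code from the article or from the malicious extension): a small Node.js scanner that reads an unpacked extension’s manifest and script files and flags the combination of broad host scope, the auth-related permissions, and an `onAuthRequired` listener that supplies `authCredentials`. The manifest, the script fragment and the file names are constructed fixtures for this demo, not the real extension’s files.

```javascript
// Added example: static triage of an unpacked Chrome extension for the
// silent-authentication pattern (onAuthRequired + asyncBlocking + authCredentials).
// All sample data below is constructed; nothing here is the real extension's code.

// Permissions that, together, let an extension answer HTTP/proxy auth
// challenges without a user prompt. "webRequestAuthProvider" is the
// Manifest V3 requirement; "webRequestBlocking" is the Manifest V2 form.
const AUTH_PERMS = ["webRequest", "webRequestBlocking", "webRequestAuthProvider"];

// Source-level indicators a scanner should key on.
const INDICATORS = [
  { id: "onAuthRequired", re: /onAuthRequired\s*\.\s*addListener/ },
  { id: "asyncBlocking", re: /["']asyncBlocking["']/ },
  { id: "authCredentials", re: /authCredentials\s*:/ },
];

// Returns which auth-related permissions are requested and whether the
// extension asks for every site (<all_urls> or a *://*/ pattern).
function triageManifest(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const authPerms = perms.filter((p) => AUTH_PERMS.includes(p));
  // MV3 puts host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = manifest.host_permissions || perms.filter((p) => p.includes("://"));
  const allUrls = hosts.some((h) => h === "<all_urls>" || h.startsWith("*://*/"));
  return { authPerms, allUrls };
}

// files: { "name.js": "source text" } -> list of { file, indicator } hits.
function triageSource(files) {
  const hits = [];
  for (const [name, src] of Object.entries(files)) {
    for (const ind of INDICATORS) {
      if (ind.re.test(src)) hits.push({ file: name, indicator: ind.id });
    }
  }
  return hits;
}

// Combines both views into a coarse risk level for an analyst queue.
function riskScore(manifest, files) {
  const m = triageManifest(manifest);
  const hits = triageSource(files);
  const ids = new Set(hits.map((h) => h.indicator));
  let level = "low";
  if (ids.has("onAuthRequired") && ids.has("authCredentials")) {
    level = "high"; // a listener that hands out credentials on its own
  } else if (m.authPerms.length > 0 || ids.size > 0) {
    level = "medium"; // capability present, no injection seen yet
  }
  return { level, allUrls: m.allUrls, authPerms: m.authPerms, hits };
}

// Constructed fixture resembling the manifest shape such an extension needs.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Speed Tester (constructed sample)",
  permissions: ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
  host_permissions: ["<all_urls>"],
};

// Constructed source fragment containing the indicator strings; USER/PASS
// are placeholders, not real values.
const SAMPLE_FILES = {
  "scripts.js": `
    chrome.webRequest.onAuthRequired.addListener(function (details, cb) {
      cb({ authCredentials: { username: USER, password: PASS } });
    }, { urls: ["<all_urls>"] }, ["asyncBlocking"]);`,
  "jquery.min.js": "/* vendored library, no auth handling */",
};

// Constructed benign extension for contrast.
const BENIGN_MANIFEST = { manifest_version: 3, name: "Notes", permissions: ["storage"] };
const BENIGN_FILES = { "popup.js": "document.title = 'notes';" };

console.log(JSON.stringify(riskScore(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
console.log(JSON.stringify(riskScore(BENIGN_MANIFEST, BENIGN_FILES), null, 2));
```

The regexes are deliberately loose so that minified or lightly obfuscated code still trips them; an extension that encodes the API names (as the article says Phantom Shuttle encodes its credentials) would need the manifest signal alone to land in the queue, which is why the permission check is kept separate from the source check.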
Adding to the persistent threat, the “Phantom Shuttle” extensions maintain a regular 60-second heartbeat connection to a command-and-control (C2) server located at phantomshuttle.space. During these heartbeats and the VIP status checks, which occur every five minutes for active users, the extension transmits sensitive user data, including email addresses and passwords, in plain text to the attacker infrastructure. This continuous exfiltration mechanism ensures a steady stream of stolen credentials.
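A fixed 60-second heartbeat is the kind of cadence that stands out in egress logs once you look for it. Below is an added example (not from the article) of a Node.js routine that groups proxy log entries by client and destination host, measures the regularity of the inter-connection intervals, and flags any pair whose intervals are both frequent and nearly constant. The log line format (`timestamp client host port`) and every entry in it are constructed for this demo; the C2 domain is the one named in the article, and the other hosts are placeholders.

```javascript
// Added example: flag periodic beaconing in proxy logs by inter-arrival
// regularity. Log format and entries are constructed for the demo.
const SAMPLE_LOG = [
  "2025-12-23T10:00:00Z 10.0.0.5 phantomshuttle.space 443",
  "2025-12-23T10:00:07Z 10.0.0.5 www.example.com 443",
  "2025-12-23T10:01:00Z 10.0.0.5 phantomshuttle.space 443",
  "2025-12-23T10:01:31Z 10.0.0.5 cdn.example.net 443",
  "2025-12-23T10:02:01Z 10.0.0.5 phantomshuttle.space 443",
  "2025-12-23T10:02:45Z 10.0.0.5 www.example.com 443",
  "2025-12-23T10:03:00Z 10.0.0.5 phantomshuttle.space 443",
  "2025-12-23T10:03:59Z 10.0.0.5 phantomshuttle.space 443",
  "2025-12-23T10:04:12Z 10.0.0.5 www.example.com 443",
  "2025-12-23T10:05:00Z 10.0.0.5 phantomshuttle.space 443",
  "2025-12-23T10:09:30Z 10.0.0.5 www.example.com 443",
];

// "<ISO timestamp> <client> <host> <port>" -> { t (epoch seconds), client, host, port }
function parseLine(line) {
  const [ts, client, host, port] = line.trim().split(/\s+/);
  return { t: Date.parse(ts) / 1000, client, host, port: Number(port) };
}

// Mean and coefficient of variation (std dev / mean) of the gaps between
// consecutive connections. A low CV means the gaps are nearly identical.
function intervalStats(times) {
  const sorted = [...times].sort((a, b) => a - b);
  const deltas = [];
  for (let i = 1; i < sorted.length; i++) deltas.push(sorted[i] - sorted[i - 1]);
  const mean = deltas.reduce((s, d) => s + d, 0) / deltas.length;
  const variance = deltas.reduce((s, d) => s + (d - mean) ** 2, 0) / deltas.length;
  // mean of 0 (all duplicate timestamps) yields NaN, which never passes maxCv
  return { count: sorted.length, mean, cv: Math.sqrt(variance) / mean };
}

// Returns the (client, host) pairs whose connection cadence looks automated.
function findBeacons(lines, { minConnections = 5, maxCv = 0.15 } = {}) {
  const byKey = new Map();
  for (const line of lines) {
    if (!line.trim()) continue;
    const e = parseLine(line);
    const key = `${e.client} ${e.host}`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(e.t);
  }
  const out = [];
  for (const [key, times] of byKey) {
    if (times.length < minConnections) continue;
    const s = intervalStats(times);
    if (s.cv <= maxCv) {
      const [client, host] = key.split(" ");
      out.push({
        client,
        host,
        count: s.count,
        meanIntervalSec: Math.round(s.mean),
        cv: Number(s.cv.toFixed(3)),
      });
    }
  }
  return out;
}

console.log(JSON.stringify(findBeacons(SAMPLE_LOG), null, 2));
```

In the sample, the six connections to phantomshuttle.space arrive 59 to 61 seconds apart (mean 60 s, CV about 0.015) and are flagged, while the browsing to the placeholder sites is too sparse and too irregular to qualify. On real logs, raise `minConnections` to cover at least a few minutes of activity, and widen `maxCv` if you expect jitter; the five-minute VIP check the article mentions would surface the same way with a longer window.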
As of December 23, 2025, these malicious extensions remain active and available on the Chrome Web Store. Socket.dev has acknowledged submitting formal takedown requests to Google’s Chrome Web Store security team, initiating the process to remove these threats. Users who have previously installed either variant of the “Phantom Shuttle” extension are strongly advised to uninstall them immediately. Furthermore, it is critical for affected individuals to change all passwords associated with accounts that were accessed or logged into while using these compromised extensions.