Malicious Chrome Extensions Found Stealing Credentials: What to Check Right Now

December 25, 2025


Quick summary

  • What happened: Researchers identified two malicious Chrome Web Store extensions named “Phantom Shuttle” designed to intercept traffic and steal sensitive data.
  • What’s at risk: Login credentials, session cookies, payment data, and API tokens.
  • Why it matters: The extensions can route targeted website traffic through attacker-controlled proxy infrastructure.
  • What to do now: Review your Chrome extensions, remove anything suspicious, and reset passwords if you may be affected.

What the source article says

BleepingComputer reports that two Chrome extensions named “Phantom Shuttle” posed as proxy/VPN-style tools but were found to hijack user traffic and steal sensitive information. The report cites research from Socket, which explains the extensions can dynamically change Chrome proxy settings and selectively route traffic for a large set of high-value domains through attacker-controlled proxies.

These extensions were marketed toward users who need to test connectivity from different locations and have reportedly been active for years. The research indicates the “smart” mode targets 170+ domains (including developer platforms, cloud consoles, and social media), increasing the risk of credential theft and account compromise.

What this means for PC-Pros customers

Browser extensions are a sneaky risk because they can look legitimate while still having access to your browsing activity. If a malicious extension can change proxy settings or intercept traffic, it can put accounts at risk even if your PC otherwise looks “clean.”

This is especially important for:

  • Small businesses using web-based tools (Microsoft 365, Google Workspace, cloud admin portals)
  • Anyone who saves passwords in the browser
  • Anyone who uses the same password across multiple sites

Recommended next steps (do this today)

  1. Audit your extensions

    • In Chrome, open: chrome://extensions
    • Remove anything you don’t recognize or no longer use.
  2. Check for proxy tampering

    • In Chrome: Settings → System → Open your computer’s proxy settings
    • Make sure no unexpected proxy is enabled. Keep in mind that a proxy set by an extension applies inside Chrome itself and goes away when that extension is removed, so do the extension audit first.
  3. Reset passwords (start with high-value accounts)

    • Email accounts (Gmail/Outlook), banking, shopping, cloud logins, social media
    • Use unique passwords and enable MFA/2FA wherever possible.
  4. Run a malware scan

    • Even though this is “just an extension,” it’s smart to run a full scan after removal.
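Step 1 can also be scripted. The following Python script is an added example, not tooling from PC-Pros or from the source article: it walks a Chrome profile's Extensions folder and flags every extension whose manifest requests the proxy or request-interception permissions that make a Phantom Shuttle-style traffic hijack possible. The default profile paths are assumptions, and the sample manifest is constructed for demonstration only.

```python
import json
import sys
from pathlib import Path

# Permissions that let an extension reroute or read browser traffic.
RISKY_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest (not the real extension's) showing the risky shape.
SAMPLE_MANIFEST = {"name": "Example Proxy Helper", "manifest_version": 3,
                   "permissions": ["proxy", "storage"], "host_permissions": ["<all_urls>"]}

def assess_manifest(manifest: dict) -> list:
    """Return risk findings for one manifest.json (empty list = nothing flagged)."""
    perms = set(manifest.get("permissions", []))
    # Manifest V2 puts host patterns in "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = [f"permission:{p}" for p in sorted(perms & RISKY_PERMISSIONS)]
    if hosts & BROAD_HOSTS:
        findings.append("host:all-sites")
    return findings

def scan_extensions_dir(ext_root: Path) -> dict:
    """Walk a profile's Extensions folder (<id>/<version>/manifest.json) and report flagged ones."""
    report = {}
    if not ext_root.is_dir():
        return report
    for manifest_path in ext_root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        findings = assess_manifest(manifest)
        if findings:
            report[f"{manifest_path.parents[1].name} ({manifest.get('name', '?')})"] = findings
    return report

def default_extensions_dir() -> Path:
    """Default Chrome profile path per OS (assumed; other profiles sit beside 'Default')."""
    home = Path.home()
    if sys.platform == "win32":
        return home / "AppData/Local/Google/Chrome/User Data/Default/Extensions"
    if sys.platform == "darwin":
        return home / "Library/Application Support/Google/Chrome/Default/Extensions"
    return home / ".config/google-chrome/Default/Extensions"

if __name__ == "__main__":
    print("sample manifest ->", assess_manifest(SAMPLE_MANIFEST))
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    for ext, findings in scan_extensions_dir(root).items():
        print(ext, "->", ", ".join(findings))
```

A flagged extension is not automatically malicious (genuine VPN tools need these permissions), but anything you do not recognize on that list should be removed, and its presence is the cue to reset passwords as in step 3.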

If you want, PC-Pros can help you quickly review your system, remove risky extensions, and secure your accounts—especially for business users where email compromise can be costly.

Source: BleepingComputer