Malicious Chrome Extensions Steal Credentials from Over 170 Sites
In a concerning revelation, two malicious Google Chrome extensions have been discovered, secretly stealing user credentials from over 170 websites. This news underscores the need for vigilance in the digital realm, particularly for users in North East India and across India.
The Malicious Extensions: A Closer Look
The extensions, named Phantom Shuttle, are disguised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. Despite their advertised purpose, they come with the ability to intercept traffic and capture user credentials. As of writing, both extensions are available for download.
Phantom Shuttle: The Deceptive Duo
There are two versions of Phantom Shuttle, each with different user counts. The first, published in 2017, has 2,000 users, while the second, published in 2023, has 180 users. Both versions perform identical malicious operations.
The Malicious Operations: How They Work
Behind the subscription facade, these extensions achieve complete traffic interception by injecting proxy authentication credentials, operating as man-in-the-middle proxies, and continuously exfiltrating user data to the threat actor's command-and-control (C2) server.
The Heartbeat Mechanism: A Constant Threat
Once users authenticate to a proxy server, the extension configures Chrome's proxy settings and maintains a 60-second heartbeat to its C2 server. This heartbeat message transmits the VIP user's email address, plaintext password, and extension version number to an external server every five minutes, enabling continuous credential exfiltration and session monitoring.
The Impact: A Wider Implication
The extension captures passwords, credit card numbers, authentication cookies, browsing history, form data, API keys, and access tokens from users accessing the targeted domains while VIP mode is active. This theft of developer secrets could pave the way for supply chain attacks.
The Connection: North East India and Beyond
The digital world is interconnected, and the impact of such malicious activities extends beyond the immediate victims. In the North East region and across India, businesses and individuals are increasingly reliant on digital platforms for their operations. This underscores the importance of cybersecurity awareness and best practices.
A Call to Action
Users who have installed the extensions are advised to remove them as soon as possible. For security teams, it's essential to deploy extension allowlisting, monitor for extensions with subscription payment systems combined with proxy permissions, and implement network monitoring for suspicious proxy authentication attempts.
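One way a security team can start on the allowlisting and monitoring advice above is to audit the manifests of installed extensions for the combination the article highlights: the `proxy` permission together with broad host access. The script below is an added example, not the article's or any vendor's tool; the Chrome profile layout it walks (`Extensions/<id>/<version>/manifest.json`) and the sample manifests are assumptions, and the sample manifests are constructed, not the real Phantom Shuttle manifest.

```python
import json
import os
from typing import Iterator

# Permissions that let an extension route or read all of the browser's traffic.
PROXY_PERMS = {"proxy"}
TRAFFIC_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one manifest.json (empty list = nothing flagged)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixed host patterns into "permissions"; treat them as hosts too.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if perms & PROXY_PERMS:
        findings.append("can reconfigure Chrome's proxy settings (permission: proxy)")
    if perms & TRAFFIC_PERMS:
        findings.append("can observe or modify requests: " + ", ".join(sorted(perms & TRAFFIC_PERMS)))
    if hosts & BROAD_HOSTS:
        findings.append("has broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    # Proxy control plus broad host access is the man-in-the-middle combination.
    if (perms & PROXY_PERMS) and (hosts & BROAD_HOSTS):
        findings.append("HIGH: proxy permission combined with broad host access")
    return findings

def iter_manifests(extensions_dir: str) -> Iterator[tuple[str, dict]]:
    """Yield (extension_id, manifest) for each version folder under a profile's
    Extensions directory (assumed layout: <dir>/<id>/<version>/manifest.json)."""
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            path = os.path.join(ext_path, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    yield ext_id, json.load(fh)

# Constructed sample manifests (not the real Phantom Shuttle manifest).
SUSPICIOUS = {"name": "Speed Test Helper", "manifest_version": 3,
              "permissions": ["proxy", "webRequest", "storage"],
              "host_permissions": ["<all_urls>"]}
BENIGN = {"name": "Notes", "manifest_version": 3, "permissions": ["storage"]}

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, audit_manifest(m) or ["no findings"])
```

To scan a real profile, pass its Extensions directory to `iter_manifests` (on Linux, typically `~/.config/google-chrome/Default/Extensions`) and run `audit_manifest` on each manifest it yields.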