Google and Chrome Ecosystem

Security firm Socket reports that two subscription-based Chrome extensions called 'Phantom Shuttle,' listed on Google’s official Chrome Web Store since at least 2017, secretly routed users’ web traffic through attacker-controlled proxy servers to steal sensitive data from more than 170 high‑value domains. The extensions, marketed to foreign trade workers as proxy and network speed‑test tools, embedded hardcoded proxy credentials inside obfuscated jQuery code, reconfigured Chrome’s proxy settings to force traffic through their infrastructure, and could capture usernames, passwords, payment card details, personal information, cookies, and API tokens before Google removed them from the store following disclosure. The case highlights ongoing security risks in browser extension ecosystems even when software appears legitimate and is distributed via official marketplaces.