Shadow Networks: How Fake VPN Extensions Turn Chrome Users into Credential Goldmines
Malicious Chrome add-ons masquerade as VPN tools, siphoning sensitive credentials from unsuspecting users for years.
When you install a VPN extension for your browser, you expect privacy, security, and peace of mind. But for more than 2,000 Chrome users, a pair of seemingly legitimate VPN and network speed-testing tools have delivered anything but protection. Instead, they’ve opened the door to a years-long campaign of digital eavesdropping and credential theft, hiding in plain sight on the official Chrome Web Store.
The Trojan Horse in Your Browser
Security researchers at Socket’s Threat Research Team recently blew the lid off a pair of Chrome extensions known as Phantom Shuttle (幻影穿梭). Marketed as “multi-location network speed testing plugins,” these add-ons offered paid tiers and slick payment options via Alipay and WeChat Pay. On the surface, they promised enhanced browsing speeds and VPN-like privacy. Underneath, they engineered one of the most persistent browser-based credential theft operations in recent memory.
Once installed, Phantom Shuttle injects malicious code into the trusted jQuery library, enabling it to silently intercept and manipulate all browser traffic. By abusing Chrome’s webRequest onAuthRequired API, the extensions inject hardcoded proxy credentials into every HTTP authentication prompt, effectively rerouting all user requests through servers under the attacker’s control. This man-in-the-middle approach gives the threat actor unfettered access to everything users send - logins, API keys, and more.
Inside the Credential Laundering Machine
The extensions maintain a heartbeat connection with a command-and-control (C2) server hosted in Hong Kong, sending stolen credentials - including emails and passwords - every five minutes. The C2 infrastructure orchestrates account management, payment processing, and VIP status for users, while also funneling all intercepted data to the attackers. More than 170 domains are explicitly targeted: developer platforms like GitHub and Stack Overflow, cloud providers like AWS, and major social media sites.
By harvesting credentials from developers and foreign trade professionals, the attackers open the door to devastating supply chain attacks. Compromised repositories and API keys could be leveraged for broader attacks, code injection, and even corporate espionage. It’s a chilling reminder that browser extensions - especially those with network permissions - can be a double-edged sword, blending utility with unseen risk.
Red Flags and Lessons Learned
Despite their professional polish and long tenure on the Chrome Web Store, these extensions were nothing more than credential siphons disguised as productivity tools. Their longevity highlights the challenges of extension security and the ease with which attackers can monetize user trust through subscription models and seamless payment integrations.
The next time a browser extension promises privacy or performance boosts, remember: in the world of cybercrime, the greatest threat often hides behind a trusted logo and a polished user interface.
WIKICROOK
- Man-in-the-Middle Attack: A Man-in-the-Middle attack occurs when a hacker secretly intercepts and possibly alters communication between two parties, posing as each to the other.
- Credential Exfiltration: Credential exfiltration is the theft of usernames, passwords, or tokens, allowing attackers to access systems and potentially cause further security breaches.
- Command-and-Control (C2): A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Proxy Server: A proxy server is an intermediary that routes network traffic, helping to hide users’ identities, bypass restrictions, and manage internet access.
- Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.