Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites

The Credential Theft Pipeline: How These Extensions Compromised 170+ Sites

The malicious Phantom Shuttle extensions orchestrated credential theft through a sophisticated multi-layered approach that weaponized legitimate browser functionality. Both variants, despite being published years apart (November 2017 and April 2023), executed identical malicious operations through modified JavaScript libraries embedded within the extension packages. (Source: The Hacker News)

The extensions injected hard-coded proxy credentials (topfany / 963852wei) into every HTTP authentication challenge across all websites by registering a listener on Chrome's webRequest.onAuthRequired API. This automatic injection occurred transparently, preventing the browser from ever displaying credential prompts to users.

The attack mechanism relied on malicious modifications prepended to two JavaScript libraries: jquery-1.12.2.min.js and scripts.js. These modifications enabled the extensions to intercept network traffic before it left the browser, positioning the attackers as man-in-the-middle proxies for all user communications.

Once victims achieved VIP status through subscription payments ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), the extensions auto-enabled "smarty" proxy mode. This mode selectively routed traffic from over 170 high-value domains through attacker-controlled infrastructure at phantomshuttle[.]space.

The targeted domains revealed the strategic nature of this operation. Developer platforms including GitHub, Stack Overflow, and Docker were on the target list, potentially exposing source code repositories and API keys. Cloud service providers like Amazon Web Services, Digital Ocean, and Microsoft Azure were targeted, creating pathways to enterprise infrastructure.

Enterprise solutions from Cisco, IBM, and VMware appeared on the target list alongside social media platforms Facebook, Instagram, and Twitter. The inclusion of adult content sites served a dual purpose - capturing additional sensitive data while potentially enabling blackmail scenarios against victims.

The extensions maintained persistent communication with command-and-control servers through heartbeat messages sent every 60 seconds. For VIP users, a heartbeat every five minutes transmitted email addresses and passwords in plaintext via HTTP GET requests, ensuring continuous credential exfiltration even when users weren't actively browsing targeted sites.

The Proxy Auto-Configuration (PAC) script implementation provided three operational modes that gave attackers granular control over traffic interception. The "always" mode routed all web traffic through the proxy, while "smarty" mode selectively targeted the predetermined list of domains, and "close" mode disabled proxy functionality entirely to avoid detection during security scans.
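To make the three modes concrete, here is an added example (not the extension's own script and not from the researchers' report): a constructed PAC script modelled on the behaviour described, plus a small audit routine that loads a captured PAC script and reports which hosts it diverts to the proxy. The variable names, the placeholder proxy endpoint and the five-domain list are assumptions.

```javascript
// Constructed PAC script modelled on the three modes described above. The variable
// names, the placeholder proxy endpoint and the short domain list are assumptions,
// not the extension's own script.
function samplePac(mode) {
  return `
    var PROXY_MODE = "${mode}";   // "always" | "smarty" | "close"
    var PROXY = "PROXY proxy.example.invalid:3128";   // placeholder endpoint
    var TARGET_DOMAINS = ["github.com", "stackoverflow.com", "hub.docker.com",
                          "console.aws.amazon.com", "portal.azure.com"];
    function FindProxyForURL(url, host) {
      if (PROXY_MODE === "close") return "DIRECT";
      if (PROXY_MODE === "always") return PROXY;
      for (var i = 0; i < TARGET_DOMAINS.length; i++) {
        if (dnsDomainIs(host, TARGET_DOMAINS[i])) return PROXY;
      }
      return "DIRECT";
    }`;
}

// Minimal stand-ins for the PAC helper functions a browser exposes to the script.
function dnsDomainIs(host, domain) {
  return host === domain || host.endsWith("." + domain);
}
function shExpMatch(str, pattern) {   // only "*" wildcards are supported here
  const re = pattern.split("*")
    .map(p => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + re + "$").test(str);
}
function isPlainHostName(host) {
  return !host.includes(".");
}

// Load a PAC script in its own function scope and hand back its FindProxyForURL.
// This still executes the script, so run it only on a throwaway analysis host.
function loadPac(source) {
  const factory = new Function("dnsDomainIs", "shExpMatch", "isPlainHostName",
                               source + "\n;return FindProxyForURL;");
  return factory(dnsDomainIs, shExpMatch, isPlainHostName);
}

// Ask the PAC where each host would go and group the hosts by decision, so an
// analyst can see exactly which domains a captured script diverts to the proxy.
function auditPac(source, hosts) {
  const findProxy = loadPac(source);
  const byDecision = {};
  for (const host of hosts) {
    const decision = findProxy("https://" + host + "/", host);
    (byDecision[decision] = byDecision[decision] || []).push(host);
  }
  return byDecision;
}

// Constructed host list: two targeted domains, a subdomain of one, and two bystanders.
const HOSTS = ["github.com", "api.github.com", "console.aws.amazon.com",
               "intranet.example.invalid", "example.org"];
console.log(auditPac(samplePac("smarty"), HOSTS));
```

Running the same audit with `samplePac("always")` and `samplePac("close")` shows the other two modes: everything proxied, and everything direct.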

This combination of heartbeat exfiltration and proxy-based man-in-the-middle positioning enabled comprehensive data theft capabilities. The extensions captured passwords, credit card numbers, authentication cookies, browsing history, form data, API keys, and access tokens from users accessing any of the targeted domains while VIP mode remained active.

The theft of developer secrets posed particular risks for supply chain attacks. Compromised GitHub credentials could enable attackers to inject malicious code into software repositories, while stolen cloud service credentials provided direct access to corporate infrastructure and customer data.

The eight-year operational timeline of the first extension, combined with its 2,000 user base, suggests thousands of credentials may have been compromised. The newer variant added another 180 victims to this count, though the actual impact likely extends beyond direct users to the organizations and systems they accessed.

Immediate Business and User Risk: What This Breach Means for Your Organization

The financial exposure from these compromised extensions extends far beyond the initial credential theft, creating cascading risks across multiple business dimensions. Organizations whose domains appeared among the 170+ targeted sites face an immediate crisis: every employee who accessed company resources through Chrome while these extensions were active potentially exposed corporate credentials during an eight-year operational window dating back to November 2017.

The subscription model employed by the attackers (charging between $1.40 and $13.50 USD) created a particularly insidious dynamic. Employees who paid for what they believed was legitimate VPN functionality inadvertently funded their own compromise while simultaneously granting attackers persistent access to corporate systems. These paying victims maintained active sessions for extended periods, maximizing the window for credential harvesting and data exfiltration.

The exposure window presents unprecedented challenges for incident response teams. With the older extension operating since 2017, organizations must consider that compromised credentials could have been circulating in underground markets for nearly a decade. This extended timeline means password rotations implemented within standard 90-day cycles would be insufficient—attackers potentially possess historical credential patterns that enable password prediction algorithms.

Financial services organizations face particular exposure given the extensions' targeting of enterprise platforms including IBM and VMware infrastructure. A single compromised administrator account from these platforms enables attackers to pivot into payment processing systems, customer databases, and regulatory reporting mechanisms. The average cost of insider-enabled breaches reached $4.99 million in 2024 according to Ponemon Institute research, with financial services experiencing 23% higher costs than other sectors.

The inclusion of adult content sites in the targeting list introduces blackmail and extortion risks that extend beyond traditional data breach scenarios. Executives and employees whose browsing histories were captured face potential exploitation through threats of public disclosure. This personal leverage creates insider threat scenarios where compromised individuals might provide additional access or disable security controls under duress.

Regulatory notification requirements trigger immediately for organizations in regulated industries. Under GDPR, companies must notify authorities within 72 hours of becoming aware that customer credentials were potentially compromised. California's CCPA and similar state laws require consumer notification when login credentials are exposed in combination with names. Healthcare organizations subject to HIPAA face additional scrutiny if any employee accessed patient portals or electronic health records while the extensions were active.

Supply chain implications multiply the damage radius exponentially. Developer credentials harvested from GitHub, Stack Overflow, and Docker Hub provide attackers with keys to software repositories, continuous integration pipelines, and container registries. A single compromised developer account can poison software updates distributed to thousands of downstream customers. The SolarWinds breach demonstrated how supply chain compromises generate cleanup costs exceeding $100 million for large enterprises.

Brand reputation damage compounds when customers discover their trusted service provider appeared on the targeting list. The presence of social media platforms like Facebook, Instagram, and Twitter (now X) in the targeting matrix means consumer-facing brands must prepare for public backlash when users realize their accounts were potentially compromised through corporate infrastructure. Customer churn rates typically increase 15-20% following publicized credential breaches, with recovery taking 18-24 months according to Forrester Research analysis.

Detection and Immediate Response: What to Do Today

Organizations must initiate a three-phase response protocol to identify and remediate potential exposure from the Phantom Shuttle extensions. The immediate priority centers on determining whether corporate domains appear among the 170+ targeted sites and establishing the scope of potential credential compromise.

Immediate Actions (Within 24 Hours):

Security teams should first query Chrome browser management consoles for the specific extension IDs: fbfldogmkadejddihifklefknmikncaj and ocpcmfmiidofonkbodpdhgddhlcmcofd. These queries will reveal which users have installed either variant since November 2017.

Next, administrators must examine proxy authentication logs for attempts using the credentials topfany / 963852wei. These hard-coded values appear in every authentication challenge when the extensions activate, creating a distinctive signature in authentication systems.

The heartbeat mechanism generates detectable patterns in network traffic. Security teams should search for HTTP GET requests to phantomshuttle[.]space occurring at 60-second intervals for regular users or five-minute intervals for VIP subscribers. These connections transmit plaintext passwords and email addresses, making them identifiable through packet inspection.
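The heartbeat search described above, as an added example (not the researchers' tooling): detection logic run over constructed proxy log lines that groups GET requests per client and host, flags series whose spacing matches the 60-second or five-minute period, and notes plaintext HTTP and credential-looking query parameters. The log format, client addresses and credential values are made up; only the C2 domain comes from the analysis.

```javascript
// Constructed web-proxy log lines, "<epoch seconds> <client> <method> <url>".
// The C2 host is the one named in the analysis; addresses, credentials and the
// query layout are made up for this example.
const SAMPLE_LOG = [
  "1700000000 10.0.0.5 GET http://phantomshuttle.space/heartbeat?email=a%40example.invalid&password=s3cret&ver=1.3",
  "1700000030 10.0.0.5 GET https://github.com/",
  "1700000060 10.0.0.5 GET http://phantomshuttle.space/heartbeat?email=a%40example.invalid&password=s3cret&ver=1.3",
  "1700000100 10.0.0.5 GET https://github.com/login",
  "1700000120 10.0.0.5 GET http://phantomshuttle.space/heartbeat?email=a%40example.invalid&password=s3cret&ver=1.3",
  "1700000180 10.0.0.5 GET http://phantomshuttle.space/heartbeat?email=a%40example.invalid&password=s3cret&ver=1.3",
  "1700000005 10.0.0.9 GET http://phantomshuttle.space/heartbeat?email=b%40example.invalid&password=pw2&ver=1.3",
  "1700000010 10.0.0.9 GET https://example.org/",
  "1700000305 10.0.0.9 GET http://phantomshuttle.space/heartbeat?email=b%40example.invalid&password=pw2&ver=1.3",
  "1700000605 10.0.0.9 GET http://phantomshuttle.space/heartbeat?email=b%40example.invalid&password=pw2&ver=1.3",
  "1700000900 10.0.0.9 GET https://example.org/",
  "1700004000 10.0.0.9 GET https://example.org/",
];

const BEACON_PERIODS = [60, 300];   // seconds: regular and VIP heartbeat intervals
const JITTER = 5;                   // seconds of slack allowed per gap
const CREDENTIAL_PARAMS = ["email", "password", "passwd", "pwd", "pass", "token"];

function parseLine(line) {
  const [ts, client, method, rawUrl] = line.split(" ");
  return { ts: Number(ts), client, method, url: new URL(rawUrl) };
}

// Group GET requests per (client, host), then flag series whose gaps all sit on
// one of the known heartbeat periods. Credential-looking query keys and use of
// plain HTTP are reported alongside, since that is what makes the beacon dangerous.
function detectHeartbeats(lines, minHits = 3) {
  const series = new Map();
  for (const ev of lines.map(parseLine)) {
    if (ev.method !== "GET") continue;
    const key = `${ev.client} ${ev.url.hostname}`;
    if (!series.has(key)) series.set(key, { times: [], creds: new Set(), plaintext: false });
    const s = series.get(key);
    s.times.push(ev.ts);
    if (ev.url.protocol === "http:") s.plaintext = true;
    for (const k of ev.url.searchParams.keys()) {
      if (CREDENTIAL_PARAMS.includes(k.toLowerCase())) s.creds.add(k);
    }
  }
  const findings = [];
  for (const [key, s] of series) {
    if (s.times.length < minHits) continue;
    const t = [...s.times].sort((a, b) => a - b);
    const gaps = t.slice(1).map((v, i) => v - t[i]);
    const period = BEACON_PERIODS.find(p => gaps.every(g => Math.abs(g - p) <= JITTER));
    if (period === undefined) continue;
    const [client, host] = key.split(" ");
    findings.push({ client, host, period, hits: t.length,
                    plaintextHttp: s.plaintext, credentialParams: [...s.creds].sort() });
  }
  return findings;
}

console.log(detectHeartbeats(SAMPLE_LOG));
```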

Short-Term Response (Within 7 Days):

Organizations must analyze web proxy logs for unusual routing patterns affecting GitHub, AWS, Azure, Docker Hub, Stack Overflow, and other developer platforms. The extensions' PAC script configuration creates distinctive traffic flows when "smarty" mode activates, routing specific domains through malicious proxies while leaving other traffic untouched.

Authentication systems require immediate audit for anomalous login patterns. The extensions' continuous credential exfiltration enables attackers to access accounts without triggering traditional brute-force detection. Security teams should look for successful authentications from unusual geographic locations, particularly those correlating with Alibaba Cloud infrastructure.

Browser extension permissions across the enterprise need comprehensive review. Extensions requesting both proxy configuration and webRequest permissions represent elevated risk, especially those with payment integration or subscription models. The combination of these permissions enables the traffic interception capabilities demonstrated by Phantom Shuttle.

Long-Term Monitoring Implementation:

Network monitoring solutions must incorporate detection rules for synchronous credential injection patterns. Because the extensions answered every authentication challenge from an asyncBlocking onAuthRequired listener, each challenge was satisfied immediately and without the delay a user prompt would introduce, which creates timing anomalies in authentication flows: credentials appear before a prompt would normally have been displayed.

SIEM platforms should flag any Chrome extension that modifies both jquery-1.12.2.min.js and scripts.js files, as this combination enabled the credential theft mechanism. Additionally, monitoring for extensions that bundle modified versions of common JavaScript libraries can identify similar threats.

Organizations should implement certificate pinning for critical internal services to prevent man-in-the-middle attacks even when malicious proxies intercept traffic. This technical control would have limited the extensions' ability to capture credentials from enterprise applications.

Detection engineering teams must create behavioral baselines for developer tool access patterns. The extensions specifically targeted development platforms, making unusual access patterns to GitHub, Docker, or cloud provider consoles potential indicators of compromised developer credentials being exploited.

Finally, security teams should monitor for payment transactions to Chinese payment platforms (Alipay/WeChat Pay) from corporate devices, as these indicate potential subscription payments to malicious services masquerading as legitimate tools.

Browser Extension Security: Why These Bypassed Detection and How to Prevent Recurrence

The Phantom Shuttle extensions evaded detection through a calculated exploitation of Chrome Web Store's review mechanisms and user trust patterns. The attackers published both variants under identical names but with different extension IDs, creating redundancy that ensured continued operation even if one version faced scrutiny. The eight-year gap between the first extension's publication in November 2017 and the second in April 2023 demonstrates how malicious actors leverage time delays to avoid pattern recognition by automated security systems.

The extensions masqueraded as legitimate network testing tools for developers and foreign trade personnel, complete with functional latency testing capabilities that reinforced their apparent legitimacy. This dual-purpose design—providing actual VPN-like functionality while conducting malicious operations—represents a sophisticated social engineering approach that bypasses both technical and human review processes.

Chrome Web Store's vetting process failed to detect the malicious code prepended to standard JavaScript libraries. The attackers modified jquery-1.12.2.min.js and scripts.js files, embedding credential injection mechanisms within commonly used libraries that reviewers might overlook during cursory inspections. The use of asyncBlocking mode for synchronous credential injection and PAC script configuration for proxy routing leveraged legitimate Chrome APIs in ways that automated security scanners classify as normal extension behavior.

The subscription payment model, charging between ¥9.9 and ¥95.9 CNY through Alipay and WeChat Pay integration, created an additional layer of perceived legitimacy. Extensions with payment processing typically undergo additional scrutiny, yet these passed review despite containing hard-coded proxy authentication credentials visible in the source code. The presence of a professional infrastructure hosted on Alibaba Cloud with a functional domain at phantomshuttle[.]space further reinforced the appearance of a legitimate business operation.

Organizations must implement comprehensive extension governance policies to prevent similar compromises. Extension allowlisting represents the most effective control, restricting browser add-ons to a pre-approved inventory verified by security teams. This approach requires maintaining a centralized repository of permitted extensions with documented business justifications for each approval.

Behavioral monitoring systems should flag extensions that combine specific permission patterns: proxy configuration capabilities paired with webRequest API access, particularly when targeting authentication events. Security teams need visibility into extensions that modify PAC scripts or inject credentials into HTTP authentication challenges—behaviors that legitimate productivity tools rarely require.

  • Deploy enterprise browser management policies that enforce extension installation restrictions through Group Policy or mobile device management platforms
  • Monitor for extensions requesting permissions to "Read and change all data on websites" combined with proxy management capabilities
  • Implement network traffic analysis to detect connections to suspicious domains following extension installations, particularly those with heartbeat patterns at regular intervals
  • Establish user training programs that emphasize reviewing extension permissions before installation, focusing on the risks of proxy-related permissions
  • Create incident response playbooks specifically for browser extension compromises, including credential rotation procedures for affected users
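The permission review called for here and in the earlier "Short-Term Response" section, as an added example (not the project's code and not the researchers' tooling): a manifest assessment that flags the proxy + webRequest + all-sites combination, plus a banner check for a bundled jQuery file with code prepended to it. The manifests, names and versions are constructed, and the jQuery banner test is a heuristic, not a complete tamper check.

```javascript
// Permission groups whose combination reproduces the capability described above:
// rewriting proxy settings, intercepting authentication challenges, on every site.
const PROXY_CONTROL = ["proxy"];
const AUTH_INTERCEPT = ["webRequest", "webRequestBlocking", "webRequestAuthProvider"];
const EVERY_SITE = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Collect every permission string a manifest can declare (MV2 and MV3 layouts).
function allPermissions(manifest) {
  return [].concat(manifest.permissions || [],
                   manifest.optional_permissions || [],
                   manifest.host_permissions || []);
}

// Score a manifest: all three groups together is the Phantom Shuttle-style profile,
// any one alone is worth a look, none is low risk.
function assessManifest(manifest) {
  const declared = new Set(allPermissions(manifest));
  const hasAny = group => group.some(p => declared.has(p));
  const findings = [];
  if (hasAny(PROXY_CONTROL)) findings.push("can change proxy settings or install a PAC script");
  if (hasAny(AUTH_INTERCEPT)) findings.push("can observe or answer HTTP authentication challenges");
  if (hasAny(EVERY_SITE)) findings.push("applies to every site the user visits");
  const risk = findings.length === 3 ? "high" : findings.length > 0 ? "review" : "low";
  return { name: manifest.name, version: manifest.version, risk, findings };
}

// A vendored minified jQuery opens with its license banner; bytes before it are
// prepended code. Heuristic only: it catches the pattern described above, not
// every way of tampering with a bundled library.
const JQUERY_BANNER = /^\/\*! jQuery v\d/;
function bundledJqueryLooksModified(filename, head) {
  if (!/^jquery[-.\w]*\.js$/i.test(filename)) return false;
  return !JQUERY_BANNER.test(head.trimStart());
}

// Constructed manifests (names and versions are made up, not the real extensions).
const RISKY_MANIFEST = {
  manifest_version: 2, name: "NetLatency Tester (constructed)", version: "0.1",
  permissions: ["proxy", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
  background: { scripts: ["jquery-1.12.2.min.js", "scripts.js"] },
};
const BENIGN_MANIFEST = {
  manifest_version: 3, name: "Tab Notes (constructed)", version: "2.0",
  permissions: ["storage", "tabs"],
};

console.log(assessManifest(RISKY_MANIFEST));
console.log(assessManifest(BENIGN_MANIFEST));
console.log(bundledJqueryLooksModified("jquery-1.12.2.min.js",
  "(function(){ /* constructed prepended code */ })();/*! jQuery v1.12.2 | (c) jQuery Foundation | jquery.org/license */"));
```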

The persistence of these malicious extensions across an eight-year operational window highlights the need for periodic extension audits. Organizations should review all installed extensions across their fleet quarterly, verifying that each remains necessary and checking for developer reputation changes or ownership transfers that might indicate compromise.

Credential Exposure Scope: Determining Your Organization's Risk Level

Organizations must conduct a systematic assessment to determine whether their domains appeared among the targeted sites and evaluate the extent of potential credential exposure. The comprehensive nature of this attack—spanning developer platforms, cloud services, enterprise solutions, and social media—means most technology-focused organizations likely face some level of exposure.

The attackers specifically targeted high-value domains across multiple categories. Developer platforms included GitHub, Stack Overflow, and Docker, while cloud service providers encompassed Amazon Web Services, Digital Ocean, and Microsoft Azure. Enterprise solution vendors such as Cisco, IBM, and VMware also appeared on the target list.

Social media platforms including Facebook, Instagram, and Twitter were targeted alongside adult content sites, a deliberate inclusion that Socket researchers suggest was intended for potential blackmail operations. This diverse targeting strategy maximized the attackers' ability to harvest valuable credentials across personal and professional contexts.

Organizations can identify potential compromise through several concrete indicators. The malicious extensions communicated with the command-and-control server at phantomshuttle[.]space, which remains operational. Network logs showing connections to this domain indicate active credential exfiltration occurred.

The extensions transmitted victim data via HTTP GET requests every five minutes when VIP mode was active. These heartbeat messages contained email addresses, passwords in plaintext, and version numbers—all transmitted without encryption. Organizations should search network traffic logs for these unencrypted transmissions to phantomshuttle[.]space.

Payment records provide another avenue for victim identification. Users who paid subscription fees ranging from ¥9.9 to ¥95.9 CNY through Alipay or WeChat Pay between November 2017 and present likely had VIP mode activated, triggering the credential theft mechanisms. Finance departments should review expense reports for these specific payment amounts to Chinese payment processors.

The credential harvesting occurred through three distinct proxy modes configured via PAC scripts. The "smarty" mode specifically targeted the 170+ domains, while "always" mode routed all web traffic through attacker-controlled proxies. Organizations whose employees accessed corporate resources while either mode was active face comprehensive credential compromise.

For organizations confirmed as targets, the credential reset scope must account for the eight-year operational window. Any credentials used to access the targeted domains between November 2017 and January 2026 require immediate rotation. This includes service accounts, API keys, and access tokens—not just user passwords.

The timing of credential resets requires careful coordination. Organizations should first identify all affected accounts through the indicators described above, then execute simultaneous password resets to prevent attackers from using compromised credentials to maintain access during a staggered reset process. Priority should go to administrative accounts and those with access to sensitive data or critical infrastructure.

Credential monitoring services can help identify whether harvested credentials have appeared in underground markets or been used in unauthorized access attempts. Organizations should specifically monitor for authentication attempts from IP addresses associated with Alibaba Cloud infrastructure, where the C2 domain was hosted.

User Notification and Remediation: Managing the Communication and Recovery

Effective user communication following the Phantom Shuttle extension compromise requires balancing transparency with measured response to prevent unnecessary alarm while ensuring complete remediation. The notification strategy must address the unique challenge of explaining how a paid subscription service actually functioned as a credential harvesting mechanism.

Initial User Notification Template

Subject line messaging should avoid terms like "breach" or "hack" that might trigger panic or legal concerns before full assessment. Instead, organizations should frame the communication as: "Required Security Action: Chrome Extension Review and Password Reset Required."

The opening paragraph should establish context without technical jargon: "Our security team has identified that certain Chrome browser extensions installed between November 2017 and present may have exposed login credentials when accessing company resources. These extensions, marketed as network speed testing tools, contained hidden functionality that captured authentication information."

Explaining the Exposure Scope

Users need clear understanding of what information was potentially compromised without overwhelming technical detail. The notification should specify: "If employees installed either Phantom Shuttle extension and accessed company systems through Chrome, the following data may have been exposed: usernames and passwords for all websites visited, authentication tokens for cloud services, form data including payment information entered while the extension was active, and browsing history for sites accessed during VIP mode operation."

Organizations should explicitly list their affected domains if they appeared among the targeted sites. Rather than providing the full 170+ domain list, focus on company-relevant platforms: "Our analysis indicates potential exposure for employees who accessed our GitHub repositories, AWS management console, or Microsoft Azure portal while these extensions were installed."

Required User Actions and Timeline

The notification must provide clear, sequenced steps with specific deadlines. Primary actions should include: "By [Date + 48 hours]: Remove both Phantom Shuttle extensions from Chrome if present. By [Date + 72 hours]: Reset passwords for all corporate accounts accessed through Chrome since November 2017. By [Date + 5 days]: Enable two-factor authentication on all business-critical accounts."

For users who paid subscription fees to the extensions, additional guidance is necessary: "Employees who purchased VIP subscriptions should immediately contact their financial institutions to monitor for unauthorized transactions, as payment information was transmitted to attacker-controlled servers."

Identity Protection Service Considerations

The decision to offer credit monitoring depends on the organization's assessment of financial data exposure. Given that the extensions captured form data and payment information, organizations whose employees made purchases through affected browsers should consider providing identity protection services for at least 12 months.

The notification should frame this offering: "Due to the potential exposure of payment information and personal data, the company will provide complimentary identity monitoring services through [Provider] for affected employees. Enrollment instructions will follow in a separate communication."

Regulatory Compliance Requirements

Under GDPR Article 34, organizations must notify affected individuals when personal data breaches create high risk to rights and freedoms. The eight-year operational window and plaintext password transmission to phantomshuttle[.]space likely triggers this requirement for EU residents. State breach notification laws vary, but California's requirement for notification within reasonable time after discovery applies given the exposure of authentication credentials.

Organizations should document notification timing: "This communication fulfills our obligation to notify potentially affected individuals within 72 hours of confirming the security incident, as required by applicable data protection regulations."
