
Critical Security Alert: Dangerous Browser Extensions Targeting Developer Data


Tech News 24×7, 30 December, 2025: In late December 2025, cybersecurity researchers from Socket and CyberInsider uncovered a sophisticated, long-running cyber-espionage operation involving two Google Chrome extensions named “Phantom Shuttle” (幻影穿梭). These extensions, which have been active since 2017, masquerade as legitimate VPN and network speed-testing tools but are designed to steal sensitive user data.

How the Scam Works

  1. The Facade: The extensions offer a professional interface for developers and trade professionals to test network latency and use a VPN service via a paid subscription (ranging from $1.40 to $13.50 USD).
  2. The “Smarty” Trap: Once a user pays and logs in, the extension activates a “Smarty” proxy mode. This mode silently routes traffic from over 170 high-value domains—including GitHub, AWS, Twitter, and Facebook—through attacker-controlled servers.
  3. Data Exfiltration: Using a “Man-in-the-Middle” (MitM) technique, the extension captures plaintext credentials (usernames and passwords), session cookies, and API tokens. It even maintains a “heartbeat” mechanism that sends the user’s data to the attacker’s server every five minutes.

Technical Profile

  • Extension IDs: fbfldogmkadejddihifklefknmikncaj and ocpcmfmiidofonkbodpdhgddhlcmcofd
  • Threat Actor Location: Likely based in China (uses Alipay/WeChat Pay and Alibaba Cloud hosting).
  • Affected Sites: Over 170 domains (Cloud consoles, social media, and developer platforms).
  • Detection Evasion: The malicious code was hidden inside tampered versions of legitimate JavaScript libraries like jQuery.

Urgent Action Required

If you have either of these extensions installed:

  1. Remove them immediately via chrome://extensions.
  2. Clear your browser cookies and cache.
  3. Change passwords for any sensitive accounts (banking, email, cloud) accessed while the extension was active.
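The two extension IDs listed under Technical Profile, together with the "Smarty" proxy behaviour described under How the Scam Works, give a defender two concrete things to check on an endpoint: whether either ID is installed, and whether any installed extension declares the Chrome permissions that would let it redirect or inspect traffic the way this one does. The script below is an added example, not code from the article or from Socket's report. It assumes Chrome's default per-user profile locations (`User Data` on Windows, `Application Support/Google/Chrome` on macOS, `~/.config/google-chrome` and `~/.config/chromium` on Linux) and the standard on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; the permission names `proxy`, `webRequest`, `webRequestBlocking` and `<all_urls>` are real Chrome extension permissions, and the sample profile it builds in a temporary directory is constructed here purely for demonstration.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Extension IDs named in the article above (Phantom Shuttle).
PHANTOM_SHUTTLE_IDS = {
    "fbfldogmkadejddihifklefknmikncaj",
    "ocpcmfmiidofonkbodpdhgddhlcmcofd",
}

# Chrome permissions that allow an extension to reroute or read traffic.
HIGH_RISK_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking", "<all_urls>"}


def chrome_profile_roots():
    """Candidate Chrome user-data directories for the current user.
    These are the default install paths (an assumption for this example)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local"))
        return [Path(local) / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


def manifest_permissions(manifest):
    """Collect declared permissions from an MV2 or MV3 manifest dict."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for p in manifest.get(key, []) or []:
            if isinstance(p, str):
                perms.add(p)
    return perms


def assess_extension(ext_id, manifest):
    """Return a list of findings (empty if nothing noteworthy) for one extension."""
    findings = []
    if ext_id in PHANTOM_SHUTTLE_IDS:
        findings.append("KNOWN_MALICIOUS: Phantom Shuttle extension ID")
    risky = manifest_permissions(manifest) & HIGH_RISK_PERMISSIONS
    if risky:
        findings.append("HIGH_RISK_PERMISSIONS: " + ", ".join(sorted(risky)))
    return findings


def scan_extensions_dir(ext_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each."""
    results = {}
    ext_dir = Path(ext_dir)
    if not ext_dir.is_dir():
        return results
    for id_dir in ext_dir.iterdir():
        if not id_dir.is_dir():
            continue
        for version_dir in id_dir.iterdir():
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash
            findings = assess_extension(id_dir.name, manifest)
            if findings:
                results[id_dir.name] = findings
    return results


def scan_all_profiles():
    """Scan every profile (Default, Profile 1, ...) under each Chrome root."""
    report = {}
    for root in chrome_profile_roots():
        if not root.is_dir():
            continue
        for profile in root.iterdir():
            report.update(scan_extensions_dir(profile / "Extensions"))
    return report


def demo_scan():
    """Build a constructed sample profile in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    ext_dir = root / "Default" / "Extensions"
    samples = {
        "fbfldogmkadejddihifklefknmikncaj": {"permissions": ["proxy", "storage"]},
        "benignexampleextensionidaaaaaaaa": {"permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        mdir = ext_dir / ext_id / "1.0_0"
        mdir.mkdir(parents=True)
        (mdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return scan_extensions_dir(ext_dir)


if __name__ == "__main__":
    hits = scan_all_profiles() if "--demo" not in sys.argv else demo_scan()
    for ext_id, findings in hits.items():
        print(ext_id, "->", "; ".join(findings))
    if not hits:
        print("No flagged extensions found.")
```

Run it without arguments to scan the current user's real Chrome profiles, or with `--demo` to scan the constructed sample. A hit on `KNOWN_MALICIOUS` means the removal and credential-rotation steps above apply; a `HIGH_RISK_PERMISSIONS` finding alone is not proof of malice (legitimate VPN and ad-blocking extensions request the same permissions) but is the short list worth reviewing by hand.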

Official Reference Links

  1. CyberInsider (Detailed Technical Breakdown): Fake Chrome VPN extensions hijack traffic and steal user credentials
  2. The Hacker News (Security Advisory): Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites
  3. Techzine Global (Industry Analysis): Malicious Chrome extensions disguise themselves as proxy services
  4. Socket Official Research (Source Report): Malicious Chrome Extensions: Phantom Shuttle
