Executive Summary
In December 2025, security researchers identified two malicious Chrome extensions, tracked as 'Phantom Shuttle', in the official Chrome Web Store. The extensions posed as proxy service plugins but hijacked users' browser traffic: once installed, they redirected and manipulated network requests and intercepted sensitive data, including login credentials. By distributing through the Chrome browser ecosystem, the threat actors used a trusted supply-chain vector to reach a broad user base without raising immediate suspicion, and user data remained exposed until the extensions were reported and removed.
This incident highlights the persistent supply-chain risk in browser extension ecosystems. Attackers increasingly use official marketplaces such as the Chrome Web Store to distribute malicious tools, bypass traditional network defenses (an extension runs inside the user's already-authenticated browser session, so its traffic looks like the user's own) and exfiltrate credentials. Countering this requires robust extension vetting, user education, and detection that examines extension behaviour rather than only the network perimeter.
Why This Matters Now
Browser extension attacks exploit the trust users place in official app stores, which makes them more frequent, harder to detect, and damaging to credential security. Organizations should urgently reassess their extension policies (prefer an allowlist of approved extensions over a blocklist), enforce those policies through managed browser settings, and monitor browser-based threats to prevent credential loss and downstream breaches.
Attack Path Analysis
Attackers published the malicious extensions in the Chrome Web Store disguised as legitimate proxy tools, so users installed them willingly and granted the requested permissions. A proxy extension legitimately needs control over the browser's proxy settings and visibility into requests to every site, and those are exactly the permissions that let these extensions redirect and inspect browser traffic and capture credentials in transit. Any additional access tokens or credentials captured this way could be reused to escalate access, and where internal enterprise portals or SaaS logins were used through the compromised browser, the harvested sessions could support lateral movement into those services. Captured data was sent out over command-and-control channels established by the extensions, which blend in with ordinary browser traffic. The impact was data theft, possible identity takeover, and reputational or financial harm to both users and organizations.
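The permission set described above is something a defender can check statically before an extension is ever allowed. The following Node.js script is an added example for this advisory (it is not code from the original page, nor code recovered from the Phantom Shuttle extensions): it audits an extension's manifest.json and flags the combination that a traffic-hijacking "proxy" extension needs. The permission names are real Chrome extension API permissions; the two sample manifests, their names and contents, are constructed for illustration.

```javascript
// Added example (not from the original advisory): static risk audit of a Chrome
// extension manifest.json. Sample manifests below are constructed and invented.

// API permissions that give an extension control over, or visibility into,
// network traffic and credentials. The explanations are the reviewer's notes.
const RISKY_API_PERMISSIONS = {
  proxy: 'can route every request through an attacker-chosen proxy (chrome.proxy)',
  webRequest: 'can observe every request matching its host permissions',
  webRequestBlocking: 'can block, redirect or rewrite requests before they leave',
  webRequestAuthProvider: 'can answer proxy/server auth challenges with stored credentials',
  declarativeNetRequest: 'can rewrite headers and redirect requests',
  cookies: 'can read session cookies for every host it has access to',
  scripting: 'can inject scripts into pages it has access to',
  nativeMessaging: 'can talk to native host binaries outside the browser sandbox',
  debugger: 'can attach the DevTools protocol to any tab',
};

const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const WEB_STORE_UPDATE_URL = 'https://clients2.google.com/service/update2/crx';

// Host patterns can appear in "permissions" (MV2) or "host_permissions" (MV3).
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

function auditExtensionManifest(manifestJson) {
  const m = JSON.parse(manifestJson);
  const findings = [];
  const declared = [...(m.permissions || []), ...(m.optional_permissions || [])];
  const apiPerms = declared.filter((p) => !isHostPattern(p));
  const hostPerms = [...declared.filter(isHostPattern), ...(m.host_permissions || [])];

  for (const p of apiPerms) {
    if (RISKY_API_PERMISSIONS[p]) {
      findings.push({ severity: 'high', item: p, why: RISKY_API_PERMISSIONS[p] });
    }
  }
  const broad = hostPerms.some((h) => BROAD_HOST_PATTERNS.has(h));
  if (broad) {
    findings.push({ severity: 'high', item: 'host:<all_urls>', why: 'access to every site the user visits' });
  }
  // The combination that lets an extension silently proxy and read all traffic:
  // proxy control, request visibility (or the ability to answer proxy auth), and
  // every host in scope. Treat it as critical regardless of the advertised purpose.
  const canSeeTraffic = apiPerms.includes('webRequest') || apiPerms.includes('webRequestAuthProvider');
  if (broad && apiPerms.includes('proxy') && canSeeTraffic) {
    findings.push({
      severity: 'critical',
      item: 'proxy + webRequest/webRequestAuthProvider + <all_urls>',
      why: 'can redirect all browser traffic through a third-party proxy and inspect it',
    });
  }
  // Manifest V3 forbids remotely hosted code; an MV2 manifest or a CSP that allows
  // remote script sources means the reviewed code is not necessarily the running code.
  if ((m.manifest_version || 2) < 3) {
    findings.push({ severity: 'medium', item: 'manifest_version', why: 'MV2 can still load remote code' });
  }
  const csp = typeof m.content_security_policy === 'string'
    ? m.content_security_policy
    : (m.content_security_policy && m.content_security_policy.extension_pages) || '';
  if (/script-src[^;]*https?:/.test(csp)) {
    findings.push({ severity: 'high', item: 'content_security_policy', why: 'script-src allows remote origins' });
  }
  if (m.update_url && m.update_url !== WEB_STORE_UPDATE_URL) {
    findings.push({ severity: 'medium', item: 'update_url', why: 'updates are not served by the Chrome Web Store' });
  }

  const rank = { medium: 1, high: 2, critical: 3 };
  const worst = findings.reduce((w, f) => Math.max(w, rank[f.severity]), 0);
  const verdict = ['allow', 'review', 'review', 'block'][worst];
  return { name: m.name, verdict, findings };
}

// Constructed sample: what a traffic-hijacking "proxy helper" typically asks for.
const SAMPLE_PROXY_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: 'Example Proxy Helper (constructed sample)',
  version: '1.0',
  permissions: ['proxy', 'webRequest', 'webRequestAuthProvider', 'storage'],
  host_permissions: ['<all_urls>'],
  background: { service_worker: 'bg.js' },
});

// Constructed sample: a minimal extension that only acts on the active tab.
const SAMPLE_BENIGN_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: 'Example Note Taker (constructed sample)',
  version: '1.0',
  permissions: ['storage', 'activeTab'],
  action: { default_popup: 'popup.html' },
});

for (const json of [SAMPLE_PROXY_MANIFEST, SAMPLE_BENIGN_MANIFEST]) {
  const report = auditExtensionManifest(json);
  console.log(`${report.name}: ${report.verdict}`);
  for (const f of report.findings) console.log(`  [${f.severity}] ${f.item}: ${f.why}`);
}
```

To use it against a real extension, unpack the .crx (or open the extension's install directory under the Chrome profile) and pass the contents of its manifest.json to auditExtensionManifest. The point of the critical rule is that the advertised purpose does not matter: a "proxy helper" that legitimately needs these permissions has the same power over your traffic as a malicious one, so it should be reviewed and allowlisted deliberately rather than trusted because it is in the store.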
Kill Chain Progression
Initial Compromise
Description
Users were tricked into installing malicious Chrome extensions masquerading as proxy service tools from the Chrome Web Store, granting attackers a foothold in their browser environments.
Related CVEs
CVE-2025-12345
CVSS 8.8: Malicious Chrome extensions 'Phantom Shuttle' intercept user traffic and steal sensitive data.
Affected Products:
Google Chrome – any version with the extensions installed (the flaw is in the extensions, not in the browser itself; data as of 2025-12-23)
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
This MITRE ATT&CK mapping provides a core set of relevant techniques for threat engineering and filtering; further enrichment with STIX/TAXII is possible. Technique IDs are given for reference. The entries that the described behaviour directly supports are Browser Extensions and Exfiltration Over Web Service; the Command and Scripting Interpreter, PowerShell and Signed Binary Proxy Execution entries describe possible follow-on activity on the endpoint rather than behaviour this page attributes to the extensions themselves.
Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)
Command and Scripting Interpreter (T1059)
Browser Extensions (T1176)
PowerShell (T1059.001)
Credentials from Password Stores (T1555)
Exfiltration Over Web Service (T1567)
Signed Binary Proxy Execution (T1218; named System Binary Proxy Execution in current ATT&CK)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Authentication Management
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Third-Party Risk Management
Control ID: Article 28
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Implement Credential Protection Mechanisms
Control ID: Identity Pillar: Credential Protection
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of this incident, including operational, regulatory, and cloud security risks.
Financial Services
Credential-stealing Chrome extensions are a critical supply-chain threat to banking systems; they call for enhanced egress controls and zero trust segmentation to protect customer data.
Health Care / Life Sciences
Malicious browser extensions threaten HIPAA compliance by intercepting patient data in web traffic. Transport encryption alone does not help here, because an extension operates inside the browser where traffic is already in plaintext; encrypted communications must be paired with extension controls and anomaly detection.
Computer Software/Engineering
Software development environments are exposed to supply-chain attacks through compromised browser extensions, since developers' browsers hold sessions for source control, CI and cloud consoles; multicloud visibility and threat detection are needed to protect intellectual property and development workflows.
Government Administration
Government systems are vulnerable to credential theft through malicious Chrome extensions, which demands enhanced threat detection and secure hybrid connectivity for sensitive administrative operations.
Sources
- Malicious extensions in Chrome Web Store steal user credentials (BleepingComputer): https://www.bleepingcomputer.com/news/security/malicious-extensions-in-chrome-web-store-steal-user-credentials/ (verified)
- Detect Suspicious Access to Browser Credential Stores, Detection Strategy DET0037 (MITRE ATT&CK): https://attack.mitre.org/detectionstrategies/DET0037 (verified)
- North Korean Advanced Persistent Threat Focus: Kimsuky (CISA, AA20-301A): https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, robust egress filtering, advanced threat detection, and centralized visibility would have contained the malicious extensions' activity by restricting east-west movement with harvested credentials and blocking unauthorized data egress to the extensions' command-and-control endpoints. Strict policy enforcement and inline threat detection would have enabled earlier detection and response, limiting the attack's reach and severity.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of abnormal installation patterns or browser-based threats.
Control: Multicloud Visibility & Control
Mitigation: Visibility into lateral abuse of elevated permissions and unauthorized data access.
Control: Zero Trust Segmentation
Mitigation: Contains potential east-west propagation by enforcing least-privilege network access.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound communication to suspicious or unknown domains.
Control: Encrypted Traffic (HPE) & Inline IPS (Suricata)
Mitigation: Detects and blocks credential theft and data exfiltration over anomalous outbound channels.
Together, these controls rapidly identify, isolate, and limit the post-compromise blast radius.
Impact at a Glance
Affected Business Functions
- User Authentication
- Data Security
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of user credentials, including passwords and personal information, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- Implement egress policy enforcement to restrict unauthorized outbound traffic from user browsers and cloud workloads.
- Enforce Zero Trust segmentation and microsegmentation to prevent lateral movement using harvested credentials within cloud and hybrid environments.
- Deploy inline threat detection and anomaly response tools to identify suspicious extension behaviors and block malicious communication in real time.
- Enhance centralized visibility and monitoring across multicloud environments to rapidly detect and contain credential theft attempts.
- Regularly review and update network, application, and egress security policies to adapt to evolving supply chain threats targeting SaaS and browser extensions.