
BREAKING: Chrome Extensions Secretly Stealing Credentials on 170+ Sites


Hoplon InfoSec

24 Dec, 2025

Is your browser right now putting your passwords at risk without you knowing it?

As of December 2025, security researchers confirmed that two Chrome extensions were secretly collecting login information from more than 170 websites without users knowing anything was wrong. Trusted cybersecurity news sites like The Hacker News say that this incident shows a growing and dangerous trend: Chrome extensions stealing credentials is no longer just a theory; it is happening right now.

This article explains what really happened, how these extensions worked, why Chrome users and businesses should care, and what you can do to protect yourself.

The Increasing Issue of Chrome Extensions Taking Passwords

How Browser Extensions Became a Hidden Danger

The purpose of Chrome extensions is to make browsing easier: tools for blocking ads, managing passwords, and getting things done. Over time they became a big part of both work and personal life. Most people don't know how much access extensions really get once they are installed.

People often grant Chrome extensions permission to read and change data on websites without thinking twice. In the wrong hands, that access is an easy way to steal credentials. Attackers don't have to break into a server; they simply sit between the user and the website.

For years, security teams have said that malicious Chrome extensions that steal data are one of the hardest threats to find. They live in trusted browsers, work quietly, and look like normal traffic.



What Sets This Incident Apart

This case is different because of its scale and its intent. These were not abandoned or experimental tools. They were actively maintained, distributed through legitimate channels, and aimed at a wide range of services, such as cloud platforms, developer tools, and business dashboards.

Researchers found that the extensions intercepted browser traffic, harvested login information, and sent it out through a command and control proxy. This is not ordinary spyware. This is planned, covert credential theft built to scale.

Over 170 sites were affected, which shows how dangerous a single compromised extension can be once it reaches a large user base.


How the Bad Chrome Extensions Worked: Getting Credentials at the Browser Level

At a technical level, these extensions abused Chrome's permission model. Once installed, they could observe network requests and modify web traffic. This let them intercept traffic and copy login information before it was encrypted for transport.

People often call this type of malware "browser traffic interception malware." The extension keeps an eye on login forms, session tokens, and API keys in real time. It doesn't need to break passwords. It just copies them as users type.

In some cases, researchers have seen extensions steal cloud credentials, such as tokens used for developer services and enterprise platforms. This makes it very likely that Chrome extensions are also stealing AWS credentials and other important keys.

The Phantom Shuttle Malware Connection: Investigators linked the activity to a known threat cluster often called Phantom Shuttle malware. This group has used proxy-based attacks in the past to steal credentials at scale.

The extensions worked as local collection points, sending stolen data to remote servers under the attackers' control. From there, the credentials could be sold, reused, or weaponized for deeper attacks.


This shows that Phantom Shuttle remains a serious threat and that its methods are shifting toward attacks that happen inside the browser rather than traditional malware.


Why Is Chrome Extension Credential Theft So Hard to Detect?

No pop-ups, no crashes, no warnings

One of the most disturbing things about this attack is how hard it was to see. Users said there were no slowdowns, no alerts, and no strange behavior. On the outside, everything looked normal.

That's because extensions that steal browser credentials don't have to act aggressively. They listen in silence, copy data, and send it out in the background. Antivirus programs often miss this because nothing is installed at the operating system level.

It's hard for even advanced users to tell if a Chrome extension is stealing passwords because the browser itself still works as it should.

Businesses Face Even Bigger Risks

For businesses, the damage grows quickly. One employee using a hacked extension can put admin passwords, internal dashboards, or production systems at risk.

This is why the security of enterprise browser extensions is now a top concern for CISOs. Unlike phishing emails, extensions don't rely on trickery alone. They rely on trust in the Chrome Web Store, and that trust isn't always warranted.

Many businesses still don't have a formal extension risk assessment service, which means they are at risk of having their credentials stolen without them knowing.

What Users Should Do Right Away

• Go through all of your installed extensions and get rid of any that you don't use regularly.

• Check permissions and be careful with extensions that want access to all websites.

• If you installed a risky extension, change the passwords for important accounts.

• Enable multi-factor authentication whenever you can.

• Keep an eye on account activity for strange logins or API usage.


These steps won't fix everything, but they make things a lot safer. For individual users, this is usually enough to stop further damage.
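The permission review described in the section on how the extensions worked and in the "check permissions" step above can be automated. The script below is an added example written for this article, not the researchers' tooling or any Hoplon product. It reads the manifest.json of each installed extension under a Chrome profile directory (the default paths are standard Chrome locations and are an assumption of the script) and flags the combination this incident relied on: access to every site together with traffic-interception APIs such as webRequest or proxy. The two sample manifests at the bottom are constructed for the demonstration and do not describe real extensions.

```python
"""Audit Chrome extension manifests for the permission combinations that make
credential theft possible: broad host access plus traffic-interception or
session-access APIs. Added example, not part of the article or any vendor tool."""
import json
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# APIs that let an extension observe, reroute or rewrite network traffic.
TRAFFIC_APIS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess", "proxy", "debugger",
}
# APIs that expose session material or allow code injection into pages.
SESSION_APIS = {"cookies", "scripting", "webNavigation"}


def host_patterns(manifest: dict) -> set:
    """Collect every host match pattern the manifest declares.

    Manifest V3 lists hosts in "host_permissions"; Manifest V2 mixed them
    into "permissions"; content scripts declare their own "matches".
    """
    patterns = set(manifest.get("host_permissions", []))
    patterns.update(p for p in manifest.get("permissions", [])
                    if p == "<all_urls>" or "://" in p)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def assess_manifest(manifest: dict) -> dict:
    """Return a risk level (HIGH/MEDIUM/LOW) with the findings behind it."""
    apis = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = host_patterns(manifest)
    broad = sorted(h for h in hosts if h in BROAD_HOST_PATTERNS)
    traffic = sorted(apis & TRAFFIC_APIS)
    session = sorted(apis & SESSION_APIS)

    findings = []
    if broad:
        findings.append(f"access to all sites via {', '.join(broad)}")
    if traffic:
        findings.append(f"traffic interception APIs: {', '.join(traffic)}")
    if session:
        findings.append(f"session/injection APIs: {', '.join(session)}")

    # Broad host access combined with traffic APIs is the profile of an
    # extension that can copy logins in transit; flag it first.
    if broad and traffic:
        level = "HIGH"
    elif (broad and session) or traffic:
        level = "MEDIUM"
    else:
        level = "LOW"
    return {"name": manifest.get("name", "<unnamed>"), "level": level, "findings": findings}


def scan_extensions_dir(root) -> list:
    """Assess every manifest.json below a Chrome profile's Extensions folder.

    Typical roots (assumed standard Chrome locations, not from the article):
      Linux:   ~/.config/google-chrome/Default/Extensions
      Windows: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions
    """
    results = []
    for manifest_path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON; skip rather than abort the audit
        report = assess_manifest(manifest)
        report["path"] = str(manifest_path)
        results.append(report)
    return results


# Constructed sample manifests (not real extensions): one with the dangerous
# combination, one with the minimal permissions a note-taking tool might need.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Traffic Helper (constructed)",
    "permissions": ["webRequest", "cookies", "proxy", "storage"],
    "host_permissions": ["<all_urls>"],
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Notes (constructed)",
    "permissions": ["storage"],
}

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "~/.config/google-chrome/Default/Extensions"
    for r in scan_extensions_dir(Path(root).expanduser()):
        print(f"[{r['level']}] {r['name']}: {'; '.join(r['findings']) or 'no risky permissions'}")
```

Run it with the path to a profile's Extensions folder as the only argument. A HIGH result is not proof of theft, since legitimate ad blockers and password managers request similar permissions; it is the shortlist that deserves a closer look at who publishes the extension and whether you still need it.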


How to Safely Get Rid of a Bad Chrome Extension

1. Go to Extensions in the settings for Chrome.
2. Turn off any extensions that look suspicious right away.
3. Don't just turn off the extension; take it out completely.
4. Clear the browser's data, such as cookies and site permissions.
5. If you think your credentials have been exposed, reset your saved passwords.

It's important to know how to properly remove spyware Chrome extensions. If you just uninstall without changing your passwords, your accounts are still at risk.

Protection for Businesses Against Extension-Based Attacks

Why Allow-Listing Is No Longer Optional

Companies should stop using open extension policies. Only tools that have been vetted through a Chrome extension allow-list process should be installable.

This greatly lowers the chance that employees who work with sensitive systems are exposed to threats on the Chrome Web Store.
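Chrome supports the allow-list approach described above through its enterprise policies. The script below is an added example, not code from the article or from Google; it builds a policy that blocks every extension and then re-allows only the IDs that passed review. The policy names ExtensionInstallBlocklist and ExtensionInstallAllowlist and the Linux managed-policy directory are Chrome's own; the two extension IDs are constructed placeholders, not real extensions.

```python
"""Generate a Chrome enterprise policy that blocks every extension except an
approved allow-list. Added example, not code from the article. The policy
names and the Linux managed-policy directory are Chrome's; the extension
IDs below are constructed placeholders."""
import json
import re
from pathlib import Path

# Chrome extension IDs are 32 lowercase letters in the range a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")

# Directory Chrome on Linux reads mandatory policies from; on Windows the
# same keys live under HKLM\Software\Policies\Google\Chrome instead.
LINUX_POLICY_DIR = Path("/etc/opt/chrome/policies/managed")


def validate_extension_id(ext_id: str) -> str:
    """Reject anything that is not a well-formed Chrome extension ID."""
    if not EXTENSION_ID.fullmatch(ext_id):
        raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    return ext_id


def build_allowlist_policy(approved_ids) -> dict:
    """Block all extensions ("*") and re-allow only the vetted IDs.

    Entries in ExtensionInstallAllowlist take precedence over the wildcard
    block; Chrome also disables already-installed extensions that the
    policy blocks, so unapproved extensions do not survive the rollout.
    """
    ids = sorted({validate_extension_id(i) for i in approved_ids})
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": ids,
    }


def write_policy(policy: dict, directory: Path = LINUX_POLICY_DIR,
                 filename: str = "extension-allowlist.json") -> Path:
    """Write the policy as JSON where Chrome will pick it up (needs root)."""
    directory.mkdir(parents=True, exist_ok=True)
    target = directory / filename
    target.write_text(json.dumps(policy, indent=2) + "\n", encoding="utf-8")
    return target


def is_install_allowed(policy: dict, ext_id: str) -> bool:
    """Mirror Chrome's decision for a given ID under this policy."""
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return True
    blocked = policy.get("ExtensionInstallBlocklist", [])
    return "*" not in blocked and ext_id not in blocked


# Constructed placeholder IDs standing in for a vetted password manager and
# ad blocker; replace them with the IDs from your own review process.
APPROVED = [
    "abcdefghijklmnopabcdefghijklmnop",
    "ponmlkjihgfedcbaponmlkjihgfedcba",
]

if __name__ == "__main__":
    policy = build_allowlist_policy(APPROVED)
    print(json.dumps(policy, indent=2))
    # write_policy(policy)  # uncomment on a managed Linux host; Chrome reloads policy on restart
```

The same two keys can be pushed from Google Admin console or Group Policy on managed fleets; the JSON file is simply the lowest-effort way to enforce it on Linux workstations. Whatever the channel, the review that populates the allow-list is where the real work is, and it should be repeated when an approved extension changes ownership or requests new permissions.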

Things That Really Help

Some good ways to protect yourself are:

• Extension scanning tools that look at behavior as well as code

• Browser monitoring tools that flag strange network activity

• Managed security services for Chrome extensions

• Regular audits using an enterprise security extension audit process

A professional cybersecurity audit for browser malware can find threats that your own teams might miss.

What This Means for the Future in the Real World

The rise of Chrome extensions that steal passwords makes us think differently about browser security. Browsers are no longer just tools. They are places where attacks can happen.

As more work moves to web apps, extensions become very valuable targets. Attackers know that stealing credentials at the browser level gets around a lot of standard defenses.

This event is not unusual. It's a warning.



Frequently Asked Questions

Can Chrome add-ons take your login information?
Yes. If you permit them, Chrome extensions can read your web traffic and get your login information without you knowing.

How can I tell if an extension is bad?
Check for strange permissions, developers you don't know, and extensions that can get to any website. For businesses, use special tools to scan extensions.

What is the malware called Phantom Shuttle?
Phantom Shuttle is a known group of threats that use proxy interception and browser-based malware to steal credentials.

Are paid Chrome add-ons safer?
Not all the time. Being paid does not mean you are safe. You should look at each extension's behavior and permissions before using it.

Final Thoughts

This incident shows that Chrome extensions that steal credentials are a real and growing threat, not just a theoretical one. Two extensions, one quiet attack chain, and the login information for more than 170 sites were stolen without users knowing.

The point is clear. Trust should never be automatic. Browser extensions should be scrutinized just like any other piece of software, whether you use them as an individual or as a business.

If you use Chrome a lot for work, now is the time to check your extensions, check who has access, and take browser security seriously. It's much cheaper to stop something from happening than to fix it.

 
