Is Phantom safe to use?

Phantom has a risk level of CRITICAL with an overall risk score of 9.6/10. Our scan detected 355 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Phantom request?

Phantom requests the following permissions: activeTab, alarms, identity, storage, scripting, tabs, unlimitedStorage, webRequest, sidePanel. It also requests host access to: http://*/*, https://*/*, file://*/*.

What is Phantom's risk score?

Phantom has an overall risk score of 9.6/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 5.5/10.

ExtSafe

PhantomSecurity Analysis

Chromev26.4.0MV3February 17, 2026 at 01:50 PM

9.6CRITICAL

9.6 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 12 permissions including high-risk ones, 348 code findings, 3 dangerous combinations.

Dangerous Combinations(3)

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

5.5/10

Permissions(12 analyzed)

Code Findings(25 patterns, 348 total)

Libraries(1 detected)

1 library detected

Content Security Policy

CSP Present

Manifest Analysis(2 findings)

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

External Domains(97)

${e.hostname${i${n${r${t*101arrowz.github.ioaapi.devnet.solana.comapi.hyperliquid.xyzapi.mainnet-beta.solana.comapi.phantom.appapi.testnet.solana.comapp.debridge.financeapp.drift.tradeapp.lulo.fiassets.coingecko.comassets.phantom.appauth.phantom.appbit.lyblowfish-blocklist-proxy.phantom.appd20xtzwzcl0ceb.cloudfront.netd3uc069fcn7uxw.cloudfront.netdata.phantom.appdevelopment-juicebox.phantom.appdevelopment-juicebox.phantom.devdhc7eusqrdwa0.cloudfront.netdocs.datadoghq.comdocs.solana.comeasings.neteips.ethereum.orgexplorer.li.fiexplorer.solana.comfb.mefeross.orggas-price-oracle.phantom.appgit.newgithub.comhelp.magiceden.iohelp.phantom.comhyperevmscan.iojuicebox.rpcpool.comjwt.iokamino.comkentcdodds.comkeybase.iolinks.ethers.orglocalhostmempool.spacemeyerweb.comnode-proxy.phantom.apporb.helius.devordinals.comphantom-wallet.zendesk.comphantom.appphantom.compolyfill.ioproduction-juicebox.phantom.appproduction-juicebox.phantom.devraw.githubusercontent.comreach.techreact.devreactjs.orgreactrouter.comrive.apps-c.shsanity-proxy-v2.phantom.appschema.orgsdk-configuration.${lt(sentry-intake.datadoghq.comsola.nasolana.fmsolanabeach.iosolscan.iostaging-api.phantom.appstaging-auth.phantom.appstatic.phantom.appstats-api.dln.tradestorage.googleapis.comstyled-components.comsui-mainnet.mystenlabs.comsuiscan.xyztesttime.phantom.apptrade.phantom.comui.reach.techunisat.iowallet-asset.matic.networkwww.apache.orgwww.datad0g-browser-agent.comwww.datadoghq-browser-agent.comwww.donmccurdy.comwww.gstatic.comwww.jito.networkwww.rfc-editor.orgwww.styled-components.comxray.helius.xyz