- Trust Wallet extension was compromised after developer GitHub secrets leaked, enabling malicious uploads to the Chrome Web Store.
- The attacker deployed a trojanized extension that harvested wallet mnemonic phrases, draining about $8.5 million from 2,520 addresses.
- The breach ties to the Shai-Hulud supply chain campaign; a new Shai-Hulud 3.0 variant has appeared with improved obfuscation.
- Trust Wallet opened a reimbursement claim process and added monitoring and release controls.
Trust Wallet reported that a supply chain intrusion linked to the Shai-Hulud campaign led to a compromise of its Google Chrome extension. The company said the incident traces back to leaked developer GitHub secrets that exposed the extension source and a Chrome Web Store API key (post-mortem said).
“Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said. The attacker used the leaked key to obtain full CWS API access and upload builds without Trust Wallet’s normal approval process.
The actor registered the domain “metrics-trustwallet[.]com” and pushed a trojanized extension to a subdomain. The malicious build contained a backdoor that collected users’ wallet mnemonic phrases. (Definition: a mnemonic phrase is a sequence of words used to recover a cryptocurrency wallet.)
The malicious update was pushed on December 24, 2025, and the first wallet-draining activity was reported the next day. About $8.5 million was stolen from roughly 2,520 wallet addresses and moved to at least 17 attacker-controlled addresses.
Trust Wallet has opened a reimbursement claim process for impacted users and is reviewing claims case by case to separate victims from potential fraud. The company also said it has implemented additional monitoring and controls for its release process (post-mortem said).
Shai-Hulud is described as an industry-wide software supply chain attack (Definition: a supply chain attack inserts malicious code into trusted software dependencies to reach many targets). The campaign has evolved into a 3.0 variant. “The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques,” Upwind researchers Guy Gilad and Moshe Hassan said.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Microsoft Hits $4T; Analysts Forecast 30% MSFT Gains in 2026
- NLRB Drops Enforcement, Lawyers Ask Dismissal of SpaceX Case
- Wall Street Readies Legal Fight Against Crypto’s 2026 Surge.
- DarkSpectre browser extensions steal meeting intel from 2.2M
- Lighter airdrops 250M LIT, valuing firm at $2.5B after debut
