Trust Wallet Chrome Extension Breach Tied to Shai-Hulud npm Supply Chain Attack

CyberSecureFox 🦊

At the end of December 2025, the popular non-custodial crypto wallet Trust Wallet disclosed a major security incident: its Google Chrome browser extension was compromised and used to steal user funds. The investigation has linked this breach to the broader Shai-Hulud npm software supply chain campaign, which has been targeting developers, CI/CD pipelines, and secrets across the JavaScript ecosystem.

Trust Wallet Chrome Extension 2.68: From Legitimate Update to Backdoored Release

The malicious activity centered on Trust Wallet Chrome extension version 2.68, which was published to the Chrome Web Store on 24 December. Although it appeared to be an ordinary update, the build contained an additional payload designed to intercept sensitive wallet data and trigger unauthorized on-chain transactions.

According to Trust Wallet’s internal investigation, the attackers managed to compromise at least 2,520 wallet addresses. The total financial impact is estimated at around USD 8.5 million, placing the incident among the more significant consumer crypto wallet breaches to date.

The root cause was traced back to the compromise of a developer’s GitHub account. With this access, the attackers obtained both the extension’s source code and a critical Chrome Web Store (CWS) API key used to publish and update the extension.

Armed with the stolen CWS API key, the adversaries could bypass Trust Wallet’s internal release workflow, which normally relies on manual checks and multi-step approvals. Instead of hacking end-user devices directly, they poisoned the software update pipeline itself, a classic software supply chain attack similar in principle to high-profile cases such as SolarWinds and the 3CX compromise.

To deliver and control the malicious payload, the attackers registered the domain metrics-trustwallet[.]com and its subdomain api.metrics-trustwallet[.]com. The compromised extension communicated with this infrastructure, exfiltrating wallet data to servers controlled by the threat actors.

Shai-Hulud npm Campaign: Large-Scale Theft of Developer Secrets

First wave: worm-like npm malware and harvesting of access tokens

The Shai-Hulud (Sha1-Hulud) campaign gained notoriety as a self-spreading malware operation within the npm ecosystem. In the first wave, detected in early September, the attackers compromised more than 180 npm packages, injecting a worm-like payload that propagated automatically whenever affected dependencies were installed.

The primary objective was not immediate end-user compromise but the collection of developer secrets and access to their infrastructure. The malicious code scanned for API keys, access tokens, passwords, and CI/CD configuration data, using techniques similar to open-source secret-scanning tools such as TruffleHog. Repositories, logs, and configuration files were systematically inspected for leaked credentials.

Second wave: more than 800 legitimate packages and 27,000 malicious uploads

In the second wave, Shai-Hulud scaled dramatically. Security researchers estimate that the attackers compromised over 800 legitimate npm packages and additionally uploaded more than 27,000 overtly malicious packages to the registry.

All of these packages were designed to steal sensitive data from development and CI/CD environments and then automatically publish the harvested secrets to GitHub repositories controlled or monitored by the attackers. In total, approximately 400,000 distinct secrets were exposed across more than 30,000 GitHub repositories.

This broad compromise affected thousands of individual developers and organizations worldwide, including teams working on cryptocurrency and fintech infrastructure. It is highly plausible that, among the stolen credentials, the attackers obtained the GitHub and CWS API credentials associated with Trust Wallet, enabling the subsequent Chrome extension compromise.

Impact on Crypto Users and Emerging Fraud Schemes

Trust Wallet has publicly connected the Chrome extension incident with the broader Shai-Hulud npm supply chain attack, concluding that the worm-like malware enabled attackers to access the extension’s codebase and publishing keys. Using this access, they shipped a trojanized version of the extension that functioned as a backdoor for harvesting wallet data and executing illicit transactions under the guise of a legitimate update.

The company has announced a compensation program for affected users. At the same time, the incident has triggered a new wave of social engineering and phishing attempts. Fraudsters are impersonating Trust Wallet support, distributing fake “compensation” forms, and promoting these scams via Telegram and other channels.

Users are strongly advised to verify any communication related to refunds, recovery, or support through official Trust Wallet websites and apps only. Requests for private keys, seed phrases, or full access to wallets are clear indicators of fraud.

Key Lessons for Software Supply Chain Security in Crypto

The Trust Wallet incident underscores how critical software supply chain security has become for the crypto ecosystem. Even if end users follow basic security hygiene, compromises of developer accounts, npm dependencies, GitHub repositories, CI/CD systems, or publishing platforms like the Chrome Web Store can still lead to mass compromise and direct financial losses.

Effective defenses in this context include:

Strict access control and MFA: Enforce strong authentication and mandatory multi-factor authentication on GitHub, CI/CD, and publishing accounts. Limit access based on the principle of least privilege so that a single compromised account cannot push production releases alone.

Key rotation and secret hygiene: Implement regular rotation of API keys, tokens, and signing credentials, and immediately revoke any keys suspected of exposure. Avoid hard-coding secrets in code or configuration files stored in version control.

Automated dependency and secret scanning: Use software composition analysis (SCA) tools, npm audit mechanisms, and secret-scanning pipelines to detect malicious dependencies and exposed credentials early. Log monitoring and anomaly detection in CI/CD and publishing workflows can help identify suspicious release activity.

Security culture for development teams: Organizations building crypto wallets and exchanges should invest in security training for developers, rigorous npm package vetting, robust protection of GitHub organizations, and hardened CI/CD pipelines, treating supply chain security as a core part of product risk management.
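The detection idea in these recommendations, correlating each store publish with the internal approval trail so that a release pushed with a stolen publishing key outside the normal review flow stands out, as an added example (not code from Trust Wallet or this site). It assumes two JSON-lines event sources, an internal approval tracker and the publishing platform's audit log; the field names, the allowed publishing identity and the sample events are constructed.

```python
# Added example: flag Chrome Web Store publishes that lack a recent multi-person
# approval or were made by an identity other than the release pipeline.
import json
from datetime import datetime, timedelta

APPROVAL_WINDOW = timedelta(hours=24)  # assumption: an approval must precede the publish by < 24h
RELEASE_PRINCIPALS = {"release-bot"}    # assumption: the only identity allowed to publish

# Constructed sample events. "approval" comes from the internal release tracker,
# "cws_publish" from the publishing platform's audit trail.
SAMPLE_LOG = """
{"ts":"2025-12-20T10:00:00Z","type":"approval","version":"2.67","approvers":["alice","bob"]}
{"ts":"2025-12-20T11:30:00Z","type":"cws_publish","version":"2.67","principal":"release-bot"}
{"ts":"2025-12-24T03:12:00Z","type":"cws_publish","version":"2.68","principal":"dev-token-7"}
""".strip()

def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def find_unapproved_publishes(events):
    """Return [(version, reasons)] for every publish that is not backed by a
    two-person approval within APPROVAL_WINDOW or comes from an unexpected principal."""
    approvals = [e for e in events if e["type"] == "approval"]
    findings = []
    for pub in (e for e in events if e["type"] == "cws_publish"):
        reasons = []
        matching = [a for a in approvals
                    if a["version"] == pub["version"]
                    and a["ts"] <= pub["ts"] <= a["ts"] + APPROVAL_WINDOW
                    and len(a["approvers"]) >= 2]
        if not matching:
            reasons.append("no multi-person approval within window")
        if pub["principal"] not in RELEASE_PRINCIPALS:
            reasons.append(f"published by unexpected principal {pub['principal']}")
        if reasons:
            findings.append((pub["version"], reasons))
    return findings

if __name__ == "__main__":
    for version, reasons in find_unapproved_publishes(parse_events(SAMPLE_LOG)):
        print(f"ALERT version {version}: {'; '.join(reasons)}")
```

Run against the constructed log, only the 2.68 publish is flagged, on both counts.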

The Shai-Hulud campaign and the compromise of the Trust Wallet Chrome extension show that attackers increasingly target the weakest links in software delivery chains rather than users directly. Strengthening software supply chain security, staying vigilant about browser extensions and updates, and continuously monitoring wallet activity are now essential practices for both crypto organizations and individual users who want to keep their digital assets safe.
