
Trust Wallet links $8.5 million crypto theft to Shai-Hulud NPM attack

Published:

2 January 2026 at 14:19:40

Alert date:

2 January 2026 at 15:02:20

Source:

bleepingcomputer.com


Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration, Web Technologies

Trust Wallet reports that an $8.5 million cryptocurrency theft affecting over 2,500 wallets is linked to the Shai-Hulud NPM supply chain attack from November. The attack compromised Trust Wallet's browser extension as part of what appears to be an industry-wide campaign targeting the NPM ecosystem. This is a significant supply chain compromise that caused substantial financial losses for cryptocurrency users, and it demonstrates the continuing threat that supply chain attacks pose to popular package repositories.

Technical details

Trust Wallet's Chrome extension version 2.68.0 was compromised after attackers obtained exposed GitHub developer secrets, which gave them access to the browser extension's source code and to Chrome Web Store (CWS) API keys. The attackers registered the domains metrics-trustwallet.com and api.metrics-trustwallet.com to host malicious code, then built a trojanized version of the extension from the legitimate source code with embedded malicious JavaScript. The trojanized extension was published to the Chrome Web Store using the leaked CWS keys, bypassing Trust Wallet's internal approval process. The attack is linked to the Shai-Hulud NPM supply chain attack, which compromised over 800 packages and exposed approximately 400,000 developer secrets across 30,000+ GitHub repositories. That malware used the TruffleHog tool to harvest credentials and had self-propagating capabilities.

Mitigation steps:

Trust Wallet revoked all release APIs to block new version releases, reported the malicious domains to the registrar NiceNIC for suspension, began reimbursing affected users, and warned users about threat actors impersonating Trust Wallet support with fake compensation forms and Telegram scam ads. Organizations should monitor for exposed GitHub secrets, implement proper CI/CD security controls, validate NPM packages before use, and rotate API keys and access tokens regularly.
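As an added example (not part of the original advisory or of Trust Wallet's tooling), the following script turns the advisory's indicators into a check a defender can run against an unpacked browser extension directory: it compares the manifest version with the compromised 2.68.0 release and searches script, HTML and JSON files for the two attacker-registered domains. The extension layout it scans is a constructed sample built in a temporary directory; the helper names are assumptions for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the advisory: the trojanized extension version and
# the attacker-registered domains that hosted the malicious code.
COMPROMISED_VERSION = "2.68.0"
IOC_DOMAINS = ("api.metrics-trustwallet.com", "metrics-trustwallet.com")
# Longest domain first so the subdomain is reported in full; dots are escaped
# so "." cannot match arbitrary characters.
_IOC_RE = re.compile(
    r"\b(" + "|".join(re.escape(d) for d in IOC_DOMAINS) + r")\b", re.IGNORECASE
)
SCANNED_SUFFIXES = (".js", ".html", ".json")


def scan_extension_dir(ext_dir):
    """Check an unpacked Chrome extension directory against the advisory IOCs.

    Returns a dict with the manifest version, whether it equals the compromised
    release, and a list of (relative file, matched domain) hits.
    """
    ext_dir = Path(ext_dir)
    result = {"version": None, "version_match": False, "domain_hits": []}
    manifest = ext_dir / "manifest.json"
    if manifest.is_file():
        with manifest.open(encoding="utf-8") as fh:
            result["version"] = json.load(fh).get("version")
        result["version_match"] = result["version"] == COMPROMISED_VERSION
    for path in sorted(ext_dir.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for match in _IOC_RE.finditer(text):
            rel = str(path.relative_to(ext_dir))
            result["domain_hits"].append((rel, match.group(1).lower()))
    return result


def build_sample_extension():
    """Constructed sample (not a real extension): a manifest pinned to the
    compromised version and one script that beacons to an IOC domain."""
    d = Path(tempfile.mkdtemp(prefix="ext_sample_"))
    (d / "manifest.json").write_text(json.dumps({"name": "sample", "version": COMPROMISED_VERSION}))
    (d / "background.js").write_text('fetch("https://api.metrics-trustwallet.com/v1/collect");\n')
    (d / "clean.js").write_text("console.log('no indicators here');\n")
    return d


if __name__ == "__main__":
    print(scan_extension_dir(build_sample_extension()))
```

A clean installation should report `version_match` false and an empty `domain_hits` list; any hit on either domain warrants treating the host's wallet secrets as exposed.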

Affected products:

Trust Wallet Chrome Extension version 2.68.0
NPM packages (800+ packages affected by Shai-Hulud)
Chrome Web Store
GitHub repositories (30,000+ affected)

Related links:

Related CVEs:

Related threat actors:

IOCs:

metrics-trustwallet.com, api.metrics-trustwallet.com, Trust Wallet Chrome Extension version 2.68.0

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
