Trust Wallet Links A Massive $8.5M Theft To Shai-Hulud 2.0

In late 2025 and early 2026, Trust Wallet, one of the world's most widely used noncustodial cryptocurrency wallets, confirmed that its Chrome browser extension played a central role in a devastating series of supply chain attacks. These attacks were tied to Shai-Hulud, a sophisticated malware campaign that has impacted both the developer ecosystem and user wallets.

The breaches highlighted not just the risks of software supply chains but also the unique vulnerabilities of browser extensions that manage sensitive cryptographic key material.


At the end of December 2025, Trust Wallet announced that a malicious version of its Chrome browser extension had resulted in the theft of approximately $8.5 million in cryptocurrency from over 2,500 individual wallets. Investigators found that attackers had published a backdoored extension (version 2.68) on the Chrome Web Store. This extension contained logic that allowed it to steal wallet seed phrases and trigger unauthorized transfers.

The company later linked this incident to the Shai-Hulud 2.0 supply chain attack. In this large-scale campaign, attackers inserted malicious code into thousands of NPM (Node Package Manager) packages. As a result, vast quantities of developer credentials and secrets were exposed, including Trust Wallet's own GitHub developer secrets. These leaks allowed attackers to obtain the Chrome Web Store API key and publish unauthorized extension builds.

According to Trust Wallet's official update, once attackers had access to internal GitHub credentials and the API key, they bypassed the wallet's normal release review process entirely. By exploiting this access, they uploaded a tampered extension build that passed Chrome's automated review and was made available to users. The compromised code siphoned sensitive information from every wallet linked to the extension.

In response, Trust Wallet revoked all publishing credentials and immediately released a clean build (version 2.69). The company urged users to upgrade and transfer funds out of potentially compromised wallets. Trust Wallet also launched a reimbursement process for confirmed victims. It warned that fraudulent claims and scams might arise in the aftermath of the incident.

The Chrome extension is a hot wallet interface. It lets users interact with decentralized applications (dApps), manage multiple blockchain assets, and authorize blockchain transactions. Because of its privileged position — with access to wallet data — any compromise in the extension's integrity puts user funds at risk.

On December 24, 2025, Trust Wallet's version 2.68 was released. It contained malicious JavaScript code hidden in its bundled files. This code was designed to exfiltrate sensitive wallet data, particularly the seed phrases that serve as the "master key" to a user's cryptocurrency assets. Once a user logged into the extension with this version installed, the code scraped and transmitted seed phrases to attacker-controlled infrastructure. This effectively gave attackers full control over users' wallets.

Trust Wallet only confirmed the breach after widespread reports on social media and warnings from security analysts. Users learned their funds were being drained shortly after extension interactions. Trust Wallet's founder Changpeng Zhao (CZ) said the company would cover user losses under its "SAFU" (Secure Asset Fund for Users) protection policy. However, precise figures were initially unclear.

Further investigation showed that attackers also ran phishing campaigns in parallel with the extension compromise. These campaigns directed users to spoofed sites that impersonated Trust Wallet, allowing them to harvest more seed phrases. Security investigators linked the malicious extension's behavior to domains registered specifically for exfiltrating wallet credentials.

Trust Wallet's community update confirmed that only users of version 2.68 who logged in between December 24 and December 26, 2025, were affected by the breach. Mobile app users and those on other extension versions were not impacted. However, the attack's reach was significant because of the large number of Chrome extension users.

Shai-Hulud Refresher

The Shai-Hulud supply chain campaign, sometimes stylized Sha1-Hulud, emerged in late 2025 as a striking example of how software dependency ecosystems can be weaponized. It leveraged NPM, a repository of JavaScript libraries used by millions of developers worldwide, to systematically infiltrate developer environments.

Shai-Hulud 2.0 was a self-propagating worm that infected hundreds of NPM packages. It spread rapidly by appending malicious payloads. These payloads harvested environment variables, cloud credentials, CI/CD secrets, and other sensitive developer artifacts. Analysts traced thousands of compromised packages and tens of thousands of new GitHub repositories containing stolen secrets.

According to cybersecurity researchers at Wiz, the Shai-Hulud incident was not a one-off breach. Instead, it was an evolving threat that stayed active longer than other worm-style supply chain attacks. Although mitigation efforts reduced infection rates, new compromised repositories continued to emerge months after the first outbreak.

Wiz's post-incident analysis highlighted several key observations about the campaign's behavior and impacts:

  • Infection Trends: Shai-Hulud continued to create compromised artifacts even after containment efforts, indicating sustained activity and resilience.
  • Victimology: Most of the compromised resources were tied to Linux environments and automated CI/CD runners, reflecting the deep integration of NPM dependencies in development pipelines.
  • Leaked Secrets: The worm's payload exfiltrated vast quantities of credentials, including NPM tokens and GitHub secrets, many of which remained valid and posed ongoing risks for further exploitation.

Experts warn that this attack shows the systemic dangers of insecure or poorly vetted software dependencies. This is especially true in large ecosystems like NPM, where even minor packages can have cascading effects. The campaign also demonstrated how credential-harvesting can indirectly compromise high-value targets, such as cryptocurrency infrastructure.

Industry commentators have highlighted several lessons from Shai-Hulud and the Trust Wallet incident. First, developers and organizations must adopt stronger credential hygiene and regular rotation to limit fallout from leaks. Second, they need more rigorous supply chain security tools, including automation to scan for malicious or strange packages. These measures can catch compromised dependencies before they propagate.
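The two ingredients the article describes, a worm that rides npm install-time hooks into developer machines and CI runners, and the call for automated scanning of dependencies, can be turned into a small pre-merge gate. The script below is an added illustration, not code from Trust Wallet, Wiz or the Shai-Hulud analyses; the package names, the lockfile contents and the "public registry only" policy are constructed assumptions.

```python
from urllib.parse import urlparse

# Hooks npm runs automatically during `npm install`; a worm that wants to
# execute on developer machines and CI runners has to use one of these.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Markers that a hook executes or downloads code rather than just building.
EXEC_MARKERS = ("node ", "curl ", "wget ", "bash ", "sh ", "eval", "base64")
TRUSTED_REGISTRY = "registry.npmjs.org"  # assumed policy: public registry only


def audit_manifest(name: str, manifest: dict) -> list[str]:
    """Findings for one package.json (already parsed into a dict)."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{name}: {hook} hook runs {cmd!r} on every install")
        hits = [m.strip() for m in EXEC_MARKERS if m in cmd]
        if hits:
            findings.append(f"{name}: {hook} hook invokes {', '.join(hits)}")
    return findings


def audit_lockfile(lock: dict) -> list[str]:
    """Findings for a package-lock.json (v2/v3) 'packages' map."""
    findings = []
    for path, entry in (lock.get("packages") or {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if resolved and host != TRUSTED_REGISTRY:
            findings.append(f"{name}: resolved from untrusted host {host!r}")
        if not entry.get("integrity"):
            findings.append(f"{name}: no integrity hash, tarball unverifiable")
    return findings


# Constructed samples, not real packages.
CLEAN = {"name": "tidy-lib", "scripts": {"test": "jest"}}
DIRTY = {"name": "some-util", "scripts": {"preinstall": "node setup_runtime.js"}}
LOCK = {"packages": {
    "": {"name": "app"},
    "node_modules/a": {"version": "1.0.0", "integrity": "sha512-AAAA",
                       "resolved": "https://registry.npmjs.org/a/-/a-1.0.0.tgz"},
    "node_modules/b": {"version": "2.0.0",
                       "resolved": "https://example.invalid/b-2.0.0.tgz"}}}
```

Run over a real tree, every flagged line is a package to review by hand before it reaches a runner that holds publishing credentials; install hooks are legitimate in some native-addon packages, so the gate is a triage list, not a verdict.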

Ultimately, the incident highlighted the unique vulnerabilities of browser-based wallet extensions in the cryptocurrency space. When extension code is compromised, seed phrases and private keys can be exposed, putting user funds at high risk.

Following the Shai-Hulud campaigns, the industry began working to strengthen NPM security practices, enhance incident response, and share intelligence about new threats more quickly. Discussions among security professionals now reflect not just the technical challenges of supply chain defense, but also the economic and trust concerns for users navigating decentralized technologies.

Karolis Liucveikis
