
"Trust Wallet on Tuesday revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets. 'Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,' the company said in a post-mortem published Tuesday."
"The first wallet-draining activity was publicly reported a day after the malicious update. Trust Wallet has since initiated a reimbursement claim process for impacted victims. The company noted that reviews of submitted claims are ongoing and are being handled on a case-by-case basis. It also stressed that processing times may vary with each case due to the need to distinguish between victims and bad actors, and further protect against fraud."
Developer GitHub secrets were exposed, giving attackers access to browser extension source code and the Chrome Web Store API key. The leaked key allowed direct uploads of builds, bypassing Trust Wallet's internal approval and manual review processes. The attacker registered metrics-trustwallet[.]com and pushed a trojanized extension with a backdoor that harvested mnemonic phrases and exfiltrated them to api.metrics-trustwallet[.]com. A malicious update (version 2.68) was pushed on December 24, 2025, prompting an update to version 2.69. Approximately $8.5 million was drained from 2,520 wallets into at least 17 attacker-controlled addresses, and a reimbursement claims process is underway with case-by-case reviews to prevent fraud.
Read at The Hacker News
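
A defender-side triage sketch for the indicators in the summary above, added here and not taken from Trust Wallet or The Hacker News: it flags DNS queries to the exfiltration domain and inventory records that report extension version 2.68. The log layout, the inventory fields and matching on the display name "Trust Wallet" are assumptions.

```python
# Indicators come from the summary above; log and inventory layouts are assumed.
BAD_VERSION = "2.68"

def refang(host):
    """Undo [.] defanging, lowercase, and drop the DNS root dot."""
    return host.replace("[.]", ".").strip().rstrip(".").lower()

IOC_DOMAIN = refang("metrics-trustwallet[.]com")

def is_ioc_host(host):
    """Match the domain or any subdomain, never a look-alike that merely contains it."""
    h = refang(host)
    return h == IOC_DOMAIN or h.endswith("." + IOC_DOMAIN)

def flag_dns(lines):
    """Return (client, qname) for 'timestamp client qname' lines that hit the IoC."""
    rows = (line.split() for line in lines)
    return [(r[1], refang(r[2])) for r in rows if len(r) == 3 and is_ioc_host(r[2])]

def version_key(v):
    """Parse '2.68' or '2.68.0' into a tuple so trailing zeros do not hide a match."""
    nums = [int(p) for p in v.strip().split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def flag_extensions(inventory):
    """Return hosts reporting the Trust Wallet extension at the malicious version."""
    return sorted(r["host"] for r in inventory
                  if "trust wallet" in r["name"].lower()
                  and version_key(r["version"]) == version_key(BAD_VERSION))

# Constructed sample data (not real telemetry).
SAMPLE_DNS = [
    "2025-12-25T08:01:02Z 10.0.0.5 api.metrics-trustwallet.com.",
    "2025-12-25T08:01:03Z 10.0.0.6 API.Metrics-TrustWallet.com",
    "2025-12-25T08:01:04Z 10.0.0.7 metrics-trustwallet.com.example.net",
    "2025-12-25T08:01:05Z 10.0.0.8 notmetrics-trustwallet.com",
]
SAMPLE_INVENTORY = [
    {"host": "wks-01", "name": "Trust Wallet", "version": "2.68"},
    {"host": "wks-02", "name": "Trust Wallet", "version": "2.69"},
    {"host": "wks-03", "name": "Trust Wallet", "version": "2.68.0"},
    {"host": "wks-04", "name": "Other Extension", "version": "2.68"},
]

if __name__ == "__main__":
    print(flag_dns(SAMPLE_DNS), flag_extensions(SAMPLE_INVENTORY))
```

Hosts that appear in either result ran the build that harvested mnemonic phrases, so any wallet whose phrase was entered there should be treated as exposed.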