
Trust Wallet Hack: $8.5M Drained via Shai-Hulud Supply Chain Attack


These articles are AI-generated summaries. Please check the original sources for full details.

Trust Wallet Chrome Extension Hack

Trust Wallet confirmed that a supply chain attack linked to the Shai-Hulud campaign compromised its Chrome extension, resulting in the theft of $8.5 million from 2,520 wallets. The attacker gained access through exposed GitHub secrets and used the Chrome Web Store API to deploy a malicious update.

Why This Matters

Secure software delivery depends on trustworthy dependencies and robust access controls, but in practice both frequently fall short. The Trust Wallet incident highlights how damaging a supply chain attack can be once a compromised component reaches users: in this case, $8.5 million in stolen cryptocurrency.

Key Insights

  • Shai-Hulud Campaign, 2025: A widespread software supply chain attack targeting multiple sectors, including cryptocurrency.
  • GitHub Secrets Exposure: Leaked developer credentials enabled unauthorized access to source code and the Chrome Web Store API.
  • Chrome Web Store API Abuse: Attackers bypassed standard release processes by directly uploading malicious builds using the compromised API key.

Practical Applications

  • Use Case: Cryptocurrency wallet providers like Trust Wallet must implement stringent security measures for their browser extensions, including robust secret management and release validation.
  • Pitfall: Relying solely on automated build and deployment pipelines without sufficient manual review and monitoring can create opportunities for attackers to inject malicious code.
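
One way to implement the release validation mentioned above is to record a per-file hash manifest when the trusted pipeline builds the extension, then compare whatever package is live in the store against it. The sketch below is an added example, not code from Trust Wallet or the original article; the function names and the sample packages are hypothetical and constructed for illustration.

```python
import hashlib, io, json, zipfile

def build_manifest(package: bytes) -> dict:
    """Map each file in an extension ZIP to its SHA-256, plus the manifest.json version."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        files = {n: hashlib.sha256(z.read(n)).hexdigest()
                 for n in sorted(z.namelist()) if not n.endswith("/")}
        version = json.loads(z.read("manifest.json"))["version"]
    return {"version": version, "files": files}

def diff_release(recorded: dict, published: bytes) -> list:
    """Return findings where the published package departs from the recorded build."""
    live = build_manifest(published)
    findings = []
    if live["version"] != recorded["version"]:
        findings.append(f"version {live['version']} was not produced by the pipeline "
                        f"(expected {recorded['version']})")
    for name in sorted(set(recorded["files"]) | set(live["files"])):
        want, got = recorded["files"].get(name), live["files"].get(name)
        if want is None:
            findings.append(f"unexpected file: {name}")
        elif got is None:
            findings.append(f"missing file: {name}")
        elif want != got:
            findings.append(f"modified file: {name}")
    return findings

def _make_zip(entries: dict) -> bytes:
    """Constructed sample input: build an extension ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not taken from the incident.
TRUSTED = _make_zip({"manifest.json": '{"version": "1.0.0"}',
                     "background.js": "console.log('wallet');"})
TAMPERED = _make_zip({"manifest.json": '{"version": "1.0.1"}',
                      "background.js": "console.log('wallet');",
                      "analytics.js": "/* not in the reviewed source */"})

if __name__ == "__main__":
    recorded = build_manifest(TRUSTED)   # stored by CI at release time
    for finding in diff_release(recorded, TAMPERED):
        print("ALERT:", finding)
```

The check assumes the published package has already been retrieved as ZIP bytes by a monitor that runs outside the release pipeline and does not share its credentials. Any entries the store adds to a package itself would need to be allow-listed before comparison.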
