Trust Wallet revealed on Tuesday that a second supply chain Shai Huld (also known as Sha1 Huld) outbreak in November 2025 was likely responsible for the hacking of its Google Chrome extension, ultimately resulting in approximately $8.5 million in assets being stolen.
“This attack exposed the secrets of our developer GitHub, allowing the attacker to access our browser extension source code and Chrome Web Store (CWS) API keys,” the company said in a post-mortem published Tuesday.
“Through the compromised keys, the attacker gained full access to the CWS API and was able to upload builds directly without going through Trust Wallet’s standard release process, which requires internal approvals and manual reviews.”
The attackers then allegedly registered the domain ‘metrics-trustwallet’.[.]com” and pushed a trojanized version of the extension to the subdomain “api.metrics-trustwallet” with a backdoor that could collect mnemonic phrases from users’ wallets.[.]com”
This disclosure comes days after Trust Wallet urged approximately 1 million users of its Chrome extension to update to version 2.69 after a malicious update (version 2.68) was pushed to the browser extension marketplace by an unknown threat actor on December 24, 2025.
The security incident ultimately resulted in the exfiltration of $8.5 million in cryptocurrency assets from 2,520 wallet addresses to 17 wallet addresses controlled by the attackers. The first wallet exfiltration activity was publicly reported the day after the malicious update.
Trust Wallet has since initiated a recourse process for affected victims. The company said its review of the submitted claims is ongoing and will be handled on a case-by-case basis. It also emphasized that processing times may vary from case to case, as victims need to be differentiated from malicious actors and additional protection against fraud is required.
To prevent such a breach from occurring again, Trust Wallet said it has implemented additional monitoring and controls related to the release process.
“Sha1-Hulud was an industry-wide software supply chain attack that impacted companies across multiple sectors, including but not limited to cryptocurrencies,” the company said. “This involved the introduction and distribution of malicious code through commonly used developer tools, which allowed attackers to gain access through trusted software dependencies rather than directly targeting individual organizations.”
The disclosure of Trust Wallet coincides with the arrival of Shai-Hulud 3.0, which has enhanced obfuscation and improved reliability, but is still focused on stealing secrets from developers’ machines.
“The main differences are in string obfuscation, error handling, and Windows compatibility, all of which are aimed at extending the lifespan of campaigns rather than introducing new exploitation techniques,” said Upwind researchers Guy Gilad and Moshe Hassan.
Source link
