What happened
The Trust Wallet theft in late December 2025 was linked to the industry-wide Shai-Hulud attack in November. The attackers published a malicious version (v2.68) of the Trust Wallet Chrome browser extension that stole cryptocurrency from users' wallets by harvesting sensitive wallet data and enabling unauthorized transfers. The breach affected over 2,500 wallets and resulted in roughly $8.5 million in stolen assets. Trust Wallet traced the compromise to exposed developer GitHub secrets that gave the attackers access to the extension's source code and the Chrome Web Store API key, letting them publish the malicious build while bypassing the normal release process.
Who is affected
Users of the Trust Wallet Chrome browser extension who installed or updated to the compromised version 2.68 between December 24 and December 26, 2025 were at risk. The malicious extension siphoned seed phrases and other sensitive data, enabling attackers to drain funds across multiple blockchain networks, including Ethereum, Bitcoin, and Solana. Trust Wallet has urged affected users to update to the secure version 2.69 and has started a reimbursement process, while warning of ongoing phishing scams that exploit the incident.
Why CISOs should care
This breach underscores the critical dangers of supply chain vulnerabilities in widely used software components such as browser extensions and npm packages. The Shai-Hulud supply chain attack, which exposed developer secrets industry-wide, provided the initial foothold that enabled the Trust Wallet compromise. For CISOs, this highlights how leaks of developer credentials and insecure CI/CD processes can cascade into large-scale financial and reputational damage, even for established platforms with large user bases.
3 practical actions
- Secure Developer Secrets: Implement secret vaults, strict access controls, and automated rotation for API keys, GitHub tokens, and other credentials to reduce the risk of exposure through supply chain attacks.
- Harden Software Supply Chains: Enforce rigorous code reviews, dependency scanning, and integrity checks within CI/CD pipelines to detect malicious or tampered packages before release.
- Monitor & Respond: Deploy real-time monitoring for anomalous extension updates and marketplace submissions, and prepare incident response plans that include rapid rollback and user notification procedures for compromised releases.
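The third action in practice: a store publish that no CI release run can vouch for is exactly the signal a stolen Web Store API key produces. The check below is an added illustration, not Trust Wallet's code; it assumes two constructed feeds (store publish events and the pipeline's own release records) and uses placeholder hashes.

```python
"""Flag extension-store publishes that cannot be traced to an authorized CI release.

Added example for the 'Monitor & Respond' action; not Trust Wallet's tooling.
Assumes a watcher that records store publish events and a CI pipeline that
logs every release it built, each with the SHA-256 of the uploaded package.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StorePublish:
    version: str
    publisher: str        # store account that uploaded the package
    package_sha256: str   # hash of the package as seen on the store


@dataclass(frozen=True)
class CiRelease:
    version: str
    pipeline_run: str     # id of the CI run that built the package
    package_sha256: str   # hash of the artifact the pipeline produced


def audit_publishes(publishes, ci_releases, allowed_publishers):
    """Return (version, reason) pairs for every publish that fails provenance checks.

    Note that a publish made with a stolen API key arrives under the legitimate
    publisher account, so the account check alone is not enough; the decisive
    test is whether a CI run produced an artifact with the same hash.
    """
    by_version = {r.version: r for r in ci_releases}
    findings = []
    for p in publishes:
        if p.publisher not in allowed_publishers:
            findings.append((p.version, f"unexpected publisher account {p.publisher!r}"))
            continue
        rel = by_version.get(p.version)
        if rel is None:
            findings.append((p.version, "no CI release record for this version"))
        elif rel.package_sha256 != p.package_sha256:
            findings.append((p.version, "published package hash differs from CI artifact"))
    return findings


# Constructed sample feeds; hashes are placeholders, not real values.
SAMPLE_PUBLISHES = [
    StorePublish("2.68", "release-bot", "sha256-PLACEHOLDER-malicious"),  # no CI run behind it
    StorePublish("2.69", "release-bot", "sha256-PLACEHOLDER-clean"),
]
SAMPLE_CI = [
    CiRelease("2.69", "run-PLACEHOLDER", "sha256-PLACEHOLDER-clean"),
]

if __name__ == "__main__":
    for version, reason in audit_publishes(SAMPLE_PUBLISHES, SAMPLE_CI, {"release-bot"}):
        print(f"ALERT: version {version}: {reason}")
```

Wire the alert to an incident workflow that pulls the release and notifies users, since the time between an unauthorized publish and auto-update on users' browsers is the window that matters.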
