Trust Wallet has confirmed that its Google Chrome extension was compromised in a second iteration of the Shai-Hulud supply chain attack, which occurred in November 2025. The breach ultimately resulted in the theft of approximately $8.5 million in cryptocurrency assets from 2,520 wallet addresses. According to a post-mortem shared by the company, the attacker gained access after developer GitHub secrets were exposed, which yielded both the browser extension source code and the Chrome Web Store API key. With the API key, the threat actor could upload malicious builds directly, bypassing Trust Wallet’s standard internal approval and manual review processes.
Following the breach, the attacker registered the domain “metrics-trustwallet[.]com” and deployed a trojanized version of the extension containing a backdoor capable of harvesting users’ wallet mnemonic phrases. Cybersecurity company Koi reported that the malicious code activates every time a wallet is unlocked, rather than only during seed phrase imports. The code captures data across all wallets in an account and stores seed phrases in a field labeled errorMessage within what appears to be standard unlock telemetry. Researchers noted that even wallets protected by passwords or biometric authentication were affected, highlighting the scale of the compromise.
The malicious domain used by the attacker, resolving to IP address 138.124.70.40, is hosted on Stark Industries Solutions, a bulletproof hosting provider incorporated in the U.K. in early 2022. Koi noted that the infrastructure was staged over two weeks before the malicious update went live on December 24, 2025, indicating a well-planned operation rather than an opportunistic attack. As a further signature of the campaign, querying the server returned the response “He who controls the spice controls the universe,” a reference also observed in the previous Shai-Hulud npm supply chain incident. Trust Wallet had already urged roughly one million users to update to version 2.69 after the malicious update was distributed to the Chrome Web Store.
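The two paragraphs above describe the exfiltration pattern (seed phrases hidden in an `errorMessage` field of otherwise ordinary unlock telemetry, sent to an attacker-controlled host) and the infrastructure indicators reported for it. The following detection script is an added example written for this article, not code from Trust Wallet or Koi. It scans outbound telemetry events captured as JSON lines and flags three signals: a destination matching the published indicators, an `errorMessage` populated on an unlock that reports success, and any string field shaped like a BIP-39 mnemonic. The sample events, the vendor hostname `telemetry.example-wallet.com`, and the mnemonic-shape heuristic (word count and word length only, no wordlist or checksum check) are all constructed assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Indicators taken from the reporting above (the domain is defanged in the
# article; it is written plainly here so it matches a parsed hostname).
IOC_HOSTS = {"metrics-trustwallet.com", "138.124.70.40"}

# Heuristic for a BIP-39 mnemonic: 12/15/18/21/24 lowercase words, each 3-8
# letters (the bounds of the BIP-39 wordlist). Assumption: a production check
# would also verify each word against the 2048-word list and the checksum.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")

# Constructed sample telemetry: two benign unlock events and one that mimics
# the reported backdoor traffic. The mnemonic is the well-known all-"abandon"
# style test vector (first twelve wordlist entries), not a real wallet.
SAMPLE_TELEMETRY = [
    '{"url":"https://telemetry.example-wallet.com/v1/unlock",'
    '"body":{"event":"wallet_unlock","status":"ok","errorMessage":""}}',
    '{"url":"https://telemetry.example-wallet.com/v1/unlock",'
    '"body":{"event":"wallet_unlock","status":"error",'
    '"errorMessage":"keystore decrypt failed: wrong password"}}',
    '{"url":"https://metrics-trustwallet.com/collect",'
    '"body":{"event":"wallet_unlock","status":"ok","errorMessage":'
    '"abandon ability able about above absent absorb abstract absurd abuse access accident"}}',
]


def looks_like_mnemonic(value):
    """True if a string has the shape of a BIP-39 mnemonic (heuristic only)."""
    if not isinstance(value, str):
        return False
    words = value.strip().split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def _walk(obj, path=""):
    """Yield (dotted_path, leaf_value) for every leaf in a nested JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk(val, f"{path}[{idx}]")
    else:
        yield path, obj


def scan_event(event):
    """Return the list of reasons one outbound telemetry event is suspicious."""
    reasons = []
    host = (urlparse(event.get("url", "")).hostname or "").lower()
    if host in IOC_HOSTS:
        reasons.append(f"destination {host} matches a known indicator")
    body = event.get("body", {})
    # A successful unlock has no business reporting an error string.
    if body.get("status") == "ok" and body.get("errorMessage"):
        reasons.append("errorMessage populated on a successful unlock")
    # Seed phrases can be hidden in any field, so inspect every leaf.
    for path, value in _walk(body):
        if looks_like_mnemonic(value):
            reasons.append(f"mnemonic-shaped text in field {path}")
    return reasons


def scan_telemetry(lines):
    """Parse JSON-lines telemetry and return [(line_no, reasons)] for hits."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            findings.append((line_no, ["unparseable telemetry line"]))
            continue
        reasons = scan_event(event)
        if reasons:
            findings.append((line_no, reasons))
    return findings


if __name__ == "__main__":
    for line_no, reasons in scan_telemetry(SAMPLE_TELEMETRY):
        print(f"line {line_no}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed sample, only the third event is reported, with all three reasons. The destination check is the cheapest signal but only catches infrastructure already known; the mnemonic-shape and "error on success" checks are what would have caught this traffic before the domain was published, at the cost of some false positives on genuinely long error strings, which is why the two are reported separately rather than folded into one verdict.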
To mitigate the impact of the incident, Trust Wallet has launched a reimbursement claim process for affected users, with reviews handled on a case-by-case basis to prevent fraud and differentiate victims from potential malicious actors. The company has also strengthened monitoring and controls for its release processes to prevent similar breaches in the future. Trust Wallet described Shai-Hulud as an industry-wide supply chain attack affecting multiple sectors, leveraging trusted software dependencies to infiltrate organizations rather than targeting them directly. Security researchers note that Shai-Hulud 3.0 has emerged with enhanced obfuscation, improved reliability, and broader compatibility, continuing its focus on harvesting developer secrets while maintaining the same exploitation techniques as previous iterations.