Trust Wallet Finally Identifies Culprits Behind $8.5 Million Theft

Attackers spent years laying the groundwork for this stealthy attack.

A major supply chain compromise campaign known as Shai-Hulud has been linked to the recent theft of approximately $8.5 million in cryptocurrency from over 2,500 Trust Wallet users. The company's team concluded that the incident, which occurred in December, was a continuation of a large-scale attack on the npm ecosystem that began last fall.
The investigation determined that the attackers gained access to the source code of the Trust Wallet browser extension for Chrome and to the API key used to publish its updates. That access came from developer secrets leaked through GitHub as a result of the Shai-Hulud operators' activity. With it, the perpetrators uploaded a malicious version of the extension capable of harvesting sensitive data from users' wallets and conducting unauthorized transactions.
The company also confirmed that domains used in the attacks were specifically registered to distribute the malicious code. The discovered resources were promptly provided to the registrar and blocked to limit the further spread of the threat. Concurrently, Trust Wallet revoked access to all APIs related to releasing new versions of the extension and began compensating users affected by the breach.
The Shai-Hulud campaign, which provided the backdrop for this incident, represents one of the largest known cases of npm package compromise. According to experts, about 180 packages were infected in the initial stage of the attack. Later, upon transitioning to the second phase, the number of malicious libraries exceeded 27,000. These were used to steal developer keys and secrets, with the obtained data being posted to thousands of repositories on GitHub.
In total, approximately 400,000 pieces of confidential data were compromised, including access tokens and CI/CD system keys. A significant portion of them remained active months after the attack. According to research teams, the level of organization and technical sophistication behind Shai-Hulud suggests that further attempts to exploit the npm and GitHub ecosystems are likely, including reuse of the already collected trove of stolen data.
Trust Wallet, which had not previously linked the incident directly to the supply chain attack, now emphasizes that the attackers' actions were part of a broader campaign affecting the wider developer community. This bears out concerns about the downstream consequences of leaks caused by the compromise of open-source infrastructure components.