Ethical Hacking News

The Shai-Hulud Supply-Chain Attack: A Crypto Heist of Epic Proportions



The Shai-Hulud supply-chain attack, first disclosed in November 2025, was a devastating breach that compromised Trust Wallet's Chrome extension, allowing hackers to steal sensitive wallet data. The recent incident, which occurred just before Christmas, appears to have been carried out by the same attackers, who used the same tactics and techniques as the original attack. Approximately $8.5 million in crypto assets were stolen, highlighting the vulnerability of software updates and the importance of ensuring that third-party vendors are thoroughly vetted.

  • Trust Wallet was targeted by a second Shai-Hulud supply-chain attack, resulting in the theft of approximately $8.5 million in crypto assets.
  • The attack compromised Trust Wallet's Chrome extension and allowed hackers to steal sensitive wallet data, including seed phrases and biometric authentication credentials.
  • Malicious code was embedded in Trust Wallet's Chrome extension v2.68 using a leaked API key, which exfiltrated sensitive data from users' wallets.
  • The attack used DNS poisoning to trick users into visiting a malicious website that hosted the stolen wallet data.
  • Trust Wallet has rolled back the compromised Chrome extension and is working with blockchain analytics partners to track stolen funds.



    In a recent development that has sent shockwaves through the cryptocurrency community, Trust Wallet has confirmed that it was indeed targeted by a second Shai-Hulud supply-chain attack. The attack, which is believed to have resulted in the theft of approximately $8.5 million in crypto assets, highlights the vulnerability of software updates and the importance of ensuring that third-party vendors are thoroughly vetted.

    The Shai-Hulud attack, first disclosed in November 2025, was a devastating breach that compromised Trust Wallet's Chrome extension, allowing hackers to steal sensitive wallet data. The recent incident, which occurred just before Christmas, appears to have been carried out by the same attackers, who used the same tactics and techniques as the original attack.

    According to reports from cybersecurity firm Koi, the attackers embedded malicious code in Trust Wallet's Chrome extension v2.68, which was uploaded to the Chrome Web Store using a leaked API key. The malicious code was designed to exfiltrate sensitive data from users' wallets, including seed phrases and biometric authentication credentials.

    The attack was carried out with remarkable sophistication, with hackers using a technique called DNS poisoning to trick users into visiting a malicious website that hosted the stolen wallet data. This allowed attackers to collect sensitive information without the user's knowledge or consent.

    Trust Wallet has since acknowledged the attack and rolled back the compromised Chrome extension to version 2.69, disabling publishing access and restricting deployments. The company has also coordinated with blockchain analytics partners to track stolen funds and issued guidance to users on how to protect themselves from similar attacks in the future.

    The Shai-Hulud supply-chain attack is just one of several high-profile breaches that have targeted Trust Wallet in recent months. The company's vulnerability to these types of attacks highlights the need for greater vigilance and cybersecurity awareness among software developers and users alike.

    In a statement, Trust Wallet's developer, Pierluigi Paganini, acknowledged the attack and pledged ongoing updates to protect users from future incidents. "To protect users from confusion or unsafe behaviors, we prioritized replacing the vulnerable browser extension with a safe version before making a public announcement," he said. "So affected users could update securely while minimizing their potential exposure to the hack and lost funds."

    The Shai-Hulud supply-chain attack is a stark reminder of the importance of cybersecurity and the need for software developers to take proactive steps to protect against vulnerabilities. As the cryptocurrency market continues to grow and evolve, it's essential that users remain vigilant and take steps to safeguard their assets.

    In related news, cybersecurity firm Koi has revealed that malicious code embedded in Trust Wallet extension v2.68 activates on every unlock, not only during seed phrase import. This allowed attackers to exfiltrate sensitive data regardless of whether users authenticated via password or biometrics, and even if the wallet was opened only once after the update.

    Furthermore, cybersecurity firm Koi has identified that the malicious code iterated through all wallets in an account, compromising every configured wallet. Seed phrases were covertly embedded in an "errorMessage" field disguised as routine unlock telemetry, making the activity hard to spot in casual reviews.

    Data was sent to metrics-trustwallet[.]com, resolving to an IP hosted by Stark Industries Solutions, a bulletproof hosting provider with links to Russian cyber operations.

    "The exfiltration domain metrics-trustwallet.com resolved to IP address 138.124.70.40, running nginx/1.24.0 on Ubuntu," reads the report published by cybersecurity firm Koi. "The IP is hosted on Stark Industries Solutions (AS44477), a bulletproof hosting provider based in Ukraine that has previously been associated with cybercriminal infrastructure."
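    The two indicators Koi describes above, a look-alike exfiltration host and seed phrases hidden in an "errorMessage" field that passes for unlock telemetry, are both things an egress proxy or browser-telemetry log review can check for. The following is an added example, not code from Koi, Trust Wallet or the original article: a small Python detector that flags outbound extension requests whose destination is not under the vendor's real domain (the allow-list suffix is an assumption for this example) and whose JSON body contains a string shaped like a BIP39 mnemonic (12 to 24 lowercase words of 3 to 8 letters). The sample events are constructed; the twelve words in the suspect event are simply the first twelve BIP39 words, not a real wallet.

```python
import json
import re
from typing import Iterator, Optional, Tuple

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words long.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
# Every word in the BIP39 English list is 3 to 8 lowercase letters.
WORD_RE = re.compile(r"^[a-z]{3,8}$")

# Assumption for this example: extension telemetry may only go to the
# vendor's own domain and its real subdomains.
ALLOWED_TELEMETRY_SUFFIXES = ("trustwallet.com",)


def host_is_allowed(host: str) -> bool:
    """True only for the exact domain or a genuine subdomain of it.
    A look-alike such as metrics-trustwallet.com fails because the
    character before the suffix is '-' rather than '.'."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in ALLOWED_TELEMETRY_SUFFIXES)


def looks_like_mnemonic(text: str, wordlist: Optional[set] = None) -> bool:
    """Heuristic: a mnemonic-length run of lowercase 3-8 letter words.
    If a BIP39 wordlist (set of words) is supplied, every word must be in it,
    which removes most false positives from ordinary English sentences."""
    words = text.strip().split()
    if len(words) not in MNEMONIC_LENGTHS:
        return False
    if not all(WORD_RE.match(w) for w in words):
        return False
    return wordlist is None or all(w in wordlist for w in words)


def walk_strings(obj, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string anywhere in a JSON object,
    so a secret hidden in any nested field is still examined."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk_strings(value, f"{path}[{index}]")


def analyze_event(event: dict, wordlist: Optional[set] = None) -> list:
    """Return a list of findings (empty when the request looks benign)."""
    findings = []
    host = event.get("host", "")
    if not host_is_allowed(host):
        findings.append(f"destination '{host}' is not an approved telemetry host")
    raw = event.get("body", "")
    try:
        body = json.loads(raw)
    except (TypeError, ValueError):
        body = raw  # non-JSON body: scan it as a single string
    for path, value in walk_strings(body):
        if looks_like_mnemonic(value, wordlist):
            findings.append(f"{path} holds a {len(value.split())}-word mnemonic-shaped string")
    return findings


def scan_events(events, wordlist: Optional[set] = None) -> dict:
    """Map each event id to its findings."""
    return {e["id"]: analyze_event(e, wordlist) for e in events}


# Constructed sample of outbound extension requests as an egress proxy might log them.
SAMPLE_EVENTS = [
    {"id": "legit-1", "host": "api.trustwallet.com",
     "body": json.dumps({"event": "unlock", "ok": True})},
    {"id": "legit-2", "host": "api.trustwallet.com",
     "body": json.dumps({"event": "unlock", "ok": False,
                         "errorMessage": "Vault decryption failed: incorrect password."})},
    # The "errorMessage" below is the first twelve BIP39 words, a stand-in, not a real wallet.
    {"id": "suspect-1", "host": "metrics-trustwallet.com",
     "body": json.dumps({"event": "unlock", "ok": False,
                         "errorMessage": "abandon ability able about above absent "
                                         "absorb abstract absurd abuse access accident"})},
]

if __name__ == "__main__":
    for event_id, findings in scan_events(SAMPLE_EVENTS).items():
        print(f"{event_id}: {'ALERT' if findings else 'ok'}")
        for finding in findings:
            print(f"    - {finding}")
```

    Run against the constructed sample, the two legitimate unlock events produce no findings, while the suspect event is flagged twice: once for the look-alike destination and once for the mnemonic-shaped `$.errorMessage` value. The word-shape rule alone will occasionally match a twelve-word English sentence, so in a real pipeline pass the BIP39 wordlist to `scan_events` and treat the host check as the primary signal; a wallet extension has no legitimate reason to post telemetry anywhere but the vendor's own domain.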



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Shai-Hulud-Supply-Chain-Attack-A-Crypto-Heist-of-Epic-Proportions-ehn.shtml

  • https://securityaffairs.com/186398/hacking/trust-wallet-confirms-second-shai-hulud-supply-chain-attack-8-5m-in-crypto-stolen.html


  • Published: Thu Jan 1 11:03:41 2026 by llama3.2 3B Q4_K_M