Threats & Scams

Trust Wallet Chrome extension: when supply-chain access meets the Chrome Web Store API

A post-mortem tied to the Shai-Hulud wave described leaked GitHub secrets, a stolen Chrome Web Store key, and a trojanized extension update—what broke, how seeds were exfiltrated, and what users can verify.

eSafe Team | Published Dec 31, 2025 | Last reviewed Apr 1, 2026 | 8 min read

Trust Wallet published a post-mortem describing how its Chrome extension was compromised in late 2025, with reporting linking the incident to the broader Shai-Hulud / Sha1-Hulud software supply-chain activity that hit many orgs via developer tooling, not only crypto.

The company stated that GitHub secrets were exposed, giving attackers access to extension source and the Chrome Web Store (CWS) API key. With full API access, an attacker could upload builds without Trust Wallet’s normal internal approval—so a malicious package could ship as a legitimate-looking version bump to users who auto-update.

What the bad update reportedly did

Coverage summarized Trust Wallet and Koi Security findings: the malicious version 2.68 was pushed on December 24, 2025, and a clean 2.69 was urged on roughly one million extension users.

The trojanized build was said to phone home to infrastructure under metrics-trustwallet.com (exfiltration host under api.metrics-trustwallet.…). Koi researchers Oren Yomtov and Yuval Ronen described behavior that ran on every wallet unlock, not only during seed import—so password- or biometric-unlock flows could still leak mnemonics. The logic was reported to iterate over all wallets in the profile, not only the active one, and to hide seed material inside fields that resemble benign unlock telemetry (for example an errorMessage-style payload on an analytics-shaped event)—so a casual reviewer could easily mistake the exfiltration for ordinary telemetry.

Reporting cited on-chain impact of roughly $8.5 million drained from thousands of addresses into a small set of attacker-controlled wallets, with reimbursement claims opened by the vendor afterward.

Why this is a supply-chain story first

The failure mode is not “user pasted a seed into a fake site.” It is:

  • Secrets in CI / GitHub that gate release and signing.
  • Store API keys that are effectively ship-to-production credentials.
  • Auto-update turning a brief compromise into mass distribution.

Shai-Hulud as a campaign name marks dependency and pipeline compromise across sectors; wallet extensions are a high-value target because one successful upload reaches everyone on the channel.

What users can actually do

  • Update immediately to the vendor-confirmed fixed extension version and verify the publisher on the Chrome Web Store before trusting balances.
  • Rotate or migrate wallets if you ever ran the known bad build window—follow only official Trust Wallet channels for claim and recovery steps.
  • Separate “hot” browser wallets from long-term savings; hardware or offline setups reduce single-point extension risk.
  • For builders: treat CWS API keys like root credentials: keep them short-lived, monitor and gate every upload, require MFA, and have a break-glass revoke-and-rotate process ready for when secrets land in the npm/GitHub blast radius.

Practical next step

If you use any crypto extension, open Extensions, confirm version and publisher ID against the vendor’s security advisory, and remove duplicates. eSafe can help you see permissions and risk signals in one place.
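Added example (not from the post or from Trust Wallet): a Python check that inventories a Chrome profile's Extensions directory and flags any advisory-listed extension ID that is on a known-bad version, is below the fixed version, or still has more than one version directory on disk. The extension ID is a placeholder to be filled from the vendor advisory; the directory layout `<profile>/Extensions/<id>/<version>/manifest.json` is Chrome's own.

```python
import json
import re
from pathlib import Path

# Advisory data keyed by extension ID. The ID below is a PLACEHOLDER, not the
# real Trust Wallet ID; take the ID and version numbers from the vendor's advisory.
ADVISORY = {
    "PLACEHOLDER_TRUST_WALLET_EXT_ID": {"bad": {"2.68"}, "fixed": "2.69"},
}

def parse_version(text):
    """'2.68_0' -> (2, 68, 0); Chrome names version directories with an '_N' suffix."""
    return tuple(int(p) for p in re.findall(r"\d+", text)) or (0,)

def inventory(extensions_dir):
    """List installed extensions from <profile>/Extensions/<id>/<version>/manifest.json."""
    entries = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the scan
        entries.append({
            "id": manifest.parent.parent.name,
            "name": data.get("name", "?"),
            "version": data.get("version", manifest.parent.name),
        })
    return entries

def assess(entries, advisory=ADVISORY):
    """Return (id, version, status) for each advisory-listed extension, plus a
    MULTIPLE_VERSIONS finding for any ID that still has several version dirs."""
    findings, versions_by_id = [], {}
    for e in entries:
        versions_by_id.setdefault(e["id"], []).append(e["version"])
        adv = advisory.get(e["id"])
        if adv is None:
            continue
        if e["version"] in adv["bad"]:
            status = "KNOWN_BAD"   # the trojanized build itself
        elif parse_version(e["version"]) < parse_version(adv["fixed"]):
            status = "OUTDATED"    # not yet on the fixed release
        else:
            status = "OK"
        findings.append((e["id"], e["version"], status))
    for ext_id, versions in versions_by_id.items():
        if len(versions) > 1:      # stale copy left behind after an update
            findings.append((ext_id, ",".join(sorted(versions)), "MULTIPLE_VERSIONS"))
    return findings
```

Run it as `assess(inventory("/path/to/profile/Extensions"))`; a KNOWN_BAD finding means the bad build was present, so the seed should be treated as exposed regardless of the current version.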

Go deeper

Analyze an extension before you install: permissions, publisher signals, and update history.

Report: The Hacker News.

FAQ

Did users have to download malware manually?
The described attack path included a trojanized extension update delivered through normal store update channels for users who already had the legitimate extension installed.

What should crypto extension users verify after such incidents?
Check extension publisher ID and version against official announcements, rotate any exposed secrets, move funds if a seed might have been exposed, and prefer hardware-wallet workflows for high-value assets.

Why does this matter beyond Trust Wallet?
The same supply-chain patterns—stolen publisher keys and poisoned pipelines—can target other brands; the lesson is systemic for any extension with financial or session power.
