In early January 2026, Trust Wallet revealed details of a cyberattack that targeted its popular wallet. According to a report published by the company, the attack was the result of a sophisticated hacking operation involving its development tools, rather than the wallet itself. The attack was linked to the Shai Hulud malware campaign, which targeted development tools and open-source programming environments.
The Attack and Exploiting Development Tools
In its report, Trust Wallet clarified that version 2.68 of the Chrome extension was not a regular update that was tampered with after release, but a fully compromised version built by the attackers. The hackers used source code stolen from Trust Wallet's GitHub repositories during the Shai Hulud campaign in November 2025 to develop a fake version of the extension, which contained a backdoor to collect wallet data.
How the Attack Was Executed
- Domain Registration: In December 2025, the attacker registered a domain similar to the official Trust Wallet domain.
- Hosting Malicious Code: The malicious code was hosted on this new domain, and the source code stolen from GitHub was used to create the new extension version.
- Publishing the Compromised Version: The attacker then submitted the compromised version 2.68 of the extension to the Chrome Web Store using the stolen API key, allowing the update to be published as an “official” update via Google’s automatic review process, without internal verification from Trust Wallet.
Trust Wallet's Response After the Attack
- Release of a Secure Update: Once the attack was discovered, Trust Wallet released a new, secure version of the extension (version 2.69).
- Compensation for Victims: The company announced compensation for affected users and laid out a plan for damage restitution.
- Revocation of API Keys: All API keys used to publish updates on the Chrome Web Store were revoked to prevent any future unauthorized submissions.
- Strengthening Security: The company started reinforcing its security practices, including identity management and publish verification.
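As an added illustration of the "publish verification" control (example code written for this article, not Trust Wallet's tooling), the sketch below audits the package a store is serving against an internal release ledger and a host allowlist, the two checks that would flag an unapproved version that references a lookalike domain. The ledger format, host names, versions and file names are constructed placeholders.

```python
import hashlib, io, json, re, zipfile

HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")

def build_zip(files):
    """Build an in-memory package from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in sorted(files.items()):
            z.writestr(name, data)
    return buf.getvalue()

def inspect_package(pkg_bytes):
    """Return (version, content digest, hosts referenced) for a package."""
    digest, hosts = hashlib.sha256(), set()
    with zipfile.ZipFile(io.BytesIO(pkg_bytes)) as z:
        version = json.loads(z.read("manifest.json"))["version"]
        for name in sorted(z.namelist()):
            data = z.read(name)
            # Hash names and contents only, so zip timestamps do not matter.
            digest.update(name.encode() + b"\0" + hashlib.sha256(data).digest())
            hosts.update(h.decode().lower() for h in HOST_RE.findall(data))
    return version, digest.hexdigest(), hosts

def audit(pkg_bytes, ledger, allowed_hosts):
    """Compare the store-served package with the internal release ledger."""
    version, digest, hosts = inspect_package(pkg_bytes)
    findings = []
    if version not in ledger:
        findings.append(f"version {version} was never released internally")
    elif ledger[version] != digest:
        findings.append(f"version {version} content differs from the signed-off build")
    for h in sorted(hosts - allowed_hosts):
        findings.append(f"unexpected host referenced: {h}")
    return findings

# Constructed sample data: hosts and versions are placeholders.
ALLOWED = {"api.wallet.example"}
good = build_zip({"manifest.json": b'{"version": "1.0.0"}',
                  "bg.js": b'fetch("https://api.wallet.example/v1/rates")'})
rogue = build_zip({"manifest.json": b'{"version": "1.0.1"}',
                   "bg.js": b'fetch("https://api.wallet.example/v1/rates");'
                            b'fetch("https://metrics.wallet-example.test/c")'})
LEDGER = {"1.0.0": inspect_package(good)[1]}  # digest recorded at sign-off

if __name__ == "__main__":
    print(audit(good, LEDGER, ALLOWED))
    print(audit(rogue, LEDGER, ALLOWED))
```

Run on a schedule against the package downloaded from the store, a non-empty result means something was published outside the internal release process.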
Background of the "Shai Hulud" Campaign
The Shai Hulud campaign was a series of attacks that targeted npm packages (open-source JavaScript packages) and stole sensitive data from multiple organizations, including Trust Wallet. The attack exploited legitimate development tools that were being used by companies, enabling the hackers to compromise the system without needing to breach the infrastructure itself.
How to Protect Yourself from Similar Attacks
- Regular Updates: Keep your apps and extensions up to date, and install only the official versions.
- Review Permissions: Always check the permissions required by any extension or app before installing it.
- Use Multi-Factor Authentication: Secure your accounts on development platforms and other services with multi-factor authentication.
Conclusion
The attack on Trust Wallet highlights the importance of security in open-source development environments and shows how tools that are supposed to be secure can be exploited in sophisticated attacks. Both users and developers must remain aware of the latest security threats and take proactive steps to protect themselves from cyberattacks.