Trust Wallet has confirmed that hackers managed to publish a malicious update to its Chrome browser extension after it passed the Chrome Web Store review process.
The compromised version, labeled 2.68, was automatically released, allowing attackers to bypass Trust Wallet’s internal approval systems. As a result, the harmful update became available to users before the issue was detected.
After discovering the incident, Trust Wallet immediately revoked all release-related APIs to prevent any further unauthorized updates. The company also acted to stop additional data theft by reporting the malicious domains used in the attack to the NiceNIC registrar, which suspended them shortly after.
Trust Wallet said it has started reimbursing affected users and warned the community to stay alert, as attackers are now impersonating official Trust Wallet support accounts. These fake accounts are spreading scam links, including false compensation forms, and are actively promoted through Telegram advertisements.
The incident comes as security researchers continue to investigate the Shai Hulud malware campaign, a large-scale supply chain attack targeting the npm software registry. Npm hosts more than two million software packages used by developers worldwide.
The first wave of the attack appeared in early September, when attackers compromised more than 180 npm packages using a self-propagating payload. The malware was designed to steal developer secrets and API keys, which were later extracted using automated tools.
The second phase, known as Shai Hulud 2.0, expanded rapidly and affected more than 800 packages. Attackers added over 27,000 malicious packages to the npm registry, embedding code that collected developer and CI/CD secrets and published them publicly on GitHub.
Researchers estimate that around 400,000 sensitive secrets were exposed across tens of thousands of GitHub repositories, with a majority of stolen npm tokens still active as of early December.
Security experts warn that attackers are becoming more skilled at abusing trusted developer platforms like npm and GitHub. Researchers say the success of these attacks shows how vulnerable software supply chains remain and expect similar campaigns to continue, using both new techniques and previously stolen credentials.





