TL;DR: The Trust Wallet Chrome browser extension was compromised on Christmas Eve 2025 through a supply chain attack. The "Sha1-Hulud" self-replicating worm, which had been spreading through the NPM package registry, stole developer credentials, including Trust Wallet's GitHub secrets and Chrome Web Store API key. Attackers published a malicious version 2.68 that stole seed phrases. 2,520 wallet addresses were compromised, losing approximately $8.5 million. Trust Wallet has released a patched version and pledged to reimburse all affected users. If you used the Chrome extension between December 24-26, 2025, assume your wallet is compromised.

What Happened

On December 24, 2025 (Christmas Eve), attackers published a malicious version of the Trust Wallet Chrome browser extension:[1]

  • December 24, 2025: Malicious version 2.68 published to Chrome Web Store
  • December 24-26: Users who logged into the extension had seed phrases stolen
  • December 26: Trust Wallet discovered the breach and removed the malicious version
  • December 27: Patched version 2.69 released

The attackers didn't need to break Trust Wallet's security directly. They compromised the software supply chain and walked right in.[2]

The Sha1-Hulud Worm

The attack traces back to the "Sha1-Hulud" (also called "Shai-Hulud 2.0") self-replicating worm that began targeting the NPM package registry in November 2025:[3]

NPM Infection

The worm spreads through malicious packages in NPM, waiting for developers to install them.

Credential Theft

Once on a developer's machine, it steals GitHub secrets, API keys, and authentication tokens.

Self-Replication

The worm publishes more malicious packages using stolen credentials, spreading to more developers.

Supply Chain Attack

Stolen credentials let attackers publish malicious versions of legitimate software, like Trust Wallet.

The attackers obtained Trust Wallet's GitHub secrets and Chrome Web Store API key. With these, they bypassed normal release controls and pushed malicious code directly to users.[2]

How the Attack Worked

The malicious version 2.68 of Trust Wallet's Chrome extension contained code designed to:[4]

  1. Intercept seed phrases when users logged in
  2. Exfiltrate the phrases to attacker-controlled servers
  3. Allow attackers to recreate wallets and drain funds

Because seed phrases give complete control over a crypto wallet, anyone who logged in during the attack window lost everything in their wallet. The stolen funds were traced to 17 attacker-controlled wallet addresses.[1]

The Damage

  • 2,520 wallet addresses confirmed compromised[1]
  • $8.5 million stolen (some sources report $7 million)[4]
  • 48-hour window of active exploitation (December 24-26)
  • Unknown how many users haven't yet realized they're affected

Trust Wallet's mobile apps were not affected, only the Chrome browser extension. But if you use both and logged into the Chrome extension during the attack window, your seed phrase is compromised.[5]

Trust Wallet's Response

Trust Wallet has taken several steps:[5]

  • Released patched version 2.69
  • Revoked compromised release APIs
  • Reported malicious domains to registrars
  • Pledged to fully reimburse all affected users
  • Initiated verification process for claims

The reimbursement pledge is unusual: most crypto platforms disclaim liability for hacks. Whether Trust Wallet follows through, and how quickly, remains to be seen.

The Supply Chain Attack Problem

This isn't the first major supply chain attack on crypto, and it won't be the last:

  • NPM ecosystem: Millions of packages, many poorly maintained, any one of which could be compromised
  • Browser extensions: Auto-update mechanisms mean malicious code reaches users instantly
  • Developer credentials: A single compromised developer can poison software used by millions
  • Trusted publishers: Users trust software from recognized names. Attackers exploit that trust

The supply chain attack trend is accelerating because it works. Instead of attacking millions of users individually, attackers compromise one developer and reach everyone who trusts their software.

What You Should Do

If You Used the Trust Wallet Chrome Extension (Dec 24-26)

Assume your wallet is compromised. Move any remaining funds to a new wallet with a new seed phrase immediately. Your old seed phrase is in attacker hands.

Update to Version 2.69+

If you're still using Trust Wallet's Chrome extension, update immediately. Check your version in the extension settings.
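
A scripted form of the version check above, as an added example that is not Trust Wallet's or this article's own code: it reads the manifest.json of every on-disk copy of an extension under a Chrome user data directory and labels 2.68 as malicious and 2.69 or later as patched. The extension ID is a placeholder (take the real one from chrome://extensions), the function names are illustrative, and the sample directory tree is constructed.

```python
import json
import tempfile
from pathlib import Path

MALICIOUS = (2, 68)  # version the article names as malicious
PATCHED = (2, 69)    # first fixed version per the article


def classify(version_text):
    """Chrome versions are 1-4 dot-separated integers; compare as tuples."""
    v = tuple(int(part) for part in version_text.strip().split("."))
    if v[:2] == MALICIOUS:  # assumption: treat any 2.68.x build as malicious
        return "malicious"
    return "patched" if v >= PATCHED else "pre-incident"


def scan(user_data_dir, ext_id):
    """Return (profile, version, verdict) for each on-disk copy of ext_id.

    Layout: <user data dir>/<profile>/Extensions/<id>/<version>_N/manifest.json
    A profile can hold more than one version directory, so report them all.
    """
    findings = []
    pattern = f"*/Extensions/{ext_id}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version, verdict = data["version"], classify(data["version"])
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            version, verdict = None, "unreadable"
        findings.append((manifest.parents[3].name, version, verdict))
    return findings


def build_sample(root, ext_id):
    """Constructed sample tree mimicking the layout above (not real data)."""
    for profile, folder, version in [("Default", "2.68_0", "2.68"),
                                     ("Default", "2.69_0", "2.69"),
                                     ("Profile 1", "2.67_0", "2.67")]:
        d = Path(root) / profile / "Extensions" / ext_id / folder
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"version": version}))


if __name__ == "__main__":
    ext_id = "a" * 32  # placeholder ID; use the one shown in chrome://extensions
    with tempfile.TemporaryDirectory() as root:  # real runs: Chrome's user data dir
        build_sample(root, ext_id)
        for row in scan(root, ext_id):
            print(row)
```

A clean result only describes what is on disk now: a profile that auto-updated from 2.68 to 2.69 was still exposed during the December 24-26 window.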

File a Claim

Contact Trust Wallet support to file a reimbursement claim if you lost funds. Document everything: transaction hashes, wallet addresses, amounts.

Consider Hardware Wallets

Browser extensions have a larger attack surface than hardware wallets. For significant holdings, hardware wallets provide better security.

The Browser Extension Risk

Crypto browser extensions are convenient. They're also high-risk:

  • Auto-updates: Malicious code reaches you without action on your part
  • Full access: Extensions can read everything you do in the browser
  • Trust model: You trust the developer completely. If they're compromised, so are you
  • Phishing target: Fake extensions regularly appear in browser stores

This attack succeeded because Trust Wallet's extension auto-updated to a malicious version. Users did nothing wrong. They just had the extension installed.

The Bottom Line

The Sha1-Hulud worm demonstrates how supply chain attacks cascade: compromise one developer, steal their credentials, publish malicious code, compromise millions of users.

Trust Wallet is owned by Binance, one of the largest crypto exchanges. If they can be compromised, anyone can. The promise of "trustless" cryptocurrency becomes ironic when you have to trust every piece of software in your stack, and any one of them can be poisoned.

$8.5 million gone in 48 hours. All because someone's development environment got infected with a worm.

References

  1. Kaseya - Week in Breach News: Trust Wallet Supply Chain Attack (January 14, 2026)
  2. Halborn Security - Trust Wallet Supply Chain Breach Analysis
  3. Check Point - Sha1-Hulud Worm NPM Campaign Analysis
  4. Security Week - Trust Wallet Chrome Extension Breach
  5. Trust Wallet - Security Incident Disclosure (December 2025)