Trust Wallet revealed that its Google Chrome extension was compromised through the second iteration of the Shai-Hulud supply chain attack in November 2025, resulting in approximately $8.5 million in stolen assets. The attack exposed Trust Wallet's developer GitHub secrets, giving attackers access to the browser extension source code and the Chrome Web Store API key. With full API access, the attackers uploaded malicious builds directly, bypassing Trust Wallet's standard release process.

The supply chain compromise demonstrates the growing sophistication of crypto-targeted attacks, where hackers infiltrate development workflows rather than exploiting smart contract vulnerabilities. This incident highlights the critical importance of securing developer environments and implementing robust CI/CD security measures. Users were advised to immediately update their extensions and review wallet permissions.