Nearly $8.5M pilfered from Trust Wallet in Shai Hulud malware attack

Trust Wallet, a multi-chain non-custodial cryptocurrency wallet, had almost $8.5 million worth of digital assets drained from 2,520 cryptocurrency wallets following an npm supply chain attack involving the self-replicating Shai Hulud 2.0 malware, according to SecurityWeek.

Malicious actors who obtained Trust Wallet's Developer GitHub secrets following the supply chain intrusion were able to access the wallet's source code and Chrome Web Store API key, enabling the creation and release of a trojanized version of its Chrome browser extension that allowed the exfiltration of sensitive wallet details for fraudulent transactions, said Trust Wallet. Trust Wallet, which also noted the compromise of unrelated wallet addresses, has pledged to refund all impacted individuals, as it urged users to adopt version 2.69 of its Google extension.

Such a development comes as Aikido researchers reported the emergence of Shai Hulud 3.0, which was said by Upwind analysts to feature the same core mechanism as previous iterations but allowed wiper execution in the absence of exploitable GitHub or npm tokens.