Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack
Trust Wallet on Tuesday revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets. "Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source
AI Analysis
Technical Summary
The Trust Wallet Chrome extension hack in late 2025 was a sophisticated supply chain attack tied to the Shai-Hulud malware campaign, which targets developer environments to compromise trusted software dependencies. Attackers obtained leaked GitHub secrets from Trust Wallet developers, including the Chrome Web Store (CWS) API key, enabling them to bypass the normal release process and push a malicious extension update (version 2.68) directly to the Chrome Web Store. This trojanized extension contained a backdoor that harvested users' wallet mnemonic phrases by sending them to attacker-controlled domains such as "metrics-trustwallet[.]com" and its subdomains. The breach resulted in the theft of approximately $8.5 million in cryptocurrency from 2,520 wallet addresses, consolidated into at least 17 attacker-controlled wallets. The Shai-Hulud campaign is an industry-wide supply chain attack vector that compromises developer tooling to inject malicious code, affecting multiple sectors beyond crypto. Trust Wallet responded by urging users to update to a clean extension version (2.69), initiating reimbursement claims, and enhancing monitoring and controls around their release processes. The attack underscores the dangers of exposed developer secrets and the criticality of securing software supply chains, especially for browser extensions handling sensitive cryptographic assets. The Shai-Hulud malware continues evolving with improved obfuscation and reliability to maintain persistence and evade detection, emphasizing the ongoing threat to developer environments and downstream users.
Potential Impact
For European organizations and users, the Trust Wallet Chrome extension compromise poses significant financial risks due to direct theft of cryptocurrency assets. Organizations relying on Trust Wallet for crypto transactions or asset management could suffer monetary losses and operational disruptions. The breach also undermines user trust in browser-based crypto wallets, potentially affecting adoption and usage in Europe’s growing digital asset markets. The attack highlights vulnerabilities in software supply chains, which could be exploited to compromise other critical applications used by European enterprises. Additionally, the exposure of developer secrets and the ability to push unauthorized updates can lead to widespread distribution of malicious code, increasing the attack surface. Regulatory and compliance implications may arise, especially under GDPR and emerging EU cybersecurity directives, due to potential data breaches and inadequate security controls. The incident serves as a cautionary example for European organizations to scrutinize third-party software dependencies and enforce stringent security practices around developer environments and release pipelines.
Mitigation Recommendations
European organizations and Trust Wallet users should immediately update to the latest, verified extension version (2.69 or later) to remove the trojanized code. Developers must enforce strict secret management policies, including storing API keys and credentials in secure vaults rather than in code repositories or CI configuration, and rotating keys regularly. Implement multi-factor authentication (MFA) for all developer accounts and for access to release pipelines to prevent unauthorized access. Employ code signing and automated integrity checks so that unauthorized modifications are detected before deployment. Monitor Chrome Web Store developer accounts for unusual activity and restrict API key permissions to the minimum necessary. Conduct regular audits of developer environments and dependencies to identify potential compromises early. Establish incident response plans specifically for supply chain attacks, including rapid revocation of compromised keys and communication protocols for affected users. European organizations should also consider using endpoint detection and response (EDR) tools to detect suspicious activity related to wallet mnemonic phrase exfiltration, such as outbound connections to the attacker-controlled domains named in the disclosure. Finally, promote user awareness campaigns to educate users about the risks of malicious extension updates and encourage verification of extension authenticity.
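As an added illustration of the two defender-side checks above (it is not code from Trust Wallet or from the original article), the following Python script scans constructed DNS/proxy log lines for traffic to the exfiltration domain named in the disclosure, metrics-trustwallet[.]com, including its subdomains, and flags installed extension versions below the clean 2.69 release. The log format, the sample log lines and the extension inventory are assumptions made up for this example; the IOC domain and version numbers come from the page. Matching is done on hostname labels rather than substrings so that a look-alike domain that merely ends in the same characters is not mistaken for a subdomain.

```python
import re
from typing import Dict, List

# IOC from the Trust Wallet disclosure, kept defanged as written on the page and
# refanged only in memory so the literal in this file is not a live hostname.
DEFANGED_IOC_DOMAINS = ["metrics-trustwallet[.]com"]
CLEAN_EXTENSION_VERSION = (2, 69)   # first release without the backdoor, per the page


def refang(domain: str) -> str:
    """Turn a defanged 'host[.]tld' string into a normalized hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = [refang(d) for d in DEFANGED_IOC_DOMAINS]


def host_matches_ioc(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of it (label-aware)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Assumed (constructed) log format: "<timestamp> <source-ip> <dns|proxy> <host> [details]".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|proxy)\s+(?P<host>\S+)(?:\s+(?P<rest>.*))?$"
)

# Constructed sample telemetry, not real logs. The fourth line is a look-alike domain
# that a naive substring match would flag but which is not a subdomain of the IOC.
SAMPLE_LOGS = """\
2025-11-28T10:01:02Z 10.0.4.12 dns metrics-trustwallet.com
2025-11-28T10:01:03Z 10.0.4.12 proxy api.metrics-trustwallet.com POST /collect 200
2025-11-28T10:02:11Z 10.0.4.19 dns trustwallet.com
2025-11-28T10:02:12Z 10.0.4.19 proxy example-metrics-trustwallet.com GET / 200
2025-11-28T10:03:30Z 10.0.4.21 proxy update.googleapis.com GET /service/update2 200
"""


def scan_logs(text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose host is the IOC domain or a subdomain of it."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        if host_matches_ioc(m.group("host")):
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "kind": m.group("kind"), "host": m.group("host")})
    return hits


def parse_version(version: str):
    """Dotted-integer version string to a tuple, compared component-wise like Chrome does."""
    return tuple(int(part) for part in version.split("."))


def extension_needs_update(installed: str) -> bool:
    """True when the installed Trust Wallet extension predates the clean 2.69 release."""
    return parse_version(installed) < CLEAN_EXTENSION_VERSION


# Constructed inventory of endpoints and their installed extension version (assumed data).
SAMPLE_INVENTORY = {"host-a": "2.67", "host-b": "2.68", "host-c": "2.69", "host-d": "2.70"}


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Endpoint names whose installed version is below the clean release."""
    return sorted(h for h, v in inventory.items() if extension_needs_update(v))


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"IOC hit: {hit['ts']} {hit['src']} {hit['kind']} {hit['host']}")
    print("Endpoints still on a trojanized or older build:", hosts_needing_update(SAMPLE_INVENTORY))
```

Run against real telemetry, the `LOG_LINE` pattern would be replaced by the parser for your DNS or proxy export; the label-aware `host_matches_ioc` check and the version comparison are the parts worth keeping.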
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Sweden, Italy, Spain
Technical Details
- Article Source: https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html (fetched 2025-12-31T22:37:45Z, 1023 words)
Threat ID: 6955a5badb813ff03e056249
Added to database: 12/31/2025, 10:37:46 PM
Last enriched: 12/31/2025, 10:37:59 PM
Last updated: 1/7/2026, 3:55:37 AM