The Worm in the Code: How the Shai-Hulud npm Attack Hijacked Trust Wallet
A large-scale supply chain compromise known as Shai-Hulud has been linked to the recent theft of approximately USD 8.5 million in cryptocurrency from more than 2,500 Trust Wallet accounts. The company’s team has concluded that the December incident was not an isolated event, but rather a continuation of a sweeping attack on the npm ecosystem that began as early as the autumn.
The investigation revealed that the attackers gained access to the source code of the Trust Wallet browser extension for Chrome, along with the API key used to publish updates. This breach was made possible by the leakage of developer secrets through GitHub, a consequence of the Shai-Hulud campaign. Armed with this access, the attackers uploaded a malicious version of the extension capable of harvesting sensitive wallet data and executing unauthorized transactions.
The company also confirmed that the domains involved in the attack were deliberately registered to distribute malicious code. Once identified, these resources were promptly reported to the registrar and taken offline to curb further propagation of the threat. In parallel, Trust Wallet revoked all API access associated with extension releases and initiated compensation for users affected by the breach.
The Shai-Hulud campaign itself stands as one of the most extensive known cases of npm package compromise. According to researchers, the initial phase of the attack infected roughly 180 packages. Following the transition to a second phase, the number of malicious libraries ballooned to more than 27,000. These packages were used to siphon developers’ keys and secrets, with the stolen data subsequently seeded across thousands of GitHub repositories.
In total, approximately 400,000 sensitive credentials were compromised, including access tokens and CI/CD keys, a significant portion of which remained valid for months after the attack. Researchers assess that the level of organization and technical sophistication behind Shai-Hulud points to further attempts to exploit the npm and GitHub ecosystems, as well as the continued misuse of the already amassed trove of stolen data.
Trust Wallet, which had previously stopped short of explicitly attributing the incident to a supply chain attack, now emphasizes that the attackers’ actions were part of a broader campaign affecting a wide swath of the developer community. This acknowledgment underscores longstanding concerns about the far-reaching consequences of breaches stemming from compromised open-source infrastructure components.