Trust Wallet's web browser extension was compromised through an attack involving stolen developer secrets, resulting in over $8.5 million in crypto theft from more than 2,500 wallets. This incident is linked to the widespread Sha1-Hulud supply chain attack targeting npm packages and GitHub repositories. #TrustWallet #Sha1Hulud
Keypoints
- The Trust Wallet extension was hijacked using a malicious JavaScript file inserted into version 2.68.0.
- The attackers exploited leaked GitHub secrets and Chrome Web Store API keys to publish malicious updates.
- Malicious domains hosted code used for stealing wallet data and facilitating unauthorized transactions.
- The Sha1-Hulud malware campaign compromised numerous npm packages to harvest developer secrets and API keys.
- Trust Wallet responded by revoking APIs, suspending malicious domains, and alerting users to scams and impersonations.