
Trust Wallet Ties $8.5M Crypto Theft to NPM Attack

Summary

– Trust Wallet’s web browser extension was compromised, leading to the theft of roughly $8.5 million from over 2,500 crypto wallets, likely linked to an industry-wide “Sha1-Hulud” attack.
– The attackers added a malicious JavaScript file to version 2.68.0 of the Chrome extension by using exposed GitHub developer secrets and a leaked Chrome Web Store API key.
– This allowed the attacker to publish a trojanized extension version directly to the store, bypassing Trust Wallet’s internal approval and review processes.
– In response, Trust Wallet revoked release APIs, had malicious domains suspended, and has begun reimbursing affected users while warning of ongoing impersonation scams.
– The related Sha1-Hulud campaign was a large-scale npm supply chain attack that compromised hundreds of packages to steal and leak hundreds of thousands of developer secrets and API keys.

A significant security breach at Trust Wallet, a leading cryptocurrency platform with a user base exceeding 200 million, has been linked to a widespread software supply chain attack. The incident, which occurred in late December, led to the theft of approximately $8.5 million in cryptocurrency from more than 2,500 digital wallets. The company’s investigation points to the “Sha1-Hulud” malware campaign that targeted the npm software registry in November as a likely source of the initial compromise.

The theft unfolded after attackers managed to insert a malicious JavaScript file into version 2.68.0 of Trust Wallet’s official Chrome browser extension. This file was designed to harvest sensitive wallet information, enabling the criminals to initiate and authorize fraudulent transactions. According to a company update, the breach began when developer secrets stored on GitHub were exposed. This access allowed the threat actor to obtain the wallet extension’s source code and, critically, a key for the Chrome Web Store API.

With this leaked API key in hand, the attackers gained the ability to upload new builds directly to the Chrome Web Store, completely bypassing Trust Wallet’s standard internal review and approval protocols. They then registered deceptive domains, including metrics-trustwallet.com, to host malicious code. This code was subsequently embedded into a trojanized version of the extension, built using the stolen source code. The malicious update, version 2.68, was then published to the official store and automatically released to users.

In response to the attack, Trust Wallet took swift action to mitigate further damage. The company revoked all release API keys to prevent new malicious versions from being published. They also reported the fraudulent domains to the NiceNIC registrar, which promptly suspended them, cutting off the attackers’ ability to exfiltrate more data. Furthermore, Trust Wallet has begun the process of reimbursing affected users and has issued warnings about ongoing impersonation scams. Threat actors are currently posing as official support staff on platforms like Telegram, promoting fake compensation forms to exploit victims a second time.

This breach is connected to the broader “Sha1-Hulud” campaign, a sophisticated supply chain attack focused on the npm registry. The campaign, which saw a major resurgence in November, involved threat actors injecting malicious code into thousands of npm packages. This code was specifically crafted to steal developer credentials, API keys, and other sensitive secrets, which were then often published publicly on GitHub. Security researchers from Wiz noted that attackers are refining these credential-harvesting operations, and they anticipate continued attacks leveraging both similar techniques and the vast trove of credentials already stolen.

(Source: Bleeping Computer)
