A Worm With a Sci-Fi Name
My verdict is clear: the Shai-Hulud attack is one of the most sophisticated security incidents we've seen in the crypto ecosystem.
I won't sugarcoat it: if you unlocked your wallet in Trust Wallet's Chrome extension between December 24 and 26, 2025, treat your seed phrase as stolen and move your funds, even if nothing has left the wallet yet.
The name "Shai-Hulud" comes from the giant sandworms in Frank Herbert's Dune saga. And the analogy is perfect: this malware moved beneath the surface of the software ecosystem, invisible, until it emerged to devour $8.5 million in crypto assets.
After weeks of investigating this case, I can tell you exactly what happened, how the attack worked, and—most importantly—how to protect yourself so this doesn't happen to you.
Attack Timeline: From September to Christmas Eve
Phase 1: Silent Infection of the npm Ecosystem
The attack began months before the theft. If you ask me directly, this wasn't opportunistic; it was an operation planned with military precision.
| Date | Event |
|---|---|
| Sep 16, 2025 | First Shai-Hulud detection. Infects 187+ npm packages, including several from CrowdStrike |
| Nov 2025 | Shai-Hulud 2.0: 640+ npm packages compromised. 33,185 unique secrets exposed across 20,649 repositories |
| Nov 24, 2025 | Attack peaks: 25,000+ malicious repositories created on GitHub |
| Dec 8, 2025 | Attackers register domain metrics-trustwallet[.]com |
| Dec 21, 2025 | First requests to command and control server |
| Dec 24, 2025, 12:32 UTC | Malicious extension v2.68 published to Chrome Web Store |
| Dec 25, 2025 | Trust Wallet detects the attack and issues emergency alert |
| Dec 26, 2025, 11:00 UTC | Extension removed. Clean version 2.69 published |
| Jan 2026 | Trust Wallet confirms $8.5M stolen. Initiates reimbursement process |
Phase 2: The Christmas Eve Strike
The attackers chose the perfect moment: Christmas Eve. Skeleton security teams, diverted attention, and the longest possible window before anyone responded.
With credentials stolen during months of silent infection, they published a malicious version of the Trust Wallet extension directly to the Chrome Web Store. They didn't need to bypass internal controls: with valid publishing credentials in hand, the store treated the upload as a legitimate release.
Extension v2.68 looked identical to the legitimate one. But under the hood, every time a user unlocked their wallet, the malicious code would:
- Iterate through all configured wallets
- Extract seed phrases
- Disguise them as "error telemetry"
- Send them to the attacker's server using PostHog as a channel
Ingenious and terrifying in equal measure.
Technical Deep-Dive: A Three-Layer Attack
Layer 1: The npm Worm
Shai-Hulud isn't conventional malware. It's a self-replicating worm that spreads through the npm registry.
The process was diabolically simple:
- Initial infection: The malware injected itself into the install-time lifecycle hooks (the pre-installation phase) of popular npm packages, so it ran on every machine that installed them
- Secret scanning: Used TruffleHog to search for API tokens, cloud credentials (AWS, GCP, Azure), and npm tokens
- Exfiltration: Stolen secrets were published to public GitHub repositories named "Shai-Hulud"
- Self-propagation: With stolen npm tokens, the malware authenticated and published infected versions of other packages from the same maintainer
Result across both waves: 800+ npm packages compromised, 400,000 secrets exposed.
Layer 2: Trust Wallet Compromise
During Shai-Hulud 2.0 in November, attackers obtained:
- Access to the extension's source code
- The Chrome Web Store API key
- Deployment credentials
With this in hand, they just needed to wait for the optimal moment.
Layer 3: Mass Theft
The malicious code in v2.68 was elegant in its simplicity. It activated on every wallet unlock—not just when importing a seed phrase—which maximized victims.
Seed phrases were sent disguised as the errorMessage field of telemetry events, using the PostHog library as the exfiltration channel, but pointed at the attacker-controlled host metrics-trustwallet[.]com registered two weeks earlier rather than at the project's real analytics endpoint. To any superficial analysis, it looked like legitimate error traffic: the same library and the same event shape as genuine crash reporting.
The Impact: Numbers of Disaster
| Metric | Value |
|---|---|
| Affected wallets | 2,520 confirmed addresses |
| Total amount stolen | ~$8.5 million USD |
| Approximate breakdown | ~$3M Bitcoin, ~$3M+ Ethereum, $431 Solana |
| Attacker wallets | 17 addresses identified |
| Affected version | Trust Wallet Browser Extension v2.68 only |
| Risk period | December 24-26, 2025 |
| Extension users | ~1 million (all urged to update) |
But Shai-Hulud's impact extends beyond Trust Wallet:
- 800+ npm packages infected
- 27,000+ malicious packages added to npm
- 400,000 secrets exposed
- 60%+ of leaked npm tokens still valid weeks later
- Affected organizations: Trust Wallet, CrowdStrike, Zapier, PostHog, Postman
Trust Wallet's Response: Was It Enough?
Immediate Actions
Trust Wallet reacted with reasonable speed once the attack was detected:
- Rollback of compromised extension and publication of clean v2.69
- Disabled publishing access and API credentials
- Reported malicious domain to NiceNIC (which suspended it)
- Expired all release API credentials for 2 weeks
- Coordinated with blockchain analysts to track stolen funds
About Reimbursements
Trust Wallet committed to voluntarily reimburse all affected users. The claims portal is at be-support.trustwallet.com.
But there's a problem: they received 5,000+ claims for 2,520 affected wallets. The difference consists of duplicates, errors, and—inevitably—scammers trying to take advantage.
Trust Wallet is developing a verification tool in v2.70 to validate legitimate claims.
Insider or Nation-State?
Two theories are circulating:
Theory 1: State actor. Trust Wallet publicly suggested it could be a "nation-state actor." The attack's sophistication, months of planning, and prepared infrastructure point in that direction.
Theory 2: Insider. Changpeng Zhao (CZ), Binance founder (Trust Wallet's owner), hinted that it was "very likely" an insider. The infrastructure was prepared 2+ weeks in advance: "This wasn't opportunistic. It was planned."
Shai-Hulud 3.0: The Threat Continues
If you thought this was over, I have bad news.
In January 2026, researcher Charlie Eriksen from Aikido detected a third variant in the package @vietmoney/react-big-calendar @0.26.2.
Shai-Hulud 3.0 features:
- Greater string obfuscation
- Better error handling
- Improved Windows compatibility
- Focused on increasing campaign longevity
Experts believe this was a "test deployment," not an active attack. But the warning is clear: Shai-Hulud is still alive, and a fourth wave could be in development.
How to Protect Your Cryptocurrency: 7 Essential Measures
After weeks analyzing this case, here are my recommendations:
1. Use Hardware Wallets for Large Holdings
Ledger, Trezor, and similar devices keep your private keys on a dedicated chip and sign transactions without ever exposing the key. No amount of malware in your browser can read a key that never leaves the device. One caveat: a compromised host can still ask the device to sign a malicious transaction, so always verify the destination address and amount on the device's own screen before approving.
My direct recommendation: if you hold more than $1,000 in crypto, invest $80-150 in a hardware wallet. A single avoided hack pays for it many times over.
2. Distrust Browser Extensions
Browser wallets are inherently insecure. The browser context is a minefield: malicious extensions, phishing attacks, zero-day vulnerabilities.
Wallet functionality belongs in:
- Dedicated mobile apps
- Hardware wallets
- Desktop software (not extensions)
3. Implement Update "Cooldown"
Delay updates 48-72 hours where you can, and let the security community detect problems first. The caveat for browser wallets: the Chrome Web Store pushes extension updates automatically, and consumer Chrome has no per-extension "wait" setting, so this measure is mainly practical for desktop and mobile apps where you decide when to install.
The timeline still shows why it matters: the malicious extension was live for roughly a day and a half (published 12:32 UTC on December 24, removed 11:00 UTC on December 26). A 72-hour delay would have skipped it entirely.
4. Enable Strong 2FA
Enable it on exchange and custodial accounts. Use WebAuthn (physical security keys) or authenticator apps like Aegis or Authy. Never SMS: it's vulnerable to SIM-swap attacks. Be clear about what 2FA does not do: it protects logins, not a self-custody wallet. A seed phrase exfiltrated from an extension lets the thief sign transactions directly, with no login in the way.
5. Protect Your Seed Phrase Offline
Never store your seed phrase online. Not in notes, emails, cloud photos, or password managers.
Write it down physically and store it in a secure location. Consider fire-resistant metal plates for large amounts.
6. Diversify Storage
Don't keep everything in one place. Combine:
- Hardware wallet (main holdings)
- Paper wallet (cold backup)
- Exchange (only liquidity you need)
7. Act Fast on Suspicion
If you suspect your wallet is compromised:
- Disconnect the device from the network immediately
- From another clean device, transfer funds to a new wallet
- Then investigate what happened
The order is critical: move funds first, investigate later.
For Developers: Protecting the Supply Chain
If you're a developer, the Shai-Hulud attack is a wake-up call:
Use npm Trusted Publishing
Instead of tokens, configure trusted publishing. Eliminate long-lived credentials that can be stolen.
Require 2FA for Publishing
npm allows enforcing 2FA for all publishing actions. Enable it.
Audit Dependencies Regularly
Tools like Socket.dev, Snyk, or npm audit can detect compromised packages.
Rotate Credentials at Any Suspicion
If there's any indication of exposure, rotate everything immediately. Don't wait to confirm the compromise.
How to Check If You Were Affected
Trust Wallet Users
- Check the version and your usage: If you had the Chrome extension installed and unlocked your wallet between December 24-26, 2025 (while v2.68 was live), assume your seed phrase was exfiltrated, even if no funds have moved yet
- Review your transactions: Look for unauthorized transfers in your history
- Official portal: If affected, file a claim at be-support.trustwallet.com
Warning Signs
- Transactions you don't recognize
- Reduced balances without explanation
- "Support" emails asking for information (they're scams)
WARNING: Trust Wallet alerts that malicious actors are impersonating support accounts, sending fake compensation forms, and running scams via Telegram. The only legitimate portal is the official one.
FAQs: Common Questions About the Hack
Were all Trust Wallet versions affected?
No. Only the Chrome extension version 2.68, published on December 24, 2025. The iOS and Android mobile apps were not compromised. If you only ever used the mobile app, your funds are safe. The exception is a seed phrase that was also imported into the extension: the phrase, not the app, is what was stolen, so a wallet restored in the extension is compromised everywhere that phrase is used.
Will Trust Wallet reimburse everyone?
They committed to doing so voluntarily, but the process is ongoing. They're verifying claims to filter out fraud. If you were legitimately affected, submit your case on the official portal and be patient.
Should I stop using Trust Wallet?
Not necessarily. The problem was a supply chain attack, not an inherent Trust Wallet flaw. That said, consider diversifying: don't put all your eggs in one basket. A hardware wallet for main holdings remains the safest option.
How do I know if my npm packages are compromised?
Use analysis tools like Socket.dev or Snyk. You can also search the database of compromised packages that CISA and Microsoft have published. Match on exact package@version pairs, not package names alone: the worm published poisoned versions of otherwise legitimate packages. If any affected version appears in your lockfile, treat every secret on the machines that installed it as exposed: rotate them first, then audit your code.
What is a supply chain attack?
It's when attackers compromise a software component that other projects use as a dependency. Instead of attacking Trust Wallet directly, they infected npm packages that Trust Wallet developers used. When those packages were installed, the malware activated. It's like poisoning the water supply instead of poisoning each person individually.
Conclusion: Lessons From the Sandworm
The Shai-Hulud attack leaves us with several lessons:
1. The software supply chain is fragile. A single compromised npm package can cascade to thousands of projects. The industry needs better verification tools and less implicit trust.
2. Browser extensions are attack vectors. If you can avoid them for critical functionality (like handling money), avoid them.
3. Timing matters. The attackers chose Christmas Eve for a reason. Security teams need coverage even on holidays.
4. Preparation beats reaction. Victims who had hardware wallets or didn't use the Chrome extension lost nothing. The best defense is not being exposed.
And perhaps the most important lesson: in crypto, you are your own bank. That means freedom, but also total responsibility. No one is going to protect your funds for you.
The sandworms of Arrakis were inevitable. But in the software world, with the right precautions, you can avoid being devoured.