Shai-Hulud Chrome extension trojanized backdoor with wallet mnemonic theft
Malware Activity
Summary
The Shai-Hulud supply-chain operation delivered a trojanized Google Chrome extension build with a backdoor that could steal wallet mnemonic phrases, creating a direct path to wallet compromise. The malicious build was pushed through a trusted update channel after release-access abuse, expanding exposure across extension users. The activity matters because mnemonic theft can enable downstream asset draining from affected wallets.
Related Happenings
FakeWallet Apple App Store wallet-stealing apps
Malware Activity
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
FakeWallet crypto wallet phishing campaign targeting users in China
Campaign
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
Latest development: 24.04.2026 14:48
Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications. It suspected the campaign may be the work of threat actors linked to SparkKitty, because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.
GlassWorm multi-stage data-theft malware evolution
Malware Activity
First: 25.03.2026 16:26
Last: 25.03.2026 16:26
Sources 1
About this happening:
The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...
BeatBanker Android phishing campaign targeting Brazilian users
Campaign
First: 12.03.2026 09:56
Last: 12.03.2026 09:56
Sources 1
About this happening:
A **BeatBanker** Android phishing campaign is targeting **Brazilian users**, creating a risk of device compromise and payment theft. The lure uses **Google Play Store** lookalike...
BeatBanker Android malware activity
Malware Activity
First: 10.03.2026 23:27
Last: 10.03.2026 23:27
Sources 1
About this happening:
The **BeatBanker** Android malware is actively **hijacking devices** by posing as a **Starlink app**, creating risk of credential theft, illicit mining, and remote device control....
Timeline
- 31.12.2025 18:29 · 2 articles · 4mo ago
Trust Wallet Chrome extension version 2.68 malicious update
Exploitation Observed: Unknown threat actors pushed Trust Wallet Chrome extension version 2.68 to the Chrome Web Store on December 24, 2025 after abusing Chrome Web Store access obtained through leaked GitHub secrets and a leaked CWS API key. The trojanized build used the trusted release channel to deliver a backdoor and a domain infrastructure pattern centered on metrics-trustwallet[.]com and api.metrics-trustwallet[.]com, enabling wallet mnemonic theft from extension users.
Sources:
- Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack — thehackernews.com — 31.12.2025 18:29
- 31.12.2025 18:29 · 1 article · 4mo ago
Trust Wallet discloses Shai-Hulud compromise and $8.5M loss
Initial Disclosure: Trust Wallet disclosed that the second iteration of Shai-Hulud (aka Sha1-Hulud) in November 2025 likely compromised its Google Chrome extension, exposing developer GitHub secrets, the browser extension source code, and the Chrome Web Store API key. The compromise ultimately drained approximately $8.5 million in cryptocurrency assets from 2,520 wallet addresses to at least 17 attacker-controlled addresses. Trust Wallet said affected users were being routed through a reimbursement claim process, that release monitoring and controls were strengthened, and that users were urged to update to version 2.69.
Sources:
- Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack — thehackernews.com — 31.12.2025 18:29