
Supply chain subversion via trojanized browser extensions and npm packages enables silent runtime data interception

1 unique source, 1 article

Summary


Between December 2024 and December 2025, threat actors moved beyond typosquatting to a more direct supply chain vector: compromising developer credentials and injecting malicious code into widely used browser extensions and npm packages. Because consumers inherit trust from their dependency chains, attackers could push trojanized versions of legitimate packages or extensions through official distribution channels, including the Chrome Web Store. The malicious payloads executed silently at runtime inside users' browsers, intercepting sensitive data such as seed phrases, payment card details, and private keys before the legitimate application processed it. No server breach or user misdirection was required; the compromise originated inside trusted software supply chains. Detection was evaded because the usual controls (firewalls, WAFs, EDR, and CSP) have no visibility into what code does once it has been loaded and is executing within the browser. The Trust Wallet Chrome extension incident in December 2025 resulted in $8.5 million stolen from 2,500 wallets within 48 hours. Similar attacks targeted npm packages such as chalk/debug and @solana/web3.js, showing that the technique scales and has cross-platform impact beyond cryptocurrency ecosystems.

Timeline

  1. 20.05.2026 13:30 · 1 article

    Developer credential harvesting enables trojanized Trust Wallet extension deployment through Chrome Web Store

    Between September and December 2025, attackers systematically harvested developer credentials, including GitHub tokens, npm publishing keys, and Chrome Web Store API credentials, likely via phishing and social engineering campaigns. Using the compromised credentials, attackers pushed a trojanized version of the Trust Wallet Chrome extension through the official Chrome Web Store; because the upload carried valid publisher credentials, the store's verification controls were satisfied rather than defeated. The malicious extension executed entirely within users' browsers, capturing seed phrases and transmitting them to attacker-controlled domains masquerading as Trust Wallet analytics endpoints. No server-side breach occurred; every step of the compromise operated within the trusted supply chain. The attack remained undetected for 48 hours, during which 2,500 wallets were drained for a total loss of $8.5 million.

