Trust Wallet lost $8.5 million to hackers who exploited the Shai-Hulud supply chain attack that hit NPM in November. The attackers used leaked developer credentials to publish a malicious version of Trust Wallet's Chrome extension on December 24.
The fake extension targeted 2,520 wallet addresses, draining funds from users who logged in between December 24-26. Trust Wallet will reimburse all affected customers and urges users to update to version 2.69 immediately.
Shai-Hulud is a self-replicating worm that infected over 640 NPM packages, creating 25,000 data-leaking repositories. Despite cleanup efforts, over 12,000 machines remain compromised with exposed credentials still circulating.
Source: Security Week