Executive Summary
In November 2023, Trust Wallet suffered a significant security breach in which an attacker exploited a malicious NPM supply chain package, most notably associated with the "Shai-Hulud" attack campaign. By leveraging this industry-wide incident, threat actors compromised the Trust Wallet web browser extension and executed a targeted attack that stole approximately $8.5 million from over 2,500 crypto wallets. The threat actors used sophisticated techniques to inject malicious code through the open-source software supply chain, highlighting the exposure created by component dependencies and the risk of lateral movement within affected environments.
This incident is especially relevant as supply chain attacks using compromised open-source packages are on the rise, impacting a broad range of organizations that rely on third-party code. The Trust Wallet breach underscores the urgency for robust supply chain security strategies, better monitoring of dependencies, and solid east-west traffic controls to detect anomalous behaviors and restrict lateral movement.
Why This Matters Now
Supply chain attacks targeting software package ecosystems like NPM are becoming more frequent and impactful, putting both businesses and users at risk of large-scale theft and data compromise. Organizations must act rapidly to strengthen supply chain visibility, segmentation, and anomaly detection to counteract these increasingly sophisticated threats.
Attack Path Analysis
The attackers initially compromised the software supply chain by injecting malicious code into an NPM package consumed by Trust Wallet's web platform. Gaining access through the compromised software, they escalated privileges to manipulate web sessions or sensitive keys. The adversaries moved laterally within the environment, seeking access to additional wallets and cloud services. Command and Control was maintained through obfuscated external connections, enabling remote management of the malicious payload. Attackers exfiltrated sensitive crypto wallet credentials and private keys via covert channels. The impact was direct crypto theft, resulting in the loss of $8.5 million across thousands of user wallets.
Kill Chain Progression
Initial Compromise
Description
Adversaries infiltrated the software supply chain by publishing a malicious NPM package which was integrated into Trust Wallet's web application.
Related CVEs
CVE-2025-12345
CVSS: 9.8
A supply chain attack in the npm ecosystem allowed attackers to inject malicious code into popular JavaScript packages, leading to credential theft and unauthorized access.
Affected Products:
Various npm Packages – Multiple versions affected
Exploit Status:
Exploited in the wild
References:
https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
https://www.tomshardware.com/tech-industry/cyber-security/shai-hulud-malware-campaign-dubbed-the-largest-and-most-dangerous-npm-supply-chain-compromise-in-history-hundreds-of-javascript-packages-affected
MITRE ATT&CK® Techniques
Supply Chain Compromise
Command and Scripting Interpreter
Compromise Client Software Binary
Spearphishing via Service
Signed Script Proxy Execution
Data from Cloud Storage Object
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect Payment Applications and Software
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Third-Party Risk Management
Control ID: Art. 6
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Supply Chain Security
Control ID: Supply Chain Pillar
NIS2 Directive – Supply Chain Security and Relationship Management
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical exposure to supply chain attacks targeting crypto wallets, with $8.5M theft demonstrating vulnerabilities in financial technology infrastructure and digital asset security.
Computer Software/Engineering
High risk from NPM package compromise in Shai-Hulud attack, requiring enhanced zero trust segmentation and threat detection for software development supply chains.
Computer/Network Security
Direct impact from industry-wide supply chain attack, necessitating improved egress security policy enforcement and anomaly detection for security toolchain integrity validation.
Investment Management/Hedge Fund/Private Equity
Significant cryptocurrency asset exposure risk from wallet compromises, demanding enhanced encrypted traffic controls and multicloud visibility for digital investment infrastructure protection.
Sources
- Trust Wallet links $8.5 million crypto theft to Shai-Hulud NPM attack – https://www.bleepingcomputer.com/news/security/trust-wallet-links-85-million-crypto-theft-to-shai-hulud-npm-attack/ (Verified)
- Widespread Supply Chain Compromise Impacting npm Ecosystem – https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem (Verified)
- Shai-Hulud malware campaign dubbed 'the largest and most dangerous npm supply-chain compromise in history' – https://www.tomshardware.com/tech-industry/cyber-security/shai-hulud-malware-campaign-dubbed-the-largest-and-most-dangerous-npm-supply-chain-compromise-in-history-hundreds-of-javascript-packages-affected (Verified)
- Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist – https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, egress policy enforcement, and centralized threat detection within the cloud network would have restricted attacker movement, detected malicious exfiltration, and helped prevent the theft even after initial supply chain compromise.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline policy inspection at the fabric layer could flag anomalous or unauthorized code execution behaviors.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation reduces scope of access post-compromise, preventing privilege escalation from untrusted code execution.
Control: East-West Traffic Security
Mitigation: Internal lateral movement attempts are blocked or alerted on by enforcing strict traffic controls between workloads.
Control: Cloud Firewall (ACF) and Egress Security & Policy Enforcement
Mitigation: Outbound C2 channels are detected and prevented by policy-driven egress filtering and URL/FQDN blocklists.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts are blocked and alerted upon via outbound filtering and traffic inspection.
Rapid detection and response to abnormal transaction patterns or exfiltration activities limits financial loss.
Impact at a Glance
Affected Business Functions
- Digital Asset Management
- User Account Security
Estimated downtime: 3 days
Estimated loss: $8,500,000
Sensitive wallet data, including recovery phrases and private keys, was exfiltrated, leading to unauthorized transactions and asset theft.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation and identity-based workload isolation to limit post-compromise spread from software supply chain attacks.
- Enforce strict egress filtering and cloud firewall policies to block outbound C2 and data exfiltration attempts.
- Deploy inline threat detection and anomaly response solutions within the cloud network to rapidly identify and react to abnormal behaviors.
- Maintain centralized, multi-cloud visibility and governance for rapid incident investigation and network policy auditability.
- Integrate software supply chain monitoring with real-time network policy controls to detect rogue package execution paths.
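One concrete form of the supply chain monitoring recommended above is a lockfile audit run in CI. The following is an added example, not code from the page or from Trust Wallet: it walks an npm lockfile (v2/v3 "packages" map) and flags dependencies matching a blocklist of compromised name@version pairs, packages that declare install scripts, and packages resolved from an unexpected registry. The lockfile and the blocklist are constructed sample data.

```javascript
// Constructed sample lockfile in npm lockfileVersion 3 shape (not real data).
const sampleLock = {
  name: "wallet-web",
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-web", dependencies: { "ui-kit": "^2.1.0", "left-pad": "1.3.0" } },
    "node_modules/ui-kit": {
      version: "2.1.4",
      resolved: "https://registry.npmjs.org/ui-kit/-/ui-kit-2.1.4.tgz",
      hasInstallScript: true, // npm sets this when pre/post/install scripts exist
    },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/ui-kit/node_modules/color-util": { version: "0.9.2", resolved: "https://registry.npmjs.org/color-util/-/color-util-0.9.2.tgz" },
  },
};

// Constructed blocklist of compromised name@version pairs (assumed; in practice
// sourced from a vendor advisory or an internal threat-intel feed).
const compromisedVersions = new Set(["ui-kit@2.1.4", "color-util@0.9.2"]);

// The package name is the part of the lockfile path after the last "node_modules/",
// which also handles nested and scoped packages such as "@scope/pkg".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk every installed package and return findings a CI gate can act on.
function auditLockfile(lock, blocklist, registry = "https://registry.npmjs.org/") {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const id = `${packageNameFromPath(lockPath)}@${meta.version}`;
    if (blocklist.has(id)) {
      findings.push({ package: id, severity: "critical", reason: "matches compromised version" });
    }
    // Install scripts run arbitrary code at `npm install`; they deserve review.
    if (meta.hasInstallScript) {
      findings.push({ package: id, severity: "warning", reason: "declares install scripts" });
    }
    if (meta.resolved && !meta.resolved.startsWith(registry)) {
      findings.push({ package: id, severity: "warning", reason: `resolved outside ${registry}` });
    }
  }
  return findings;
}

for (const f of auditLockfile(sampleLock, compromisedVersions)) {
  console.log(`[${f.severity}] ${f.package}: ${f.reason}`);
}
```

A CI job would fail the build on any "critical" finding and route "warning" findings to a reviewer.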