How did the Trust Wallet Chrome extension get compromised?

The Sha1-Hulud npm worm in November 2025 infected developer accounts and stole Trust Wallet's source code and Chrome Web Store API key. Attackers pushed a malicious v2.68 update on December 24, 2025 harvesting private keys for 48 hours and draining $8.5M.

How does an npm worm compromise a Chrome extension?

Chrome extensions often use npm packages in their build pipeline. A malicious npm package can exfiltrate developer credentials or CI tokens, which attackers then use to authenticate directly to the Chrome Web Store API and push a compromised update.

Does Google's extension verification badge protect against supply chain attacks?

No. Trust Wallet had Google's verified badge and 1 million users. The malicious update was published through the legitimate Chrome Web Store API key, so it appeared as a normal update from the trusted developer.

← Back to dashboard

clawsmith.com/signal/npm-supply-chain-compromise-infects-chrome-extensions

⚠ IssueUnderservedbrowser_extensionLive

npm supply chain worms can compromise Chrome extension builds and push malicious updates to millions of users

In December 2025, the Sha1-Hulud npm worm infected developer accounts and gained access to Trust Wallet's source code and Chrome Web Store API key. The attacker pushed a malicious extension update (v2.68) on Christmas Eve that harvested private keys from all logged-in users, draining $8.5 million from 2,520 wallets in 48 hours. Trust Wallet had 1 million users and Google's verification badge. This incident exposed that any extension relying on npm packages for its build pipeline is one compromised dependency away from a full supply chain takeover. A 2025 arxiv paper studying malicious browser extensions found the npm attack surface is systematically underdefended. The previous 2024 Cyberhaven phishing attack (400K users affected) showed a different but related path: phished developer credentials enabling the same malicious update push.

Product Idea from this Signal

A browser extension that audits the npm build chain and gates Chrome Web Store publishes when malicious packages are detected

523 ▲

Chrome extension developers ship npm-sourced builds directly to the Web Store with no integrity check between dependency install and publish, leaving the pipeline wide open to supply chain injection. A $8.5M Trust Wallet theft and dozens of Cyberhaven/VPNCity-style compromises in 2024-2025 prove the gap is real and the blast radius is massive. This tool sits inside the developer's browser, audits every dependency in the build artifact before publish, and hard-blocks the Web Store submission if any package shows signs of malicious modification.

supply chain securitychrome extensionnpm auditdevtoolsweb store publish gateSLSAprovenance

Competitive135 leadsView Opportunity →

Score Breakdown

523

Social Proof 2 sources

Chrome extensions spying on users browsing data (supply chain context)

2/11/2026

520 HN

Chrome extension supply chain attack drained Trust Wallet $8.5M

1/1/2026

Existing Solutions 2 competitors

Socket.devFunded startup. Does not integrate with Chrome Web Store publishing pipeline. No extension-specific protection.

npm package security scanner that detects malicious dependencies and supply chain attacks before they ship.

Snyk Open SourceLarge established company. General purpose, no Chrome extension specific controls.

Developer security platform that scans dependencies for vulnerabilities and malicious packages.

Gap Assessment

UnderservedExisting solutions leave gaps

Socket.dev scans npm packages for malicious code but does not integrate with Chrome Web Store publishing pipelines. No tool specifically monitors the build-to-publish chain for Chrome extensions. Google's own verification badge did not protect Trust Wallet users. An extension-specific supply chain security product does not exist.

Frequently Asked Questions

Virality Score

523

across 0 platforms

Details

Signalissue

Ecosystembrowser_extension

Sources2

Platforms0

Updated1h ago

Trend→ stable

Top ideas

All ideas →

0A CLI tool that wraps stateful MCP servers and externalizes their session state so they run behind standard round-robin load balancers without sticky routing 0A CLI tool that tails and greps logs across multiple remote hosts in a single TUI without centralized infrastructure 0A browser extension that removes Gemini and all Google AI injections from Chrome across Search, Gmail, Docs, and Drive in one toggle

Related signals

All signals →

1.5KTrusted Chrome extensions silently change owners and turn malicious with no user warning 658Malicious AI Chrome Extensions Steal 900K Users ChatGPT and DeepSeek Conversations