NPM Packages Were Compromised: What Does It Mean for Coin Wallet Users?

Mila Mostovaya

On September 8, 2025, Aikido, a security platform, reported that a series of packages had been pushed to NPM that appeared to contain malicious code. These 18 packages are very popular, with more than 2 billion downloads per week:

  • backslash (0.26m downloads per week)
  • chalk-template (3.9m downloads per week)
  • supports-hyperlinks (19.2m downloads per week)
  • has-ansi (12.1m downloads per week)
  • simple-swizzle (26.26m downloads per week)
  • color-string (27.48m downloads per week)
  • error-ex (47.17m downloads per week)
  • color-name (191.71m downloads per week)
  • is-arrayish (73.8m downloads per week)
  • slice-ansi (59.8m downloads per week)
  • color-convert (193.5m downloads per week)
  • wrap-ansi (197.99m downloads per week)
  • ansi-regex (243.64m downloads per week)
  • supports-color (287.1m downloads per week)
  • strip-ansi (261.17m downloads per week)
  • chalk (299.99m downloads per week)
  • debug (357.6m downloads per week)
  • ansi-styles (371.41m downloads per week)

In the end, only about $970 was stolen because developers noticed the hack in time. While that’s not a large amount of money, there’s another important point: Aikido specialists called this campaign particularly dangerous because it “operates on multiple levels.” It interferes simultaneously with websites, API calls, and user applications.

What Happened?

John Junon, a developer, received a phishing email that looked like it came from the support service at npmjs.help, asking him to update his two-factor authentication.

He wrote:

"Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile)."

After gaining access to the system, the attackers began publishing new versions of the packages that contained malicious code.

This was a supply chain attack. Since NPM automatically pulls in packages and their dependencies, if an attacker injects malicious code into one of the “small” dependencies, it automatically spreads into thousands of projects.

The malicious code ran in the browser: it intercepted Web3 and cryptocurrency calls and redirected transactions to destinations under the attackers’ control.

Within about two hours, developers discovered the problem and removed the malicious versions. The response was quick.

If you want to see the code examples, check Aikido’s explanation.

However, this incident also shows that wallets using NPM might be vulnerable — including Coin Wallet.

What Does the Hack Mean for Coin Wallet Users?

Yes, Coin Wallet uses NPM, which means it could potentially pull in infected packages. But during the attack (when malicious versions of chalk, debug, etc. were published), we did not recompile the application or release new versions.

As a result, Coin Wallet did not receive infected versions of dependencies.
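
One way to verify this kind of claim for any build is to audit its lockfile for the 18 packages listed above, including copies pulled in transitively. The following is an added example, not Coin Wallet's or Aikido's code; the sample lockfile is constructed, and the `flagged` version map holds placeholder values that must be filled in from the advisory.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2/3) for the
// 18 package names listed in this article.
const AFFECTED = new Set([
  'backslash', 'chalk-template', 'supports-hyperlinks', 'has-ansi',
  'simple-swizzle', 'color-string', 'error-ex', 'color-name', 'is-arrayish',
  'slice-ansi', 'color-convert', 'wrap-ansi', 'ansi-regex', 'supports-color',
  'strip-ansi', 'chalk', 'debug', 'ansi-styles',
]);

// Lockfile keys look like "node_modules/a/node_modules/chalk"; the package
// name is whatever follows the last "node_modules/" (scoped names included).
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Returns every installed copy of an affected package, direct or transitive.
// `flagged` maps a package name to the versions named in the advisory.
function auditLockfile(lock, flagged = {}) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !AFFECTED.has(name)) continue;
    findings.push({
      name,
      version: entry.version,
      path,
      flagged: (flagged[name] || []).includes(entry.version),
    });
  }
  return findings;
}

// Constructed sample lockfile with placeholder version numbers (not real data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-wallet', version: '1.0.0' },
    'node_modules/chalk': { version: '0.0.1' },
    'node_modules/example-lib': { version: '1.3.0' },
    'node_modules/some-logger/node_modules/debug': { version: '0.0.2' },
  },
};
const SAMPLE_FLAGGED = { debug: ['0.0.2'] }; // placeholder, fill from the advisory

console.table(auditLockfile(SAMPLE_LOCK, SAMPLE_FLAGGED));
```

To run it against a real project, pass the parsed contents of `package-lock.json` in place of `SAMPLE_LOCK`.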

The currently released versions of the mobile application and web wallet remain reliable and safe.

👉 Conclusion: Coin Wallet users were not at risk from the NPM hack, as the malicious code simply never made it into the build.

Keep calm and don’t panic, guys!