North Korean Hackers Just Poisoned a Library Used by 83 Million Apps — Here's Why Your Air-Gapped Wallet Didn't Flinch

Main Takeaway: On March 31, 2026, North Korean hackers compromised Axios, an npm JavaScript library downloaded 83 million times per week, by injecting malware designed to steal crypto assets and credentials. This supply-chain attack affects software wallets, DApps, and exchanges that depend on JavaScript libraries. Air-gapped hardware wallets like ELLIPAL are not exposed to it, since they have no internet connection, no dependency on npm or any package manager, and sign all transactions offline via QR codes. Separately, a $66 million physical Bitcoin robbery in Arizona is a reminder that digital security alone leaves a gap, since anti-tamper hardware is what addresses the physical threat vector.

Quick reference

| Term | What it means |
| --- | --- |
| Supply-chain attack | An attack that targets a tool used to build software (such as a library), so anything built with that tool inherits the compromise |
| npm | The largest package registry for JavaScript libraries, used by most crypto applications |
| Axios | A widely used JavaScript HTTP-client library, downloaded around 83 million times per week |
| Air-gapped wallet | A hardware wallet with no internet, Bluetooth, USB data, or NFC connection, which communicates only by QR code |
| Anti-tamper | A physical design that is intended to wipe the device's stored data if the casing is forced open |

The Axios attack: what happened and why it matters

At 00:21 UTC on March 31, 2026, a North Korean group, as confirmed by Google's Mandiant division, compromised the npm publishing account of Axios, one of the most widely used JavaScript HTTP-client libraries in the world. The attackers published two malicious versions (v1.14.1 and v0.30.4) that carried a hidden dependency, "plain-crypto-js", which deployed a cross-platform remote-access trojan. The malicious versions were live for roughly three hours before they were detected and removed.

  • 83 million+ weekly downloads: Axios is used across a large part of the JavaScript ecosystem.
  • Confirmed North Korean attribution, per Google Mandiant's investigation.
  • Crypto was the explicit target. The malware was built to steal crypto assets and credentials.
  • Broad media coverage from CNN, Benzinga, Reuters, HackerNews, Snyk, and Wiz.

Why this is different from a normal hack

Most crypto attacks target users directly, through phishing, fake sites, or compromised exchanges. The Axios attack poisoned the tools that developers use to build crypto applications.

  • A phishing attack tricks you into giving up your keys.
  • An exchange hack compromises the platform holding your assets.
  • A supply-chain attack compromises the software itself, including the wallet app, the DApp frontend, or the exchange interface.

Any crypto application that auto-updated its Axios dependency during those three hours could have pulled in the malware, often without the user or even the developer knowing. That is why supply-chain attacks are considered one of the most serious attack categories: they exploit trust in the development toolchain itself.

Which wallets are exposed, and which are not

| Wallet type | Exposed to supply-chain attacks? | Why |
| --- | --- | --- |
| Software / hot wallets | ⚠️ Potentially yes | Built with JavaScript and npm dependencies; a compromised dependency can affect the app |
| Exchange wallets | ⚠️ Potentially yes | Exchange backends use npm libraries; a compromised dependency could affect internal systems |
| Hardware wallets with companion apps | ⚠️ Companion app potentially affected | JavaScript or Electron companion apps can be affected; the device's secure element still protects the keys |
| Air-gapped hardware wallets (ELLIPAL) | ✅ Not exposed | No internet connection, no JavaScript runtime, no npm dependencies; signing happens offline, and QR codes carry only transaction data |

The $66 million physical robbery: when digital security is not enough

On the same weekend, two people drove 600 miles to Scottsdale, Arizona, to physically rob a Bitcoin holder of $66 million. It is recorded as a "physical coercion" attack in Jameson Lopp's physical-attack database. Days earlier, suspects in the kidnapping of Ledger co-founder David Balland were arrested in Spain. As crypto values rise, physical attacks on holders are a growing concern, and most hardware wallets protect keys from remote attackers but not from someone with physical access to the device.

Air-gapped and anti-tamper: two threat vectors

ELLIPAL's Titan 2.0 is designed to address both digital and physical attack vectors:

  • Against digital attacks (such as Axios): air-gapped, with no USB, Bluetooth, Wi-Fi, or NFC, no dependency on npm or any package manager, and signing that happens offline through QR codes that carry only transaction data.
  • Against physical attacks: a full-metal sealed casing that is designed to wipe private keys if the enclosure is breached, a CC EAL5+ certified secure element (the grade used in passports and payment cards), and support for multiple accounts, including low-balance accounts.

| Threat | Software wallet | Hardware wallet + companion app | ELLIPAL (air-gapped) |
| --- | --- | --- | --- |
| Supply-chain attack | ❌ Exposed | ⚠️ Companion app exposed | ✅ Not exposed (no internet) |
| Phishing or malware | ❌ Exposed | ⚠️ Device safe, app exposed | ✅ Not exposed (no connection) |
| Physical tampering | ❌ Phone can be taken | ⚠️ Most models lack anti-tamper | ✅ Designed to wipe keys on breach |

How to protect yourself: a practical framework

  1. Move core holdings to air-gapped cold storage. This closes the supply-chain and remote-attack vectors.
  2. Use a hot wallet only for daily transactions. Keep a minimal balance.
  3. Choose hardware with anti-tamper protection. If a device can be opened without wiping the keys, it is not physically secure.
  4. Do not advertise your holdings.
  5. Use a metal seed backup stored separately. Your backup is your route back if anything happens to the device.
  6. If you use software wallets, monitor updates for suspicious packages.
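Step 6 can be made concrete against a lockfile. The following Node.js script is an added example, not code from the article or from ELLIPAL: it walks a package-lock.json and flags the two Axios releases and the hidden "plain-crypto-js" dependency named above. The "wallet-sdk" package and the sample lockfile are constructed for illustration.

```javascript
// Added example (not the article's or ELLIPAL's code): audit an npm package-lock.json for the
// compromised Axios releases (1.14.1, 0.30.4) and their hidden dependency "plain-crypto-js".
// Handles lockfile v1 (nested "dependencies") and v2/v3 (flat "packages" keyed by path).
const COMPROMISED = new Map([
  ['axios', new Set(['1.14.1', '0.30.4'])], // only these two releases were malicious
  ['plain-crypto-js', null],                 // null = flag at any version (payload carrier)
]);
function packageName(lockPath) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
  const i = lockPath.lastIndexOf('node_modules/');
  return i === -1 ? null : lockPath.slice(i + 'node_modules/'.length);
}
// Yield every installed copy (nested duplicates included) as { name, version, path }.
function* lockEntries(lock) {
  if (lock.packages) { // v2/v3: one key per installed path
    for (const [p, meta] of Object.entries(lock.packages)) {
      const name = packageName(p);
      if (name) yield { name, version: meta.version, path: p };
    }
    return;
  }
  function* walk(deps, prefix) { // v1: de-duplicated copies nest under "dependencies"
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path: p };
      yield* walk(meta.dependencies, `${p}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}
function auditLockfile(lock) {
  const findings = [];
  for (const e of lockEntries(lock)) {
    const bad = COMPROMISED.get(e.name);
    if (bad === undefined) continue;                          // not a package of interest
    if (bad === null || bad.has(e.version)) findings.push(e); // version-specific or any-version flag
  }
  return findings;
}
// Constructed sample (lockfile v3): the top-level axios is clean, but a hypothetical
// "wallet-sdk" resolved its own nested copy to 1.14.1, which pulled in plain-crypto-js.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/wallet-sdk': { version: '2.0.0', dependencies: { axios: '^1.14.1' } },
    'node_modules/wallet-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '0.0.1' },
  },
};
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`FLAG ${f.name}@${f.version} at ${f.path}`);
```

Pass `JSON.parse` of your own package-lock.json to `auditLockfile`; the lockfile records the resolved versions that `npm ci` actually installs, which is where an auto-updated transitive dependency shows up.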

FAQ

Can a supply-chain attack steal crypto from a hardware wallet?
It depends on the architecture. Hardware wallets with JavaScript companion apps could have compromised companion software, although the device's secure element should still protect the keys. Air-gapped wallets like ELLIPAL have no software dependencies and no companion app that connects to the device, so they are not exposed to this attack class.

Is ELLIPAL affected by the Axios hack?
No. ELLIPAL's air-gapped architecture means the device has no internet connection and runs no JavaScript. The Axios issue only affects applications that include the compromised npm package. ELLIPAL's signing happens offline via QR codes.

How does ELLIPAL's anti-tamper design work?
The Titan 2.0 has a full-metal sealed casing. If the enclosure is physically breached, the device is designed to wipe the stored private keys, so a physical attacker cannot extract them from the hardware.

Own it. Then use it.

Security note: No self-custody setup removes every risk. Air-gapped architecture closes remote and supply-chain attack paths but does not eliminate all physical, firmware, social-engineering, or user-error risks. Buy from an official source, store your recovery phrase on a durable offline backup kept separately, and do not share or digitally enter it. This is general educational information, not financial, investment, or custodial advice.
