STARDUST CHOLLIMA Likely Compromises Axios npm Package

BLOG Featured Recent Video Category Start Free Trial STARDUST CHOLLIMA Likely Compromises Axios npm Package April 01, 2026 | Counter Adversary Operations | Threat Hunting & Intel On March 31, 2026, a threat actor used stolen maintainer credentials to compromise the widely used HTTP client library Axios Node Package Manager (npm) package and deploy platform-specific ZshBucket variants. CrowdStrike Counter Adversary Operations attributes this activity to STARDUST CHOLLIMA with moderate confidence based on the adversary’s deployment of updated variants of ZshBucket (malware uniquely attributed to STARDUST CHOLLIMA) and overlaps with known STARDUST CHOLLIMA infrastructure.  ZshBucket can be used to target Linux, macOS, and Windows systems; previously, only macOS variants of ZshBucket had been observed. The observed macOS variant in this case extensively reuses code from previous instances, including function names. All variants retain characteristics of previous instances, including how it profiles the user and host of the operating system, and how it sends the collected information. The adversary made the following significant updates to the functionality and messaging protocol in the ZshBucket instance deployed in this incident compared to previous variants: Implemented a common JSON-based messaging protocol for all platform-specific instances Implemented commands that enable the operator to inject binary payloads, execute arbitrary scripts and commands, enumerate the file system, and remotely terminate the implant; these commands replace previous instances’ simple download and execute functionality Related Infrastructure The domain sfrclak[.]com — hosted at 142.11.206[.]73 and later used as a command-and-control (C2) address — shares a host services banner hash (c373706b3456c36e8baa0a3ee5aed358c1fe07cba04f65790c90f029971e378a) with two additional IP addresses: 23.254.203[.]244 and 23.254.167.216. The IP address 23.254.203[.]244 is a known STARDUST CHOLLIMA IP address first observed in December 2025, and 23.254.167[.]216 was previously used as a C2 server for FAMOUS CHOLLIMA’s InvisibleFerret malware in May 2025. The domain is also registered on the Hostwinds hosting provider, consistent with STARDUST CHOLLIMA’s previously observed operations. Assessment CrowdStrike Intelligence attributes this activity to STARDUST CHOLLIMA with moderate confidence based on the use of an updated ZshBucket instance — malware uniquely attributed to STARDUST CHOLLIMA — as well as infrastructure overlaps with STARDUST CHOLLIMA’s previous operations. However, the infrastructure also overlaps with FAMOUS CHOLLIMA operations, precluding a higher confidence assessment.  DPRK-nexus adversaries frequently share infrastructure, and FAMOUS CHOLLIMA has historically deployed DPRK-associated tooling and has extensively abused npm repositories in their operations. As such, FAMOUS CHOLLIMA could be responsible for this incident. However, the updated ZshBucket variants deployed in this supply chain compromise are more technically advanced than the malware FAMOUS CHOLLIMA typically uses, and this incident is more likely attributable to STARDUST CHOLLIMA.  The intended targets of this compromise are unclear. The Axios npm package is a commonly used HTTP client library that is downloaded more than 100,000 times per week. STARDUST CHOLLIMA’s operations prioritize currency generation and regularly target cryptocurrency holders, and the adversary has also conducted widespread supply chain compromises impacting fintech companies’ npm and PyPi repositories. Based on these factors, CrowdStrike Counter Adversary Operations assesses the adversary’s motivation probably aligns with this currency generation objective.  Since the end of Q4 2025, STARDUST CHOLLIMA’s operational tempo has surged and has continued at this pace. This supply chain attack leveraging updated ZshBucket variants is further evidence that the adversary intends to scale their operations in the near term. Additional Resources Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights. Read the CrowdStrike 2026 Global Threat Report for the latest insights on adversaries, tradecraft, and activity. Visit the Counter Adversary Operations webpage to learn about CrowdStrike’s threat intelligence and hunting solutions. Tweet Share CrowdStrike 2026 Global Threat Report AI threats have reached a critical turning point. Access the definitive look at the cyber threat landscape. Download report Related Content Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown CrowdStrike 2026 Global Threat Report: The Evasive Adversary Wields AI The Art of Deception: How Threat Actors Master Typosquatting Campaigns to Bypass Detection CATEGORIES Agentic SOC 50 Cloud & Application Security 140 Data Protection 22 Endpoint Security & XDR 352 Engineering & Tech 86 Executive Viewpoint 177 Exposure Management 116 From The Front Lines 202 Next-Gen Identity Security 68 Next-Gen SIEM & Log Management 113 Public Sector 42 Securing AI 27 Threat Hunting & Intel 212 CONNECT WITH US FEATURED ARTICLES October 01, 2024 CrowdStrike Named a Leader in 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms September 25, 2024 Recognizing the Resilience of the CrowdStrike Community September 25, 2024 CrowdStrike Drives Cybersecurity Forward with New Innovations Spanning AI, Cloud, Next-Gen SIEM and Identity Protection September 18, 2024 SUBSCRIBE Sign up now to receive the latest notifications and updates from CrowdStrike. Sign Up Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown Copyright © 2026 CrowdStrike Privacy Request Info Blog Contact Us 1.888.512.8906 Accessibility Privacy Preference Center Privacy Preference Center Your Privacy Strictly Necessary Cookies Performance Cookies Functional Cookies Targeting Cookies Your Privacy When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information Strictly Necessary Cookies Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They may be set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies may process limited personal information, such as technical or device identifiers, where necessary to ensure the security, functionality, and integrity of the website or web portal. Such processing is strictly limited to what is required for these purposes and is not used for advertising or marketing. Cookies Details Performance Cookies Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore does not identify you. If you do not allow these cookies, your visit to our website will not be included in our analytics, and our ability to monitor website performance and make improvements will be reduced. Cookies Details Functional Cookies Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Cookies Details Targeting Cookies Targeting Cookies These cookies may be set on our site by our advertising partners. They assign a unique identifier to your browser or device and may track your activity across sites to build a profile of your interests and show you relevant adverts on other sites. If you do not allow these cookies, you will still see ads, but they may be less relevant to you. Cookies Details Cookie List Consent Leg.Interest checkbox label label checkbox label label checkbox label label Clear checkbox label label Apply Cancel Confirm My Choices Allow All