BLOG Featured Recent Video Category Start Free Trial STARDUST CHOLLIMA Likely Compromises Axios npm Package April 01, 2026 | Counter Adversary Operations | Threat Hunting & Intel On March 31, 2026, a threat actor used stolen maintainer credentials to compromise the widely used HTTP client library Axios Node Package Manager (npm) package and deploy platform-specific ZshBucket variants. CrowdStrike Counter Adversary Operations attributes this activity to STARDUST CHOLLIMA with moderate confidence based on the adversary’s deployment of updated variants of ZshBucket (malware uniquely attributed to STARDUST CHOLLIMA) and overlaps with known STARDUST CHOLLIMA infrastructure. ZshBucket can be used to target Linux, macOS, and Windows systems; previously, only macOS variants of ZshBucket had been observed. The observed macOS variant in this case extensively reuses code from previous instances, including function names. All variants retain characteristics of previous instances, including how it profiles the user and host of the operating system, and how it sends the collected information. The adversary made the following significant updates to the functionality and messaging protocol in the ZshBucket instance deployed in this incident compared to previous variants: Implemented a common JSON-based messaging protocol for all platform-specific instances Implemented commands that enable the operator to inject binary payloads, execute arbitrary scripts and commands, enumerate the file system, and remotely terminate the implant; these commands replace previous instances’ simple download and execute functionality Related Infrastructure The domain sfrclak[.]com — hosted at 142.11.206[.]73 and later used as a command-and-control (C2) address — shares a host services banner hash (c373706b3456c36e8baa0a3ee5aed358c1fe07cba04f65790c90f029971e378a) with two additional IP addresses: 23.254.203[.]244 and 23.254.167.216. The IP address 23.254.203[.]244 is a known STARDUST CHOLLIMA IP address first observed in December 2025, and 23.254.167[.]216 was previously used as a C2 server for FAMOUS CHOLLIMA’s InvisibleFerret malware in May 2025. The domain is also registered on the Hostwinds hosting provider, consistent with STARDUST CHOLLIMA’s previously observed operations. Assessment CrowdStrike Intelligence attributes this activity to STARDUST CHOLLIMA with moderate confidence based on the use of an updated ZshBucket instance — malware uniquely attributed to STARDUST CHOLLIMA — as well as infrastructure overlaps with STARDUST CHOLLIMA’s previous operations. However, the infrastructure also overlaps with FAMOUS CHOLLIMA operations, precluding a higher confidence assessment. DPRK-nexus adversaries frequently share infrastructure, and FAMOUS CHOLLIMA has historically deployed DPRK-associated tooling and has extensively abused npm repositories in their operations. As such, FAMOUS CHOLLIMA could be responsible for this incident. However, the updated ZshBucket variants deployed in this supply chain compromise are more technically advanced than the malware FAMOUS CHOLLIMA typically uses, and this incident is more likely attributable to STARDUST CHOLLIMA. The intended targets of this compromise are unclear. The Axios npm package is a commonly used HTTP client library that is downloaded more than 100,000 times per week. STARDUST CHOLLIMA’s operations prioritize currency generation and regularly target cryptocurrency holders, and the adversary has also conducted widespread supply chain compromises impacting fintech companies’ npm and PyPi repositories. Based on these factors, CrowdStrike Counter Adversary Operations assesses the adversary’s motivation probably aligns with this currency generation objective. Since the end of Q4 2025, STARDUST CHOLLIMA’s operational tempo has surged and has continued at this pace. This supply chain attack leveraging updated ZshBucket variants is further evidence that the adversary intends to scale their operations in the near term. Additional Resources Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights. Read the CrowdStrike 2026 Global Threat Report for the latest insights on adversaries, tradecraft, and activity. Visit the Counter Adversary Operations webpage to learn about CrowdStrike’s threat intelligence and hunting solutions. Tweet Share CrowdStrike 2026 Global Threat Report AI threats have reached a critical turning point. Access the definitive look at the cyber threat landscape. Download report Related Content Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown CrowdStrike 2026 Global Threat Report: The Evasive Adversary Wields AI The Art of Deception: How Threat Actors Master Typosquatting Campaigns to Bypass Detection CATEGORIES Agentic SOC 50 Cloud & Application Security 140 Data Protection 22 Endpoint Security & XDR 352 Engineering & Tech 86 Executive Viewpoint 177 Exposure Management 116 From The Front Lines 202 Next-Gen Identity Security 68 Next-Gen SIEM & Log Management 113 Public Sector 42 Securing AI 27 Threat Hunting & Intel 212 CONNECT WITH US FEATURED ARTICLES October 01, 2024 CrowdStrike Named a Leader in 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms September 25, 2024 Recognizing the Resilience of the CrowdStrike Community September 25, 2024 CrowdStrike Drives Cybersecurity Forward with New Innovations Spanning AI, Cloud, Next-Gen SIEM and Identity Protection September 18, 2024 SUBSCRIBE Sign up now to receive the latest notifications and updates from CrowdStrike. Sign Up See CrowdStrike Falcon® in Action Detect, prevent, and respond to attacks— even malware-free intrusions—at any stage, with next-generation endpoint protection. See Demo Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown Copyright © 2026 CrowdStrike Privacy Request Info Blog Contact Us 1.888.512.8906 Accessibility ABOUT COOKIES ON THIS SITE By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. Cookies Settings Reject All Accept All Cookies