A sophisticated supply chain attack has compromised the widely used Axios npm package, potentially exposing millions of developer environments to malware. North Korea-linked hackers allegedly gained access to the JavaScript library using stolen maintainer credentials on March 31, 2026, turning a critical development tool into a vector for malicious activity. This incident highlights the growing threat of supply chain attacks and the sophisticated methods employed by state-sponsored actors.
Axios, an essential HTTP client for JavaScript applications, sees over 100,000 weekly downloads, so its compromise is a significant concern for software development worldwide. CrowdStrike Counter Adversary Operations researchers attributed the attack with moderate confidence to a North Korean threat group identified as STARDUST CHOLLIMA. The attackers reportedly deployed updated variants of the ZshBucket malware, exclusively linked to STARDUST CHOLLIMA, targeting Linux, macOS, and Windows systems.
While some infrastructure overlaps were observed with another North Korean group, FAMOUS CHOLLIMA, the advanced capabilities of the ZshBucket variants used in this operation point more strongly to STARDUST CHOLLIMA. This group has a history of targeting cryptocurrency holders and financial technology firms through similar supply chain compromises. The potential for widespread financial impact, and for STARDUST CHOLLIMA to scale its operations further, is a primary concern for cybersecurity professionals.
The exact number of developers and systems affected remains under investigation. However, given Axios’s ubiquitous presence in web applications and development workflows, the implications of this supply chain compromise are substantial. The attackers’ ability to reach a vast number of potential financial targets through a single compromised package represents a serious escalation in their operational tactics.
CrowdStrike analysts suggest that financial gain, particularly cryptocurrency generation, is the most probable motivation behind this attack, aligning with STARDUST CHOLLIMA’s established modus operandi. The group has reportedly increased its operational tempo since late 2025, indicating a strategic push for expanded reach and impact.
ZshBucket’s Expanded Command Capabilities in Latest Attack
A key aspect of this incident is the significant enhancement of the ZshBucket malware. Previous iterations of ZshBucket were primarily limited to downloading and executing files. However, the recently discovered variants have been upgraded with more advanced command and control features, granting attackers extensive control over compromised systems.
The updated ZshBucket malware now utilizes a standardized JSON-based messaging protocol, ensuring consistent functionality across Linux, macOS, and Windows operating systems. This unification allows the threat actors to manage all infected machines through a single, coherent communication channel. The malware establishes connections to a command-and-control server located at the domain sfrclak[.]com, which is hosted on the IP address 142.11.206[.]73. Investigations into the command and control infrastructure reveal deeper connections to established North Korean cyber operations.
Further analysis of the C2 infrastructure shows that the domain sfrclak[.]com shares server characteristics with two other IP addresses. One is 23.254.203[.]244, identified as a known STARDUST CHOLLIMA address active since December 2025. The other is 23.254.167[.]216, which was previously used as a C2 server for FAMOUS CHOLLIMA’s InvisibleFerret malware in May 2025. The domain registration through Hostwinds also aligns with observed patterns in prior STARDUST CHOLLIMA infrastructure.
Developers who have used the Axios npm package are strongly advised to conduct immediate audits of their development environments for any signs of compromise. Organizations should implement rigorous verification of package integrity before deploying software, integrate software composition analysis tools into their CI/CD pipelines, and promptly rotate credentials associated with npm maintainer accounts. Continuous monitoring of outbound network traffic for unusual connections to unknown domains is also crucial.
Security teams should consider any communication with sfrclak[.]com or its associated IP addresses as a definitive indicator of compromise, prompting immediate and thorough investigation of the affected systems. The ongoing analysis aims to fully understand the scope of the impact and identify all compromised systems.