5 min · critical

STARDUST CHOLLIMA Likely Compromises Axios npm Package

A DPRK-nexus threat actor, likely STARDUST CHOLLIMA, compromised the widely used Axios npm package using stolen maintainer credentials. The supply chain attack deployed updated, cross-platform variants of the ZshBucket malware capable of arbitrary command execution, payload injection, and file system enumeration, likely targeting the cryptocurrency and fintech sectors for financial gain.

Sens: Immediate · Conf: High · Analyzed: 2026-04-02

Authors: CrowdStrike Counter Adversary Operations, CrowdStrike Intelligence

Actors: STARDUST CHOLLIMA, FAMOUS CHOLLIMA, ZshBucket, InvisibleFerret

Source: CrowdStrike

IOCs · 1
  • domain: sfrclak[.]com - Command-and-control (C2) address used by the updated ZshBucket malware.

Key Takeaways

  • A threat actor used stolen maintainer credentials to compromise the widely used Axios npm package.
  • The attack deployed updated, platform-specific variants of the ZshBucket malware targeting Linux, macOS, and Windows.
  • ZshBucket was upgraded with a JSON-based messaging protocol and capabilities to inject binary payloads, execute arbitrary scripts, and enumerate file systems.
  • The activity is attributed with moderate confidence to the DPRK-nexus actor STARDUST CHOLLIMA, with infrastructure overlaps to FAMOUS CHOLLIMA.
  • The campaign likely targets cryptocurrency holders and fintech companies for currency generation.

Affected Systems

  • Linux
  • macOS
  • Windows
  • Node.js environments utilizing the Axios npm package

Attack Chain

The threat actor obtained stolen maintainer credentials to access and modify the Axios npm package repository. Upon installation of the compromised package, platform-specific variants of the ZshBucket malware are deployed to the victim's Linux, macOS, or Windows system. The malware profiles the host operating system and user, sending this telemetry to a C2 server via a JSON-based messaging protocol. The remote operator can then issue commands to enumerate the file system, execute arbitrary scripts, or inject secondary binary payloads into the system.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries were provided in the article.

Detection Engineering Assessment

  • EDR Visibility: High — EDR sensors are well-positioned to detect post-exploitation activities such as Node.js processes spawning unusual child shells, arbitrary script execution, and process injection behaviors.
  • Network Visibility: Medium — While the C2 communication uses a JSON-based protocol that may blend with legitimate web traffic, connections to the specific malicious IPs and domains can be reliably detected.
  • Detection Difficulty: Moderate — The initial infection vector relies on a highly trusted and widely used package (Axios), making initial prevention difficult. However, the subsequent profiling, script execution, and injection behaviors are distinct and detectable.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Connections (Sysmon 3)
  • File Creation (Sysmon 11)

Hunting Hypotheses

  • Hypothesis: Look for Node.js or npm processes spawning unexpected child shells (e.g., bash, zsh, cmd, powershell) that execute system profiling or file enumeration commands.
    • Telemetry: Process Creation logs (EDR/Sysmon)
    • ATT&CK Stage: Execution / Discovery
    • FP Risk: Medium
  • Hypothesis: Monitor for unexpected outbound network connections from Node.js environments to unrecognized external IP addresses, particularly those hosted on Hostwinds.
    • Telemetry: Network Connection logs
    • ATT&CK Stage: Command and Control
    • FP Risk: High
  • Hypothesis: Identify instances of process injection originating from Node.js or related package manager processes.
    • Telemetry: EDR Behavioral Alerts / API Monitoring
    • ATT&CK Stage: Defense Evasion / Execution
    • FP Risk: Low
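The first hypothesis above as runnable detection logic, an added example that is not part of the CrowdStrike report: it runs over constructed Sysmon Event ID 1-style process creation records (field names ProcessId, ParentImage, Image and CommandLine are assumed) and flags Node.js/npm parents that spawn a shell running host profiling or file enumeration commands.

```python
import re

# Parent processes that indicate the shell was spawned from a Node.js/npm context.
NODE_PARENTS = {"node", "node.exe", "npm", "npm.cmd", "npx", "npx.cmd"}
# Shell interpreters named in the hypothesis.
SHELLS = {"bash", "zsh", "sh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}
# Host profiling / file enumeration commands (lower-cased for comparison).
PROFILING_CMDS = {"uname", "whoami", "hostname", "id", "systeminfo", "sw_vers",
                  "ls", "dir", "find", "tree", "get-childitem"}

# Constructed Sysmon Event ID 1-style records; not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 1042, "ParentImage": "/usr/local/bin/node",
     "Image": "/bin/bash", "CommandLine": 'bash -c "uname -a; whoami"'},
    {"ProcessId": 1050, "ParentImage": "/usr/local/bin/npm",
     "Image": "/bin/sh", "CommandLine": 'sh -c "node scripts/build.js"'},
    {"ProcessId": 3300, "ParentImage": r"C:\Program Files\VSCode\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Get-ChildItem C:\Users"},
    {"ProcessId": 7781, "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c systeminfo && dir C:\Users"},
]

def basename(path: str) -> str:
    """Last path component, tolerant of both separators, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_suspicious(event: dict) -> bool:
    """True when a Node/npm parent spawned a shell that runs a profiling command."""
    if basename(event["ParentImage"]) not in NODE_PARENTS:
        return False
    if basename(event["Image"]) not in SHELLS:
        return False
    # Split the command line on whitespace and shell separators (; | &&).
    tokens = re.split(r"[\s;|&]+", event["CommandLine"])
    return any(basename(t.strip("\"'")) in PROFILING_CMDS for t in tokens)

def hunt(events: list) -> list:
    """Return the ProcessIds of events matching the hypothesis."""
    return [e["ProcessId"] for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for pid in hunt(SAMPLE_EVENTS):
        print(f"suspicious shell spawn from Node.js/npm: ProcessId={pid}")
```

Event 1050 (npm running a build script) and 3300 (an editor, not Node, launching PowerShell) are deliberately benign so the rule's FP handling is visible; in production the parent and command sets would be tuned to the environment's build tooling.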

Control Gaps

  • Implicit trust in popular open-source packages without integrity verification
  • Lack of mandatory MFA for critical npm package maintainers

Key Behavioral Indicators

  • Anomalous child processes spawned by Node.js
  • JSON-formatted C2 beacons originating from development environments
  • Cross-platform profiling scripts executing post-npm install

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit all projects and CI/CD pipelines for recent installations or updates of the Axios npm package.
  • Block network communication to the identified C2 domain (sfrclak[.]com) and associated IP addresses.

Infrastructure Hardening

  • Implement strict egress network filtering for build servers, CI/CD pipelines, and production Node.js environments.
  • Pin npm dependencies to known safe versions and utilize lockfiles to prevent automatic updates to compromised versions.

User Protection

  • Monitor developer workstations for anomalous Node.js process behavior, particularly unexpected shell execution or process injection.

Security Awareness

  • Educate development teams on the risks of supply chain attacks and the importance of verifying package integrity.
  • Ensure all internal code repositories and package management accounts enforce Multi-Factor Authentication (MFA).

MITRE ATT&CK Mapping

  • T1078 - Valid Accounts
  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1082 - System Information Discovery
  • T1059 - Command and Scripting Interpreter
  • T1083 - File and Directory Discovery
  • T1055 - Process Injection
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • Other:
    • c373706b3456c36e8baa0a3ee5aed358c1fe07cba04f65790c90f029971e378a - Host services banner hash shared across multiple STARDUST CHOLLIMA and FAMOUS CHOLLIMA IP addresses.