North Korea-Linked Hackers Compromise Axios npm Package in Major Supply Chain Attack

Originally published in Cybersecurity News (cybersecuritynews.com) by Blog Writer.

A North Korea-linked threat group has successfully hijacked one of the most widely used JavaScript libraries on the internet, injecting malware into millions of potential development environments.

On March 31, 2026, attackers used stolen maintainer credentials to gain access to the Axios package on npm (Node Package Manager), turning a trusted tool into a weapon against unsuspecting developers worldwide.

Axios is an HTTP client library that helps developers send web requests from their applications. It is downloaded more than 100,000 times every week, making it a high-value target for any attacker looking to reach a large number of systems quietly and quickly.

By compromising this package, the threat actors positioned themselves to deliver malware silently to anyone who installed or updated the Axios package during the window of compromise.

CrowdStrike Counter Adversary Operations researchers identified this activity and attributed it with moderate confidence to a North Korean threat group tracked as STARDUST CHOLLIMA.

Analysts noted that the attackers deployed updated variants of a malware family called ZshBucket — a tool exclusively tied to STARDUST CHOLLIMA — targeting Linux, macOS, and Windows systems.

While infrastructure overlaps with another North Korean group called FAMOUS CHOLLIMA were observed, the technical sophistication of the ZshBucket variants in this attack pointed more strongly toward STARDUST CHOLLIMA as the primary actor.

The broader impact of this attack is difficult to overstate. STARDUST CHOLLIMA has a well-documented history of targeting cryptocurrency holders and fintech companies through supply chain compromises involving npm and PyPI repositories.

Given that Axios is embedded in countless web applications and developer workflows worldwide, the group’s ability to reach financial targets at scale through a single compromised package is a serious concern.

CrowdStrike assesses that financial gain — specifically currency generation — was the most likely motivation, consistent with the group’s long-standing operational pattern.

Since the end of 2025, STARDUST CHOLLIMA has significantly increased its operational pace, and this incident reflects the group’s intent to scale further.

The exact number of affected users remains unclear, but the sheer size of the Axios package’s weekly download volume signals that this supply chain compromise could have far-reaching consequences across the global software development community.

ZshBucket’s Expanded Command Capabilities

What makes this attack particularly alarming is how much more capable the new version of ZshBucket has become. In previous campaigns, ZshBucket was only able to download and execute files — a relatively straightforward function.

In this incident, the malware received a significant upgrade that gave attackers far greater control over compromised systems.

The updated ZshBucket variants now use a common JSON-based messaging protocol that works consistently across Linux, macOS, and Windows systems. This standardization allows operators to manage all infected machines through one unified communication channel.

The malware connects to a command-and-control server at the domain sfrclak[.]com, hosted at the IP address 142.11.206[.]73.

Operators can inject binary payloads into victim machines, execute arbitrary scripts and commands, enumerate the file system, and remotely terminate the malware implant when needed.

The domain sfrclak[.]com shares identifying server characteristics with two additional IP addresses — 23.254.203[.]244, a known STARDUST CHOLLIMA address active since December 2025, and 23.254.167[.]216, previously used as a C2 server for FAMOUS CHOLLIMA’s InvisibleFerret malware in May 2025. The domain is registered through Hostwinds, consistent with prior STARDUST CHOLLIMA infrastructure patterns.

Developers using the Axios npm package should immediately audit their environments for signs of compromise.

Organizations are advised to verify package integrity before deployment, enable software composition analysis tools within CI/CD pipelines, rotate any credentials linked to npm maintainer accounts, and closely monitor outbound connections for unusual traffic to unknown domains.

Security teams should treat any communication with sfrclak[.]com or its associated IP addresses as a strong indicator of compromise and investigate those systems without delay.
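As an added example, not code from the article or from CrowdStrike, the following Python script applies two of the checks above: it flags log lines that reference the C2 domain or IP addresses named in the article, and it lists every axios entry in a package-lock.json with its version and integrity hash so each can be compared against a known-good value. The log line format, the lockfile contents and the version string are constructed for the example.

```python
import json
import re

# Indicators named in the article, refanged from their "[.]" form.
IOC_DOMAINS = {"sfrclak.com"}
IOC_IPS = {"142.11.206.73", "23.254.203.244", "23.254.167.216"}

# Constructed sample log lines ("timestamp source event target" is an assumed format).
SAMPLE_LOGS = """\
2026-04-01T10:02:11Z 10.0.0.15 dns query api.github.com
2026-04-01T10:02:14Z 10.0.0.15 dns query sfrclak.com
2026-04-01T10:02:15Z 10.0.0.15 tcp connect 142.11.206.73:443
2026-04-01T10:03:40Z 10.0.0.22 tcp connect 151.101.1.69:443
""".splitlines()

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)

def find_ioc_hits(lines):
    """Return (line, indicator) pairs for lines touching a known C2 IP or domain
    (subdomains of a listed domain count as hits too)."""
    hits = []
    for line in lines:
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((line, ip))
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((line, h))
    return hits

def axios_entries(lockfile_text):
    """List (path, version, integrity) for every axios copy in a v2/v3 lockfile."""
    lock = json.loads(lockfile_text)
    found = []
    for path, meta in lock.get("packages", {}).items():
        if path == "node_modules/axios" or path.endswith("/node_modules/axios"):
            found.append((path, meta.get("version"), meta.get("integrity")))
    return found

# Constructed lockfile; the version and integrity values are placeholders.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"axios": "^0.0.0"}},
    "node_modules/axios": {"version": "0.0.0-constructed",
                           "integrity": "sha512-PLACEHOLDER"}}})

if __name__ == "__main__":
    for line, ioc in find_ioc_hits(SAMPLE_LOGS):
        print(f"IOC {ioc}: {line}")
    for path, version, integrity in axios_entries(SAMPLE_LOCK):
        print(f"{path} version={version} integrity={integrity}")
```

Run it against real proxy or DNS exports and the repository's own package-lock.json; any hit from the first check is the investigation trigger the article describes.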
