STARDUST CHOLLIMA Likely Compromises Axios npm Package
ID: f7c7a4a8-08e3-57a0-ac5f-70d0c47b85cd
STIX ID: report--f7c7a4a8-08e3-57a0-ac5f-70d0c47b85cd
Feed Name: Crowdstrike Blog
On March 31, 2026, a supply-chain compromise of the Axios npm package using stolen maintainer credentials resulted in deployment of updated cross-platform ZshBucket implants. CrowdStrike attributes the activity with moderate confidence to STARDUST CHOLLIMA based on malware code reuse and overlapping infrastructure (notably the domain sfrclak.com and associated IPs). The updated implants feature enhanced JSON-based messaging and an expanded set of remote-control commands enabling binary injection, arbitrary execution, filesystem enumeration, and data collection. The incident highlights a scalable APT supply-chain operation targeting widely used developer ecosystems.
