North Korean Hackers Compromise Axios npm Package in Supply Chain Attack


Emy Elsamnoudy
April 3, 2026

Key Takeaways

  • A North Korean state-sponsored hacking group, STARDUST CHOLLIMA, compromised the widely used Axios npm package.
  • The attackers injected updated variants of the ZshBucket malware, capable of advanced remote control, into the package.
  • The attack, which occurred on March 31, 2026, targeted developers across Linux, macOS, and Windows environments using stolen maintainer credentials.
  • The primary motivation is assessed to be financial gain, specifically cryptocurrency generation, consistent with the group’s historical patterns.

North Korean Hackers Exploit Axios npm Package in Sophisticated Supply Chain Operation

A North Korea-linked advanced persistent threat (APT) group has executed a significant supply chain attack, injecting malicious code into the Axios Node Package Manager (npm) package, a JavaScript library used by millions of developers globally. This compromise weaponized a trusted development tool, potentially exposing countless development environments to malware. The details of this incident were unveiled in a recent report by CrowdStrike.


The attackers gained unauthorized access to the Axios npm package on March 31, 2026, leveraging stolen maintainer credentials. Axios, an HTTP client library crucial for web requests, sees over 100,000 weekly downloads, making it an attractive target for threat actors aiming for broad, stealthy system infiltration.

By compromising this popular package, the threat actors were positioned to silently deliver malware to any developer who installed or updated Axios during the period of compromise.

Attribution to STARDUST CHOLLIMA

Researchers from CrowdStrike’s Counter Adversary Operations identified and attributed this activity with moderate confidence to STARDUST CHOLLIMA, a North Korean threat group. The analysts observed the deployment of enhanced variants of ZshBucket, a malware family exclusively associated with STARDUST CHOLLIMA, targeting Linux, macOS, and Windows operating systems.

While some infrastructural overlaps were noted with FAMOUS CHOLLIMA, another North Korean group, the advanced technical capabilities of the ZshBucket variants strongly indicated STARDUST CHOLLIMA as the primary perpetrator.

The broader implications of this attack are substantial. STARDUST CHOLLIMA has a documented history of targeting cryptocurrency holders and fintech organizations through supply chain compromises involving npm and PyPI repositories. Given Axios’s pervasive integration into web applications and developer workflows worldwide, the group’s ability to reach financial targets at scale via a single compromised package presents a severe concern.

CrowdStrike assesses that the primary motivation behind this operation was financial gain, specifically currency generation, which aligns with STARDUST CHOLLIMA’s established operational patterns. Since late 2025, the group has escalated its operational tempo, and this incident underscores its ambition for expanded reach.

The exact number of affected users remains undetermined, but the immense weekly download volume of the Axios package suggests that this supply chain compromise could have widespread repercussions across the global software development community.

ZshBucket’s Expanded Command Capabilities

A particularly alarming aspect of this attack is the significant enhancement of the ZshBucket malware. Previous iterations of ZshBucket were largely confined to downloading and executing files. However, the variants deployed in this incident feature substantial upgrades, granting attackers far more extensive control over compromised systems.

The updated ZshBucket variants now employ a standardized JSON-based messaging protocol, ensuring consistent functionality across Linux, macOS, and Windows environments. This uniformity allows operators to manage all infected machines through a single, unified communication channel.

The malware establishes connections to a command-and-control (C2) server located at the domain sfrclak[.]com, hosted at the IP address 142.11.206[.]73. Through this C2 infrastructure, operators can inject binary payloads, execute arbitrary scripts and commands, enumerate file systems, and remotely terminate the malware implant as required. Furthermore, the C2 infrastructure exhibits deeper connections to North Korean cyber operations.

The domain sfrclak[.]com shares identifying server characteristics with two other IP addresses: 23.254.203[.]244, an IP address known to be active with STARDUST CHOLLIMA since December 2025, and 23.254.167[.]216, which previously served as a C2 server for FAMOUS CHOLLIMA’s InvisibleFerret malware in May 2025. The domain’s registration through Hostwinds is also consistent with prior STARDUST CHOLLIMA infrastructure patterns.
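The indicators above are printed in defanged form, so a detection rule has to refang them before it can match real DNS or proxy records, and it has to match whole tokens so that look-alike domains and longer IP addresses do not produce false hits. The following is an added example for this article (not code from the article or from CrowdStrike) that does exactly that over a few constructed log lines; the indicator values are the ones quoted in the text, everything else is assumed.

```javascript
// Added example for this article (not code from the article or from
// CrowdStrike): match the published ZshBucket C2 indicators against
// DNS and proxy log lines. The indicator values are the ones quoted in the
// text; the log lines below are constructed for illustration.

// Indicators exactly as the article prints them (defanged with "[.]").
const DEFANGED_IOCS = [
  'sfrclak[.]com',
  '142.11.206[.]73',
  '23.254.203[.]244',
  '23.254.167[.]216',
];

// Turn a defanged indicator back into the literal form that appears in logs.
function refang(ioc) {
  return ioc.replace(/\[\.\]|\(\.\)/g, '.').replace(/^hxxp/i, 'http');
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// One regex per indicator. A domain indicator also matches its subdomains
// (api.sfrclak.com) and a trailing FQDN dot, but not look-alikes such as
// notsfrclak.com or sfrclak.com.example. An IP indicator must match as a
// whole address, so 142.11.206.730 or 10.142.11.206.73 do not count.
function buildMatchers(defangedList) {
  return defangedList.map((d) => {
    const literal = refang(d);
    const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(literal);
    const esc = escapeRegExp(literal);
    const pattern = isIp
      ? `(?<!\\d\\.?)${esc}(?!\\.?\\d)`
      : `(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\\.)*${esc}(?![A-Za-z0-9-]|\\.[A-Za-z0-9-])`;
    return { indicator: literal, re: new RegExp(pattern, 'i') };
  });
}

// Scan log lines and return every (line number, indicator) hit.
function scanLogLines(lines, matchers = buildMatchers(DEFANGED_IOCS)) {
  const hits = [];
  lines.forEach((line, idx) => {
    for (const { indicator, re } of matchers) {
      if (re.test(line)) hits.push({ line: idx + 1, indicator, text: line });
    }
  });
  return hits;
}

// Constructed sample: one DNS query to a subdomain of the C2 domain, one
// proxy CONNECT to the C2 IP, and two near-misses that must not match.
const SAMPLE_LOG = [
  '2026-04-01T09:12:03Z dns client=10.0.4.21 query=registry.npmjs.org type=A',
  '2026-04-01T09:12:07Z dns client=10.0.4.21 query=api.sfrclak.com. type=A',
  '2026-04-01T09:12:08Z proxy src=10.0.4.21 dst=142.11.206.73:443 method=CONNECT',
  '2026-04-01T09:13:10Z proxy src=10.0.4.22 dst=142.11.206.730:443 method=CONNECT',
  '2026-04-01T09:14:00Z dns client=10.0.4.30 query=notsfrclak.com type=A',
];

for (const hit of scanLogLines(SAMPLE_LOG)) {
  console.log(`line ${hit.line}: ${hit.indicator} in "${hit.text}"`);
}
```

Run against the constructed sample, only the second and third lines are reported: the subdomain query and the CONNECT to the C2 address. The fourth line (a longer IP that merely starts with the indicator) and the fifth (a domain that merely ends with it) are ignored, which is the behaviour you want before wiring an indicator list into a SIEM rule.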

What You Should Do

  • Developers utilizing the Axios npm package must immediately audit their development environments for any indicators of compromise.
  • Organizations should implement rigorous verification of package integrity before deployment and integrate software composition analysis (SCA) tools into their CI/CD pipelines.
  • All credentials associated with npm maintainer accounts should be rotated without delay.
  • Continuously monitor outbound network connections for any anomalous traffic directed towards unknown or suspicious domains.
  • Security teams should treat any communication with sfrclak[.]com or its associated IP addresses (142.11.206[.]73, 23.254.203[.]244, 23.254.167[.]216) as a critical indicator of compromise and initiate immediate investigations of affected systems.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
