STARDUST CHOLLIMA Likely Compromises Axios npm Package
On March 31, 2026, a threat actor used stolen maintainer credentials to compromise the Node Package Manager (npm) package of the widely used HTTP client library Axios and deploy platform-specific ZshBucket variants. CrowdStrike Counter Adversary Operations attributes this activity to STARDUST CHOLLIMA with moderate confidence, based on the adversary's deployment of updated variants of ZshBucket (malware uniquely attributed to STARDUST CHOLLIMA) and overlaps with known STARDUST CHOLLIMA infrastructure.
ZshBucket can be used to target Linux, macOS, and Windows systems; previously, only macOS variants of ZshBucket had been observed. The macOS variant observed in this case extensively reuses code from previous instances, including function names. All variants retain characteristics of previous instances, including how they profile the user and host operating system and how they send the collected information.
The adversary made the following significant updates to the functionality and messaging protocol in the ZshBucket instance deployed in this incident compared to previous …
IoCs
http://23.254.203.244
http://142.11.206.73
http://23.254.167.216
http://sfrclak.com
23.254.203.244
23.254.167.216
142.11.206.73
[email protected]
[email protected]
c373706b3456c36e8baa0a3ee5aed358c1fe07cba04f65790c90f029971e378a
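The indicators above are most useful when turned into something that can be run against proxy or DNS logs and against files already on disk. The script below is an added example written for this page, not CrowdStrike tooling: it loads the published IPs, domain and SHA-256 hash, matches them against log lines (with boundary checks so that a longer IP or a host that merely contains an IoC string does not trigger), and hashes files under a directory to find the listed sample. The proxy log lines are constructed for illustration and are not from the incident; the compromised Axios version and the obfuscated e-mail addresses are not reproduced in the excerpt above, so they are not encoded here.

```python
import hashlib
import re
from pathlib import Path

# Indicators reproduced from the IoC list above (no others are assumed).
IOC_IPS = {"23.254.203.244", "142.11.206.73", "23.254.167.216"}
IOC_DOMAINS = {"sfrclak.com"}
IOC_SHA256 = {"c373706b3456c36e8baa0a3ee5aed358c1fe07cba04f65790c90f029971e378a"}

# Dotted quad that is not part of a longer dotted run (rejects 142.11.206.73.x / 1142.11.206.73).
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Hostname whose final label is alphabetic, so bare IPs are not picked up twice.
_HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def indicators_in_line(line: str) -> set[str]:
    """Return the IoC IPs/domains present in one log line (subdomains of an IoC domain count)."""
    hits = set()
    for ip in _IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(ip)
    for host in _HOST_RE.findall(line):
        h = host.lower()
        if h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS):
            hits.add(h)
    return hits


def scan_log_lines(lines):
    """Return (line_number, line, sorted_hits) for every line that matches an indicator."""
    return [(n, line, sorted(hits))
            for n, line in enumerate(lines, 1)
            if (hits := indicators_in_line(line))]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_sha256(data: bytes) -> bool:
    """True if the bytes hash to the sample listed in the IoCs."""
    return sha256_hex(data) in IOC_SHA256


def scan_tree(root) -> list[str]:
    """Hash every regular file under root (e.g. a node_modules directory) and return matches."""
    matches = []
    for p in Path(root).rglob("*"):
        if p.is_file() and match_sha256(p.read_bytes()):
            matches.append(str(p))
    return matches


# Constructed sample proxy log, not data from the incident. Line 4 is a deliberate
# near-miss: the IoC IP appears as a prefix of a longer hostname and must not match.
SAMPLE_PROXY_LOG = [
    "2026-03-31T10:02:11Z CONNECT registry.npmjs.org:443 200",
    "2026-03-31T10:02:12Z GET http://sfrclak.com/ 200 -",
    "2026-03-31T10:02:13Z GET http://142.11.206.73/ 200 -",
    "2026-03-31T10:02:14Z GET http://142.11.206.73.example.net/ 200 -",
]

if __name__ == "__main__":
    for n, line, hits in scan_log_lines(SAMPLE_PROXY_LOG):
        print(f"line {n}: {hits}  <- {line}")
    print("file matches:", scan_tree("."))
```

Run `scan_tree` against each project's `node_modules` and any CI build caches rather than a single checkout; the hash identifies one dropped file, not the package itself, so a clean hash sweep does not prove the affected Axios version was never installed, and the network indicators should be checked in proxy, DNS and egress logs going back to at least March 31, 2026.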