![Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/video-ATTCK2-1?wid=530&hei=349&fmt=png-alpha&qlt=95,0&resMode=sharp2&op_usm=3.0,0.3,2,0)
![Qatar’s Commercial Bank Chooses CrowdStrike Falcon®: A Partnership Based on Trust [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/Edward-Gonam-Qatar-Blog2-1?wid=530&hei=349&fmt=png-alpha&qlt=95,0&resMode=sharp2&op_usm=3.0,0.3,2,0)
?wid=2048&hei=1350&fmt=png-alpha&qlt=95,0&resMode=sharp2&op_usm=3.0,0.3,2,0)
On March 31, 2026, a threat actor used stolen maintainer credentials to compromise the widely used HTTP client library Axios Node Package Manager (npm) package and deploy platform-specific ZshBucket variants. CrowdStrike Counter Adversary Operations attributes this activity to STARDUST CHOLLIMA with moderate confidence based on the adversary’s deployment of updated variants of ZshBucket (malware uniquely attributed to STARDUST CHOLLIMA) and overlaps with known STARDUST CHOLLIMA infrastructure.
ZshBucket can be used to target Linux, macOS, and Windows systems; previously, only macOS variants of ZshBucket had been observed. The observed macOS variant in this case extensively reuses code from previous instances, including function names. All variants retain characteristics of previous instances, including how it profiles the user and host of the operating system, and how it sends the collected information.
The adversary made the following significant updates to the functionality and messaging protocol in the ZshBucket instance deployed in this incident compared to previous variants:
- Implemented a common JSON-based messaging protocol for all platform-specific instances
- Implemented commands that enable the operator to inject binary payloads, execute arbitrary scripts and commands, enumerate the file system, and remotely terminate the implant; these commands replace previous instances’ simple download and execute functionality
Related Infrastructure
The domain sfrclak[.]com — hosted at 142.11.206[.]73 and later used as a command-and-control (C2) address — shares a host services banner hash (c373706b3456c36e8baa0a3ee5aed358c1fe07cba04f65790c90f029971e378a) with two additional IP addresses: 23.254.203[.]244 and 23.254.167.216. The IP address 23.254.203[.]244 is a known STARDUST CHOLLIMA IP address first observed in December 2025, and 23.254.167[.]216 was previously used as a C2 server for FAMOUS CHOLLIMA’s InvisibleFerret malware in May 2025. The domain is also registered on the Hostwinds hosting provider, consistent with STARDUST CHOLLIMA’s previously observed operations.
Assessment
CrowdStrike Intelligence attributes this activity to STARDUST CHOLLIMA with moderate confidence based on the use of an updated ZshBucket instance — malware uniquely attributed to STARDUST CHOLLIMA — as well as infrastructure overlaps with STARDUST CHOLLIMA’s previous operations. However, the infrastructure also overlaps with FAMOUS CHOLLIMA operations, precluding a higher confidence assessment.
DPRK-nexus adversaries frequently share infrastructure, and FAMOUS CHOLLIMA has historically deployed DPRK-associated tooling and has extensively abused npm repositories in their operations. As such, FAMOUS CHOLLIMA could be responsible for this incident. However, the updated ZshBucket variants deployed in this supply chain compromise are more technically advanced than the malware FAMOUS CHOLLIMA typically uses, and this incident is more likely attributable to STARDUST CHOLLIMA.
The intended targets of this compromise are unclear. The Axios npm package is a commonly used HTTP client library that is downloaded more than 100,000 times per week. STARDUST CHOLLIMA’s operations prioritize currency generation and regularly target cryptocurrency holders, and the adversary has also conducted widespread supply chain compromises impacting fintech companies’ npm and PyPi repositories. Based on these factors, CrowdStrike Counter Adversary Operations assesses the adversary’s motivation probably aligns with this currency generation objective.
Since the end of Q4 2025, STARDUST CHOLLIMA’s operational tempo has surged and has continued at this pace. This supply chain attack leveraging updated ZshBucket variants is further evidence that the adversary intends to scale their operations in the near term.
Additional Resources
- Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights.
- Read the CrowdStrike 2026 Global Threat Report for the latest insights on adversaries, tradecraft, and activity.
- Visit the Counter Adversary Operations webpage to learn about CrowdStrike’s threat intelligence and hunting solutions.
