STARDUST CHOLLIMA Likely Compromises Axios npm Package

Blog post from Crowdstrike

Post Details
Word Count: 1,624
Language: English
Summary

In early April 2026, CrowdStrike Counter Adversary Operations reported that the Axios npm package, a widely used HTTP client library, was likely compromised by the threat actor STARDUST CHOLLIMA, which used stolen maintainer credentials to deploy platform-specific ZshBucket malware variants. These variants targeted Linux, macOS, and Windows systems and carried updated functionality that allows more complex operations than previous iterations. The attack's infrastructure overlaps with known STARDUST CHOLLIMA and FAMOUS CHOLLIMA operations, though the compromise is attributed to STARDUST CHOLLIMA with moderate confidence due to the advanced technical nature of the new ZshBucket variants. The motivation behind the compromise appears to be currency generation, which aligns with a pattern of targeting cryptocurrency holders and fintech companies. The incident reflects a broader trend of increased operational activity by STARDUST CHOLLIMA since late 2025, suggesting plans to scale operations further.