Categories: Cyber Security News

Axios npm Package Compromised by North Korea-Linked Threat Actors

On March 31, 2026, the cybersecurity community faced a significant supply chain attack when threat actors successfully compromised the highly popular Axios Node Package Manager (npm) package.

By utilizing stolen maintainer credentials, the attackers hijacked this widely used HTTP client library to distribute advanced malware to unsuspecting developers.

The malicious payload, identified as updated variants of the ZshBucket malware, was secretly deployed across multiple operating systems.

Security researchers at CrowdStrike Counter Adversary Operations attribute this sophisticated breach to the North Korea-linked threat group known as STARDUST CHOLLIMA, assigning moderate confidence to the assessment.

Evolution Of The ZshBucket Malware

Historically, security researchers had only observed ZshBucket operating as a macOS-specific threat. However, the Axios compromise marks a severe escalation in the malware’s reach and capabilities.

The newly discovered variants are now designed to cross platform boundaries, actively targeting Linux, macOS, and Windows systems alike.

The new macOS variant heavily reuses code and function names from older versions, and all the updated variants retain the malware's core profiling features.

They scan the infected operating system to quietly gather user and host data before transmitting it back to the attackers.

Attribution and Attack Infrastructure

Connecting this attack to North Korean state-sponsored actors required careful analysis of the attacker’s command-and-control (C2) network.

The attackers utilized a specific domain for their C2 server, which shares a unique host services banner hash with two notable IP addresses.

One of these addresses is directly tied to previous STARDUST CHOLLIMA operations, first observed in December 2025.

The second IP address was previously used in May 2025 as a C2 server for the InvisibleFerret malware, a tool linked to another North Korean group called FAMOUS CHOLLIMA.

Because North Korean threat groups frequently share infrastructure and tools, pinpointing the exact responsible group is challenging.

FAMOUS CHOLLIMA has a known history of abusing npm repositories in its past operations. However, CrowdStrike leans toward STARDUST CHOLLIMA for this specific attack because ZshBucket is uniquely attributed to them.

Additionally, the highly advanced nature of these updated variants aligns much better with STARDUST CHOLLIMA’s technical capabilities. In contrast, FAMOUS CHOLLIMA typically relies on less sophisticated tooling.

Ultimately, the underlying motive for this supply chain attack appears to be financial. STARDUST CHOLLIMA heavily prioritizes generating illicit currency, frequently targeting cryptocurrency holders and financial technology companies.

By compromising a package as widely used as Axios, the attackers cast a wide net to capture high-value targets in the fintech sector.

With STARDUST CHOLLIMA's operational tempo surging continuously since late 2025, this incident serves as a stark warning that the adversary is aggressively scaling its operations to infiltrate global software supply chains.
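For teams that depend on Axios, the first practical step after a compromise like the one described above is to find every copy their lockfile actually resolves, including nested copies pulled in by other dependencies, and check when each version was published. The script below is an added example, not code from the article, CrowdStrike, or the Axios project; it assumes a lockfileVersion 2 or 3 package-lock.json, uses the npm registry packument's `time` field (version to publish timestamp), and works on constructed sample data with placeholder version numbers, treating the incident date from the article as the review cut-off.

```javascript
// Added example: audit a package-lock.json for every resolved copy of one package and
// flag versions published on/after a cut-off date or recorded without an integrity hash.
// Assumes lockfileVersion 2 or 3 ("packages" map keyed by install path).

// Cut-off taken from the incident date in the article (assumption: anything published
// on or after that day is treated as needing review).
const COMPROMISE_DATE = new Date('2026-03-31T00:00:00Z');

// Constructed lockfile fragment; version numbers are placeholders, not real releases.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.0.0', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': {
      version: '1.99.0',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.99.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/some-sdk': { version: '2.0.0', integrity: 'sha512-PLACEHOLDER' },
    // Nested copy pulled in by some-sdk, recorded without an integrity field.
    'node_modules/some-sdk/node_modules/axios': { version: '1.50.0' },
  },
};

// Constructed subset of the registry packument "time" field (version -> publish time).
// In practice fetch https://registry.npmjs.org/<package> and read its .time object.
const sampleRegistryTime = {
  '1.50.0': '2025-06-01T12:00:00.000Z',
  '1.99.0': '2026-03-31T09:30:00.000Z',
};

// Returns one finding per suspicious install path: { path, version, reasons }.
function auditLockfile(lock, registryTime, pkgName, cutoff) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the top-level install and any nested copy under another dependency.
    const isTarget = path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`);
    if (!isTarget) continue;
    const reasons = [];
    const published = registryTime[meta.version];
    if (!published) reasons.push('version absent from registry metadata');
    else if (new Date(published) >= cutoff) reasons.push(`published ${published}, on/after cut-off`);
    if (!meta.integrity) reasons.push('missing integrity hash');
    if (reasons.length) findings.push({ path, version: meta.version, reasons });
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(sampleLock, sampleRegistryTime, 'axios', COMPROMISE_DATE), null, 2));
```

A version absent from the registry's `time` map is reported as well, since it may have been removed by the registry after the incident and should not be silently trusted.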


The post Axios npm Package Compromised by North Korea-Linked Threat Actors appeared first on Cyber Security News.