The Axios npm package, a widely used HTTP client library with more than 100,000 weekly downloads, was compromised on March 31, 2026, after attackers used stolen maintainer credentials to push malicious code.
Cybersecurity firm CrowdStrike said the attack likely came from the threat group Stardust Chollima, citing overlaps in infrastructure and the use of a known malware family called ZshBucket.
This latest breach highlights the growing risk of software supply chain attacks, where widely used open-source tools become a gateway for malware distribution at scale.
The malicious update introduced new variants of ZshBucket that can run on Linux, macOS, and Windows. Earlier versions had only been seen on macOS, so the cross-platform builds indicate a broader and more aggressive reach in this incident.
The malware collects system and user data, then sends it back to the attacker. It also comes with expanded capabilities, including running commands, injecting additional payloads, scanning files, and remotely shutting itself down.
CrowdStrike said the attackers improved how the malware communicates by using a unified JSON-based messaging protocol across all platforms. This replaces earlier, simpler methods that mainly downloaded and executed files.
“CrowdStrike Intelligence attributes this activity to Stardust Chollima with moderate confidence based on the use of updated ZshBucket malware and infrastructure overlaps with previous operations,” the company said in a blog post.
However, the report noted that some infrastructure also overlaps with another group, Famous Chollima, making full attribution less certain.
“The infrastructure also overlaps with Famous Chollima operations, precluding a higher confidence assessment,” CrowdStrike said.
Even so, the newer and more advanced malware used in this attack suggests Stardust Chollima is the more likely actor.
The exact targets remain unclear, but Axios is widely used in web and app development, making it a high-impact entry point. CrowdStrike noted that Stardust Chollima often targets cryptocurrency users and fintech platforms, typically aiming to generate revenue.
The firm added that the group’s activity has increased since late 2025, with more frequent and technically advanced attacks.