(crowdstrike.com) STARDUST CHOLLIMA Compromises Axios npm Package with Updated ZshBucket Malware in Supply Chain Attack

STARDUST CHOLLIMA (DPRK) compromised the Axios npm package (100K+ weekly downloads) via stolen maintainer credentials, deploying updated ZshBucket malware targeting Linux/macOS/Windows in a supply chain attack.

In brief - A DPRK-nexus threat actor conducted a supply chain compromise of the widely used Axios npm package, deploying cross-platform ZshBucket malware variants. The attack aligns with currency generation objectives, leveraging stolen credentials and infrastructure linked to prior STARDUST CHOLLIMA and FAMOUS CHOLLIMA operations.

Technically - The updated ZshBucket variants introduce a JSON-based C2 protocol, enabling binary payload injection, arbitrary command execution, and file system enumeration. macOS variants reuse legacy code, while the Windows and Linux versions expand capabilities. The C2 infrastructure sfrclak[.]com (142.11.206[.]73) shares a host banner hash (c373706b3456c36e8baa0a3ee5aed358c1fe07cba04f65790c90f029971e378a) with known STARDUST CHOLLIMA (23.254.203[.]244) and FAMOUS CHOLLIMA (23.254.167[.]216) IPs, confirming attribution.

Source: https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/

#Cybersecurity #ThreatIntel
