On March 31, 2026, somebody used stolen maintainer credentials to push malicious code into Axios — the ubiquitous HTTP client library downloaded over 100,000 times per week on npm. Within hours, developers worldwide were pulling compromised versions containing platform-specific variants of ZshBucket, a malware family uniquely attributed to North Korean state-sponsored hackers.
CrowdStrike Counter Adversary Operations published its attribution on April 1, assessing with moderate confidence that the attack was conducted by STARDUST CHOLLIMA — a DPRK-nexus adversary group primarily focused on cryptocurrency theft and financial operations.
For anyone running OpenClaw or any Node.js-based AI agent infrastructure, this is a direct supply chain threat.
What Happened
The attack followed the now-familiar playbook: compromise a package maintainer’s credentials, push a malicious update to a widely depended-upon library, and let the dependency graph do the distribution work.
But the payload was anything but typical.
ZshBucket — previously observed only targeting macOS — arrived in updated, cross-platform form:
- Linux, macOS, and Windows variants, all sharing a common JSON-based messaging protocol
- Full remote access: binary payload injection, arbitrary script and command execution, file system enumeration, and remote implant termination
- Host profiling: each variant fingerprints the operating system and user environment before phoning home
The macOS variant extensively reused code from previous STARDUST CHOLLIMA instances, including function names — which is what enabled CrowdStrike’s attribution.
The Infrastructure Trail
CrowdStrike traced the command-and-control infrastructure to sfrclak[.]com, hosted at 142.11.206[.]73. The domain’s host services banner hash matched two additional IP addresses:
- 23.254.203[.]244 — a known STARDUST CHOLLIMA IP first observed in December 2025
- 23.254.167[.]216 — previously used as a C2 server for FAMOUS CHOLLIMA’s InvisibleFerret malware in May 2025
Both the Hostwinds hosting provider choice and the infrastructure overlap are consistent with DPRK-nexus operations. However, the shared infrastructure between STARDUST and FAMOUS CHOLLIMA is also why CrowdStrike stopped at “moderate confidence” rather than high.
Why This Matters More Than a Typical npm Attack
Axios isn’t some obscure utility package. It’s a foundational dependency — the kind that sits in the node_modules of virtually every enterprise Node.js application, every serverless function, and every AI agent framework that makes HTTP calls.
The blast radius is enormous:
- 100,000+ weekly downloads — meaning thousands of CI/CD pipelines likely pulled the compromised version before it was caught
- Cross-platform malware — for the first time, ZshBucket targets Linux and Windows in addition to macOS, dramatically expanding the attack surface
- AI agent infrastructure is especially exposed — OpenClaw, LangChain, and similar frameworks all run Node.js processes that make HTTP calls. A compromised Axios means the agent’s own HTTP client is weaponized
This isn’t the first time STARDUST CHOLLIMA has targeted npm. The group has a documented history of supply chain compromises hitting fintech companies through both npm and PyPI repositories. But Axios represents a significant escalation in target selection — from niche fintech packages to a library that is essentially infrastructure for the JavaScript ecosystem.
DPRK’s Escalating Tempo
CrowdStrike notes that since Q4 2025, STARDUST CHOLLIMA’s operational tempo has surged and shows no sign of slowing. This Axios compromise — deploying upgraded, cross-platform malware through a top-tier npm package — signals the group intends to scale operations further.
The motivation is almost certainly financial. STARDUST CHOLLIMA’s operations consistently prioritize currency generation, with cryptocurrency holders and financial service providers as primary targets. Given that AI agent operators frequently hold API keys with billing attached (OpenAI, Anthropic, cloud providers), the intersection between AI infrastructure and crypto-adjacent targets is narrowing fast.
The Claude Code Connection
This attack arrives just days after a separate supply chain incident: the Claude Code source code leak led to fake GitHub repositories distributing Vidar information-stealing malware disguised as “unlocked enterprise features” of Claude Code. According to Cyware threat intelligence, threat actors quickly created fraudulent repos exploiting the leak.
Two supply chain attacks targeting AI developer infrastructure in the same week. The pattern is clear: AI agent toolchains are now high-value targets for nation-state actors.
What OpenClaw Users Should Do Right Now
1. Check Your Axios Version
# In your OpenClaw workspace or any Node.js project
npm ls axios
# or
pnpm ls axios
If you’re running a version published on or after March 31, 2026, update immediately to a verified clean version.
2. Audit Your Lock Files
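# Check when your axios dependency was last updated:
# list commits (hash, date, subject) whose lock-file diff adds or removes a line mentioning axios
git log --date=short --format='%h %ad %s' -G'axios' -- package-lock.json | head -20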
Lock files should pin to known-good versions. If your lock file was regenerated during the compromise window, regenerate it from a clean state.
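A lock file can pin more than one copy of axios, because nested dependencies carry their own. The following added example (not code from the article, npm, or OpenClaw) walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports every axios entry with its pinned version, source, and integrity hash. The bad-version set, the trusted registry prefix, and the sample lock file are assumptions; the article lists no affected version numbers.

```javascript
// Added example: list every axios copy pinned in a package-lock.json
// (lockfileVersion 2/3 "packages" map) and flag weak or suspicious pins.

// ASSUMPTION: placeholder; take the affected versions from the advisory.
const KNOWN_BAD_VERSIONS = new Set(["<COMPROMISED_VERSION_PLACEHOLDER>"]);
// ASSUMPTION: public npm registry; change this if you use a private mirror.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

function auditAxios(lock, badVersions = KNOWN_BAD_VERSIONS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Top-level and nested copies match; "axios-retry" and "" do not.
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    const problems = [];
    if (badVersions.has(meta.version)) problems.push("known-bad version");
    if (!meta.integrity) problems.push("no integrity hash");
    if (!String(meta.resolved || "").startsWith(TRUSTED_REGISTRY))
      problems.push("resolved outside trusted registry");
    findings.push({ path, version: meta.version, problems });
  }
  return findings;
}

// Constructed sample; versions and hashes are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-workspace" },
    "node_modules/axios": {
      version: "9.9.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-9.9.1.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/some-sdk/node_modules/axios": {
      version: "9.9.2",
      resolved: "https://mirror.example/axios-9.9.2.tgz",
    },
    "node_modules/axios-retry": { version: "1.0.0" },
  },
};

for (const f of auditAxios(SAMPLE_LOCK, new Set(["9.9.2"])))
  console.log(f.path, f.version, f.problems.join("; ") || "ok");
```

To run it against a real project, pass the parsed contents of `package-lock.json` as `lock` and the advisory's version list as `badVersions`.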
3. Monitor for ZshBucket Indicators
CrowdStrike published the following indicators:
- C2 domain: sfrclak[.]com
- C2 IP: 142.11.206[.]73
- Related IPs: 23.254.203[.]244, 23.254.167[.]216
Check your network logs and DNS queries for any connections to these addresses.
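One way to run that check over exported DNS or connection logs, as an added example that is not CrowdStrike's or the article's code: it keeps the indicators defanged in source, refangs them only for matching, and uses boundary checks so look-alike hostnames and longer IP strings do not raise false hits. The log format and sample lines are constructed for illustration.

```javascript
// Added example: match log lines against the indicators listed above.
const DEFANGED_IOCS = [
  "sfrclak[.]com", "142.11.206[.]73",
  "23.254.203[.]244", "23.254.167[.]216",
];

const refang = (s) => s.replace(/\[\.\]/g, ".");
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// One regex per indicator. Domains also match subdomains and a trailing
// root dot; boundaries reject "notsfrclak.com", "sfrclak.com.example.net"
// and IPs that are only a substring of a longer address.
function buildMatchers(defanged) {
  return defanged.map((ioc) => {
    const live = escapeRe(refang(ioc).toLowerCase());
    const isIp = /^[\d.]+$/.test(refang(ioc));
    const re = isIp
      ? new RegExp(`(?<![\\d.])${live}(?!\\.?\\d)`)
      : new RegExp(`(?<![a-z0-9-])${live}(?![a-z0-9-]|\\.[a-z0-9])`);
    return { ioc, re };
  });
}

// Returns one hit per (line, indicator); indicators are reported defanged.
function scanLines(lines, matchers = buildMatchers(DEFANGED_IOCS)) {
  const hits = [];
  lines.forEach((line, i) => {
    const lower = line.toLowerCase();
    for (const { ioc, re } of matchers)
      if (re.test(lower)) hits.push({ lineNo: i + 1, ioc });
  });
  return hits;
}

// Constructed sample log, written defanged and refanged at load time.
const SAMPLE_LOG = [
  "2026-04-01T09:14:02Z dns query A registry.npmjs.org from 10.0.4.17",
  "2026-04-01T09:14:05Z dns query A www.SFRCLAK[.]com. from 10.0.4.17",
  "2026-04-01T09:14:06Z conn 10.0.4.17:51544 -> 142.11.206[.]73:443 tcp",
  "2026-04-01T09:15:40Z dns query A notsfrclak[.]com from 10.0.4.22",
  "2026-04-01T09:16:11Z conn 10.0.4.22:40112 -> 123.254.203[.]244:443 tcp",
].map(refang);

for (const h of scanLines(SAMPLE_LOG)) console.log(`line ${h.lineNo}: ${h.ioc}`);
```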
4. Restrict Agent Network Access
If you’re running OpenClaw in production, this is another argument for strict network egress controls:
# Example: restrict outbound connections
# Only allow your agent to reach known-good API endpoints
An agent whose HTTP client has been compromised can exfiltrate credentials, API keys, and conversation data without any visible change in behavior.
5. Use npm Provenance and Signature Verification
# Verify package provenance
npm audit signatures
npm’s provenance attestation system can flag packages that weren’t built through their expected CI pipeline — though it only works for packages that have opted in.
The Bigger Picture
The Axios compromise is the latest data point in a trend that’s been accelerating all year:
- Langflow CVE-2026-33017 — exploited within 20 hours of disclosure
- TeamPCP/LiteLLM supply chain attack — compromised Mercor’s $10B AI training operation
- Claude Code source leak — weaponized within days for malware distribution
- hackerbot-claw — AI bot exploiting GitHub Actions at Microsoft, Datadog, Aqua Security
The advisory-to-exploit window has collapsed. The supply chain attack surface has expanded to include every dependency in the AI agent stack. And nation-state actors — not just opportunistic hackers — are now actively targeting the infrastructure that AI agents run on.
The next compromised package might not be Axios. It might be something deeper in your dependency tree, something you’ve never directly installed but that runs with your agent’s full permissions.
Lock your dependencies. Verify your signatures. Monitor your egress. The supply chain is the attack surface.