STARDUST CHOLLIMA Likely Compromises Axios npm Package

2026-04-01 CrowdStrike

https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/


CrowdStrike reports that a threat actor used stolen maintainer credentials on March 31, 2026 to compromise the widely used Axios npm package and deploy updated, platform-specific ZshBucket variants. The activity is attributed to STARDUST CHOLLIMA with moderate confidence based on ZshBucket use and infrastructure overlaps, though shared DPRK infrastructure with FAMOUS CHOLLIMA prevents higher confidence. The malicious chain targeted Linux, macOS, and Windows systems, with ZshBucket gaining a common JSON messaging protocol and commands for binary injection, script and command execution, filesystem enumeration, and implant termination. Infrastructure centered on sfrclak[.]com at 142.11.206[.]73, with related Hostwinds-hosted IPs overlapping prior STARDUST CHOLLIMA and FAMOUS CHOLLIMA activity. The incident matters because Axios is a high-volume open-source dependency and the updated malware suggests a DPRK-linked actor seeking to scale supply chain access, likely aligned with currency-generation objectives.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  sfrclak.com                        2026-03-30   2026-04-20
IPv4    142.11.206.73                      2026-03-30   2026-04-17
IPv4    23.254.167.216                     2025-01-14   2026-04-17
IPv4    23.254.203.244                     2025-06-20   2026-04-03
HASH    c373706b3456c36e8baa0a3ee5aed35…   2026-04-01   2026-04-01
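A retrospective sweep of DNS and connection logs for the network indicators above is the first thing a SOC would run after reading this summary. The script below is an added example, not code from CrowdStrike or from the report; it uses only the domain and IPv4 addresses listed on this page, handles defanged forms such as sfrclak[.]com, and matches subdomains of the listed domain. The hash on the page is truncated, so it is deliberately left out rather than matched as a prefix. The log format and the sample lines are constructed for the example.

```python
import ipaddress
import re

# Network IoCs exactly as listed in the indicator table above.
# The file hash is truncated on the page (c373706b3456c36e8baa0a3ee5aed35...),
# so it is not included: a hash prefix cannot be matched safely.
IOC_DOMAINS = {"sfrclak.com"}
IOC_IPS = {"142.11.206.73", "23.254.167.216", "23.254.203.244"}

# Constructed sample log lines (not from the report). The assumed format is
# "<timestamp> <host> key=value key=value ...".
SAMPLE_LOGS = """\
2026-04-01T10:02:11Z build-01 event=dns query=registry.npmjs.org answer=104.16.1.35
2026-04-01T10:02:13Z build-01 event=dns query=sfrclak.com answer=142.11.206.73
2026-04-01T10:02:14Z build-01 event=conn dst=142.11.206.73:443 proc=node
2026-04-01T10:05:40Z dev-mac-7 event=conn dst=23.254.203.244:8080 proc=zsh
2026-04-01T10:06:02Z dev-mac-7 event=conn dst=93.184.216.34:443 proc=curl
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(value):
    """Normalise defanged indicators (sfrclak[.]com, 142.11.206[.]73, hxxp://)."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def matches_domain(value):
    """Return the listed domain if value is it or one of its subdomains, else None."""
    v = refang(value).lower().rstrip(".")
    for d in IOC_DOMAINS:
        if v == d or v.endswith("." + d):
            return d
    return None


def matches_ip(value):
    """Return the canonical IP string if value is a listed address, else None."""
    try:
        ip = ipaddress.ip_address(refang(value))
    except ValueError:
        return None
    return str(ip) if str(ip) in IOC_IPS else None


def parse_line(line):
    """Split a log line into timestamp, host and a dict of key=value fields."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    ts, host, rest = parts
    return {"ts": ts, "host": host, **dict(KV_RE.findall(rest))}


def iocs_in_record(rec):
    """Collect every IoC referenced by the query/answer/dst fields of a record."""
    hits = set()
    for key in ("query", "answer", "dst"):
        val = rec.get(key)
        if not val:
            continue
        # Connection destinations carry a :port suffix; strip it before matching.
        if key == "dst" and ":" in val:
            val = val.rsplit(":", 1)[0]
        hit = matches_domain(val) or matches_ip(val)
        if hit:
            hits.add(hit)
    return hits


def scan(log_text):
    """Return (timestamp, host, ioc) for every IoC sighting, in log order."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for ioc in sorted(iocs_in_record(rec)):
            results.append((rec["ts"], rec["host"], ioc))
    return results


if __name__ == "__main__":
    for ts, host, ioc in scan(SAMPLE_LOGS):
        print(f"{ts} {host} matched {ioc}")
```

Two hosts in the sample produce four sightings; in practice the host list feeds the scoping step (which build agents and developer machines resolved or connected to the listed infrastructure during the window), and the first-seen dates in the table bound how far back the sweep should reach.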
