Your network sees everything. Every login. Every data transfer. Every suspicious packet trying to sneak past your defences.
Thursday, April 9, 2026
The Impact of AI on Digital Sovereignty
Artificial intelligence (AI) is reshaping how organizations operate, compete, and innovate. From predictive analytics and automation to generative AI and decision support, AI is becoming deeply embedded in enterprise workflows. The recent 451 Research Voice of the Enterprise (VotE) Agentic AI study revealed that over a third of enterprises (34%) have embedded agents already in use and the vast majority (73%) expect to have them in place within twelve months. But as adoption accelerates, AI is also forcing enterprises and governments to confront a critical question: who truly controls the data, systems, and intelligence powering these technologies?
STARDUST CHOLLIMA Likely Compromises Axios npm Package
On March 31, 2026, a threat actor used stolen maintainer credentials to compromise the widely used HTTP client library Axios Node Package Manager (npm) package and deploy platform-specific ZshBucket variants. CrowdStrike Counter Adversary Operations attributes this activity to STARDUST CHOLLIMA with moderate confidence based on the adversary’s deployment of updated variants of ZshBucket (malware uniquely attributed to STARDUST CHOLLIMA) and overlaps with known STARDUST CHOLLIMA infrastructure.
ZshBucket can be used to target Linux, macOS, and Windows systems; previously, only macOS variants of ZshBucket had been observed. The observed macOS variant in this case extensively reuses code from previous instances, including function names. All variants retain characteristics of previous instances, including how it profiles the user and host of the operating system, and how it sends the collected information.
The adversary made the following significant updates to the functionality and messaging protocol in the ZshBucket instance deployed in this incident compared to previous variants:
- Implemented a common JSON-based messaging protocol for all platform-specific instances
- Implemented commands that enable the operator to inject binary payloads, execute arbitrary scripts and commands, enumerate the file system, and remotely terminate the implant; these commands replace previous instances’ simple download and execute functionality
Related Infrastructure
The domain sfrclak[.]com — hosted at 142.11.206[.]73 and later used as a command-and-control (C2) address — shares a host services banner hash (c373706b3456c36e8baa0a3ee5aed358c1fe07cba04f65790c90f029971e378a) with two additional IP addresses: 23.254.203[.]244 and 23.254.167.216. The IP address 23.254.203[.]244 is a known STARDUST CHOLLIMA IP address first observed in December 2025, and 23.254.167[.]216 was previously used as a C2 server for FAMOUS CHOLLIMA’s InvisibleFerret malware in May 2025. The domain is also registered on the Hostwinds hosting provider, consistent with STARDUST CHOLLIMA’s previously observed operations.
Assessment
CrowdStrike Intelligence attributes this activity to STARDUST CHOLLIMA with moderate confidence based on the use of an updated ZshBucket instance — malware uniquely attributed to STARDUST CHOLLIMA — as well as infrastructure overlaps with STARDUST CHOLLIMA’s previous operations. However, the infrastructure also overlaps with FAMOUS CHOLLIMA operations, precluding a higher confidence assessment.
DPRK-nexus adversaries frequently share infrastructure, and FAMOUS CHOLLIMA has historically deployed DPRK-associated tooling and has extensively abused npm repositories in their operations. As such, FAMOUS CHOLLIMA could be responsible for this incident. However, the updated ZshBucket variants deployed in this supply chain compromise are more technically advanced than the malware FAMOUS CHOLLIMA typically uses, and this incident is more likely attributable to STARDUST CHOLLIMA.
The intended targets of this compromise are unclear. The Axios npm package is a commonly used HTTP client library that is downloaded more than 100,000 times per week. STARDUST CHOLLIMA’s operations prioritize currency generation and regularly target cryptocurrency holders, and the adversary has also conducted widespread supply chain compromises impacting fintech companies’ npm and PyPi repositories. Based on these factors, CrowdStrike Counter Adversary Operations assesses the adversary’s motivation probably aligns with this currency generation objective.
Since the end of Q4 2025, STARDUST CHOLLIMA’s operational tempo has surged and has continued at this pace. This supply chain attack leveraging updated ZshBucket variants is further evidence that the adversary intends to scale their operations in the near term.
Forensic Accountant: How to Become a Forensic Accountant
In an intricate global economy that relies more and more heavily on technology with every passing year, the demand for forensic accountants is expected to grow. But is it the right field for you? What sorts of tasks will you be responsible for performing, what education requirements will you need to complete, and what sort of job outlook or earning potential can you expect in the coming decade? This article answers all of these questions and more so that you can determine whether a forensic accounting degree program might be compatible with your interests, goals, and skills.