Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package
Cybersecurity NewsArchived Jun 01, 2026✓ Full text saved
A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist, the main package repository for PHP projects. The attack takes direct aim at software developers, disguising a dangerous payload as a routine configuration file. This kind of campaign blends in easily with normal development workflows, making […] The post Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package appeared first on Cyber Securit
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package
By Tushar Subhra Dutta
June 1, 2026
A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist, the main package repository for PHP projects.
The attack takes direct aim at software developers, disguising a dangerous payload as a routine configuration file. This kind of campaign blends in easily with normal development workflows, making it especially hard to detect before any damage is done.
The threat group behind this attack is known as Famous Chollima, a North Korean state-sponsored hacking crew with a long history of targeting developers.
They originally gained attention for sneaking operatives into companies as fake employees. More recently, they have turned that tactic around by creating fake job offers and developer tasks to trick engineers into running malicious code on their own machines.
Security researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they discovered malicious JavaScript hidden inside a file called tailwind.js, bundled with the Packagist development version dev-drewroberts/feature/test-case of the PHP package roberts/leads.
The package itself belongs to a legitimate maintainer named Drew Roberts, suggesting either a branch-level compromise or a poisoned workflow injection rather than a wholly fabricated fake package.
The malware sits quietly inside what looks like a standard Tailwind CSS configuration file. The harmful code is tucked away far to the right of the screen, hidden behind a large block of blank space that keeps it invisible during casual code review.
Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js.
The fact that the malicious version is buried in a development branch is a telling sign.
Packagist dev versions require explicit installation commands, meaning victims would likely be directed to run a very specific command, the kind that fits naturally into a fake interview or developer onboarding task.
Famous Chollima appears to have designed this campaign to target one developer at a time rather than cause widespread, noisy infections.
Famous Chollima Hackers Target PHP Developers
The malicious loader inside tailwind.js does not work like ordinary malware that reaches out to a suspicious server.
Instead, it contacts public blockchain services, specifically TRON, Aptos, and BNB Smart Chain, to pull down encrypted payload data stored inside blockchain transaction records.
This dead-drop method means there is no traditional command-and-control domain to block, making detection much harder for standard security tools.
Packagist listed the affected roberts – leads dev branch as an installable version (Source – Socket.dev)
The loader uses hardcoded XOR keys to decrypt the material it retrieves and then runs the result directly inside Node.js using eval().
It can also quietly launch a second hidden process in the background using child_process.spawn() with the windowsHide flag set to true, keeping everything out of sight on Windows systems.
The campaign marker global['!']='9-0264-2' embedded in the code is a known identifier tied to prior Famous Chollima operations, linking this directly to malware families including DEV#POPPER RAT, OmniStealer, and BeaverTail payloads.
Exfiltration Scope and What Developers Are at Risk
The local loader does not directly steal files on its own, but the remote payload it fetches can access nearly everything on the victim’s machine.
Once inside Node.js, the delivered malware can read environment variables holding cloud credentials and CI secrets, grab local files such as .env files and SSH keys, access stored tokens, and run additional processes.
The real damage sits inside the payload retrieved from the blockchain, not in the visible code itself.
Developers should treat any unfamiliar build instruction received during a job interview or remote task as a potential code execution event.
Before running any unknown PHP or JavaScript project, manually inspect files like tailwind.js, webpack.mix.js, vite.config.*, postcss.config.*, and .github/workflows.
Security teams should watch for Node.js processes connecting to blockchain or RPC services during build pipelines, and organizations should avoid exposing long-lived cloud credentials to branch-level builds.
Package consumers should always pin stable, known-good versions and avoid dev branches unless absolutely necessary. The affected Packagist version was reported and has since been removed following Socket’s disclosure.
Indicators of Compromise (IoCs):-
Type Indicator Description
Package Version dev-drewroberts/feature/test-case Affected Packagist dev version of roberts/leads
GitHub Branch drewroberts/feature/test-case Mapped malicious GitHub branch
File Name tailwind.js Affected file containing hidden malicious payload
Branch Commit 6c5c3c7655ce76399af11126b7e9a9058eb2e45d Observed commit hash on affected branch
URL https://packagist.org/packages/roberts/leads Packagist package URL
URL https://github.com/roberts/leads Affected repository URL
SHA-256 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f Archive hash
SHA-256 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3 tailwind.js file hash
TRON Wallet TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP First-stage TRON wallet used as dead-drop payload pointer
TRON Wallet TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG Second-stage TRON wallet used as dead-drop payload pointer
Aptos Address 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e First-stage Aptos fallback identifier
Aptos Address 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3 Second-stage Aptos fallback identifier
XOR Key 2[gWfGj;<:-93Z^C First-stage hardcoded XOR decryption key
XOR Key m6:tTh^D)cBz?NM] Second-stage hardcoded XOR decryption key
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware
Apple’s New Anti-Snatching Feature Will Auto-Lock iPhones When Stolen From Your Hand
GREYVIBE Hackers Leverage ChatGPT and Google Gemini to Fuel Cyberattacks
MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns
PuTTY 0.84 Released With Fix for SSH KEX Crashes and Telnet Prompt Spoofing Flaw
Latest News
Cyber Security News
Microsoft Clarifies It Won’t Sue Security Researchers Amid Nightmare-Eclipse Controversy
Cyber Security
Instagram Meta AI Vulnerability Allegedly Enables Password Reset for Accounts
Cyber Security
Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild
Cyber Security News
Microsoft Releases KB5089573 for Windows 11 to Fix Patch Tuesday Install Issues
Cyber Security News
GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition