CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 01, 2026

Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package

Cybersecurity News Archived Jun 01, 2026 ✓ Full text saved

A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist, the main package repository for PHP projects. The attack takes direct aim at software developers, disguising a dangerous payload as a routine configuration file. This kind of campaign blends in easily with normal development workflows, making […] The post Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package appeared first on Cyber Securit

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package By Tushar Subhra Dutta June 1, 2026 A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist, the main package repository for PHP projects. The attack takes direct aim at software developers, disguising a dangerous payload as a routine configuration file. This kind of campaign blends in easily with normal development workflows, making it especially hard to detect before any damage is done. The threat group behind this attack is known as Famous Chollima, a North Korean state-sponsored hacking crew with a long history of targeting developers. They originally gained attention for sneaking operatives into companies as fake employees. More recently, they have turned that tactic around by creating fake job offers and developer tasks to trick engineers into running malicious code on their own machines. Security researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they discovered malicious JavaScript hidden inside a file called tailwind.js, bundled with the Packagist development version dev-drewroberts/feature/test-case of the PHP package roberts/leads. The package itself belongs to a legitimate maintainer named Drew Roberts, suggesting either a branch-level compromise or a poisoned workflow injection rather than a wholly fabricated fake package. The malware sits quietly inside what looks like a standard Tailwind CSS configuration file. The harmful code is tucked away far to the right of the screen, hidden behind a large block of blank space that keeps it invisible during casual code review. Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js. The fact that the malicious version is buried in a development branch is a telling sign. Packagist dev versions require explicit installation commands, meaning victims would likely be directed to run a very specific command, the kind that fits naturally into a fake interview or developer onboarding task. Famous Chollima appears to have designed this campaign to target one developer at a time rather than cause widespread, noisy infections. Famous Chollima Hackers Target PHP Developers The malicious loader inside tailwind.js does not work like ordinary malware that reaches out to a suspicious server. Instead, it contacts public blockchain services, specifically TRON, Aptos, and BNB Smart Chain, to pull down encrypted payload data stored inside blockchain transaction records. This dead-drop method means there is no traditional command-and-control domain to block, making detection much harder for standard security tools. Packagist listed the affected roberts – leads dev branch as an installable version (Source – Socket.dev) The loader uses hardcoded XOR keys to decrypt the material it retrieves and then runs the result directly inside Node.js using eval(). It can also quietly launch a second hidden process in the background using child_process.spawn() with the windowsHide flag set to true, keeping everything out of sight on Windows systems. The campaign marker global['!']='9-0264-2' embedded in the code is a known identifier tied to prior Famous Chollima operations, linking this directly to malware families including DEV#POPPER RAT, OmniStealer, and BeaverTail payloads. Exfiltration Scope and What Developers Are at Risk The local loader does not directly steal files on its own, but the remote payload it fetches can access nearly everything on the victim’s machine. Once inside Node.js, the delivered malware can read environment variables holding cloud credentials and CI secrets, grab local files such as .env files and SSH keys, access stored tokens, and run additional processes. The real damage sits inside the payload retrieved from the blockchain, not in the visible code itself. Developers should treat any unfamiliar build instruction received during a job interview or remote task as a potential code execution event. Before running any unknown PHP or JavaScript project, manually inspect files like tailwind.js, webpack.mix.js, vite.config.*, postcss.config.*, and .github/workflows. Security teams should watch for Node.js processes connecting to blockchain or RPC services during build pipelines, and organizations should avoid exposing long-lived cloud credentials to branch-level builds. Package consumers should always pin stable, known-good versions and avoid dev branches unless absolutely necessary. The affected Packagist version was reported and has since been removed following Socket’s disclosure. Indicators of Compromise (IoCs):- Type Indicator Description Package Version dev-drewroberts/feature/test-case Affected Packagist dev version of roberts/leads GitHub Branch drewroberts/feature/test-case Mapped malicious GitHub branch File Name tailwind.js Affected file containing hidden malicious payload Branch Commit 6c5c3c7655ce76399af11126b7e9a9058eb2e45d Observed commit hash on affected branch URL https://packagist.org/packages/roberts/leads Packagist package URL URL https://github.com/roberts/leads Affected repository URL SHA-256 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f Archive hash SHA-256 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3 tailwind.js file hash TRON Wallet TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP First-stage TRON wallet used as dead-drop payload pointer TRON Wallet TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG Second-stage TRON wallet used as dead-drop payload pointer Aptos Address 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e First-stage Aptos fallback identifier Aptos Address 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3 Second-stage Aptos fallback identifier XOR Key 2[gWfGj;<:-93Z^C First-stage hardcoded XOR decryption key XOR Key m6:tTh^D)cBz?NM] Second-stage hardcoded XOR decryption key Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware Apple’s New Anti-Snatching Feature Will Auto-Lock iPhones When Stolen From Your Hand GREYVIBE Hackers Leverage ChatGPT and Google Gemini to Fuel Cyberattacks MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns PuTTY 0.84 Released With Fix for SSH KEX Crashes and Telnet Prompt Spoofing Flaw Latest News Cyber Security News Microsoft Clarifies It Won’t Sue Security Researchers Amid Nightmare-Eclipse Controversy Cyber Security Instagram Meta AI Vulnerability Allegedly Enables Password Reset for Accounts Cyber Security Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild Cyber Security News Microsoft Releases KB5089573 for Windows 11 to Fix Patch Tuesday Install Issues Cyber Security News GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 01, 2026
    Archived
    Jun 01, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗