Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package

A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist, the main package repository for PHP projects.

The attack takes direct aim at software developers, disguising a dangerous payload as a routine configuration file. This kind of campaign blends in easily with normal development workflows, making it especially hard to detect before any damage is done.

The threat group behind this attack is known as Famous Chollima, a North Korean state-sponsored hacking crew with a long history of targeting developers.

They originally gained attention for sneaking operatives into companies as fake employees. More recently, they have turned that tactic around by creating fake job offers and developer tasks to trick engineers into running malicious code on their own machines.

Security researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they discovered malicious JavaScript hidden inside a file called tailwind.js, bundled with the Packagist development version dev-drewroberts/feature/test-case of the PHP package roberts/leads.

The package itself belongs to a legitimate maintainer named Drew Roberts, suggesting either a branch-level compromise or a poisoned workflow injection rather than a wholly fabricated fake package.

The malware sits quietly inside what looks like a standard Tailwind CSS configuration file. The harmful code is tucked away far to the right of the screen, hidden behind a large block of blank space that keeps it invisible during casual code review.

Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js.

The fact that the malicious version is buried in a development branch is a telling sign.

Packagist dev versions require explicit installation commands, meaning victims would likely be directed to run a very specific command, the kind that fits naturally into a fake interview or developer onboarding task.

Famous Chollima appears to have designed this campaign to target one developer at a time rather than cause widespread, noisy infections.

Famous Chollima Hackers Target PHP Developers

The malicious loader inside tailwind.js does not work like ordinary malware that reaches out to a suspicious server.

Instead, it contacts public blockchain services, specifically TRON, Aptos, and BNB Smart Chain, to pull down encrypted payload data stored inside blockchain transaction records.

This dead-drop method means there is no traditional command-and-control domain to block, making detection much harder for standard security tools.

Packagist listed the affected roberts/leads dev branch as an installable version (Source: Socket.dev)

The loader uses hardcoded XOR keys to decrypt the material it retrieves and then runs the result directly inside Node.js using eval().

It can also quietly launch a second hidden process in the background using child_process.spawn() with the windowsHide flag set to true, keeping everything out of sight on Windows systems.

The campaign marker global['!']='9-0264-2' embedded in the code is a known identifier tied to prior Famous Chollima operations, linking this directly to malware families including DEV#POPPER RAT, OmniStealer, and BeaverTail payloads.
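As an added triage illustration (not code from the Socket.dev report or the roberts/leads package), the following Node.js script flags the two tricks described above in a constructed tailwind.js: the code parked behind a wide block of whitespace, and the eval()/windowsHide/campaign-marker patterns. The 200-column padding threshold, the pattern names and the sample file are assumptions.

```javascript
// Added triage example (not code from the report or the roberts/leads package).
// Flags, for human review, the hiding and execution tricks described above:
//   1. code parked to the right of a long run of whitespace on one line,
//   2. eval() of runtime data, a child process spawned with windowsHide, and
//      the campaign marker global['!']='9-0264-2'.
// Assumption: 200 or more consecutive spaces/tabs counts as off-screen padding.
const WHITESPACE_PAD_MIN = 200;

// Each hit is a review flag, not proof of compromise.
const SUSPECT_PATTERNS = [
  { kind: 'eval() on runtime data', re: /\beval\s*\(/ },
  { kind: 'hidden child process', re: /windowsHide\s*:\s*true/ },
  { kind: 'known campaign marker',
    re: /global\s*\[\s*['"]!['"]\s*\]\s*=\s*['"]9-0264-2['"]/ },
];

function scanJsConfig(source) {
  const padRe = new RegExp(`[ \\t]{${WHITESPACE_PAD_MIN},}\\S`);
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    const pad = padRe.exec(line);
    if (pad) {
      findings.push({ line: lineNo, kind: 'whitespace-padded code',
        detail: `code resumes at column ${pad.index + pad[0].length}` });
    }
    for (const { kind, re } of SUSPECT_PATTERNS) {
      if (re.test(line)) findings.push({ line: lineNo, kind, detail: re.source });
    }
  });
  return findings;
}

// Constructed sample: an ordinary tailwind.js whose last line carries a
// malicious tail behind 400 spaces, the way the article describes the loader.
const CLEAN = [
  'module.exports = {',
  "  content: ['./resources/**/*.blade.php'],",
  '  theme: { extend: {} },',
  '  plugins: [],',
  '};',
].join('\n');
const HIDDEN_TAIL = "global['!']='9-0264-2';eval(d);" +
  "require('child_process').spawn(process.execPath,['-e',d],{windowsHide:true});";
const SAMPLE = CLEAN + ' '.repeat(400) + HIDDEN_TAIL + '\n';

for (const f of scanJsConfig(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} (${f.detail})`);
}
```

The same scan applies to the other build files the article lists (webpack.mix.js, vite.config.*, postcss.config.*); read each file and pass its contents to scanJsConfig.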

Exfiltration Scope and What Developers Are at Risk

The local loader does not directly steal files on its own, but the remote payload it fetches can access nearly everything on the victim’s machine.

Once inside Node.js, the delivered malware can read environment variables holding cloud credentials and CI secrets, grab local files such as .env files and SSH keys, access stored tokens, and run additional processes.

The real damage sits inside the payload retrieved from the blockchain, not in the visible code itself.

Developers should treat any unfamiliar build instruction received during a job interview or remote task as a potential code execution event.

Before running any unknown PHP or JavaScript project, manually inspect files like tailwind.js, webpack.mix.js, vite.config.*, postcss.config.*, and .github/workflows.

Security teams should watch for Node.js processes connecting to blockchain or RPC services during build pipelines, and organizations should avoid exposing long-lived cloud credentials to branch-level builds.

Package consumers should always pin stable, known-good versions and avoid dev branches unless absolutely necessary. The affected Packagist version was reported and has since been removed following Socket’s disclosure.

Indicators of Compromise (IoCs):

Package Version: dev-drewroberts/feature/test-case (affected Packagist dev version of roberts/leads)
GitHub Branch: drewroberts/feature/test-case (mapped malicious GitHub branch)
File Name: tailwind.js (affected file containing hidden malicious payload)
Branch Commit: 6c5c3c7655ce76399af11126b7e9a9058eb2e45d (observed commit hash on affected branch)
URL: package URL
URL: repository URL
SHA-256: 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f (archive hash)
SHA-256: 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3 (tailwind.js file hash)
TRON Wallet: TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP (first-stage TRON wallet used as dead-drop payload pointer)
TRON Wallet: TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG (second-stage TRON wallet used as dead-drop payload pointer)
Aptos Address: 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e (first-stage Aptos fallback identifier)
Aptos Address: 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3 (second-stage Aptos fallback identifier)
XOR Key: 2[gWfGj;<:-93Z^C (first-stage hardcoded XOR decryption key)
XOR Key: m6:tTh^D)cBz?NM] (second-stage hardcoded XOR decryption key)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package appeared first on Cyber Security News.

Source: cybersecuritynews.com
