Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package


A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist, the main package repository for PHP projects.

The attack takes direct aim at software developers, disguising a dangerous payload as a routine configuration file. This kind of campaign blends in easily with normal development workflows, making it especially hard to detect before any damage is done.

The threat group behind this attack is known as Famous Chollima, a North Korean state-sponsored hacking crew with a long history of targeting developers.

They originally gained attention for sneaking operatives into companies as fake employees. More recently, they have turned that tactic around by creating fake job offers and developer tasks to trick engineers into running malicious code on their own machines.

Security researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they discovered malicious JavaScript hidden inside a file called tailwind.js, bundled with the Packagist development version dev-drewroberts/feature/test-case of the PHP package roberts/leads.

The package itself belongs to a legitimate maintainer named Drew Roberts, suggesting either a branch-level compromise or a poisoned workflow injection rather than a wholly fabricated fake package.

The malware sits inside what looks like a standard Tailwind CSS configuration file. The malicious code is appended to an otherwise ordinary line after a long run of whitespace, so it lands far to the right of the visible editor pane and is easy to miss in a casual code review that neither wraps long lines nor scrolls horizontally.

Once that obfuscated snippet executes under Node.js, it unpacks into a full JavaScript malware loader.

The fact that the malicious version is buried in a development branch is a telling sign.

Composer will not resolve a dev-* version unless it is asked for one explicitly (a dev- constraint on that package, or a relaxed minimum-stability), so a victim would have had to be handed a very specific install command, the kind that fits naturally into a fake interview or developer onboarding task.

Famous Chollima appears to have designed this campaign to target one developer at a time rather than cause widespread, noisy infections.

Famous Chollima Hackers Target PHP Developers

The malicious loader inside tailwind.js does not beacon to an attacker-owned server the way ordinary malware does.

Instead, it contacts public blockchain services, specifically TRON, Aptos, and BNB Smart Chain, to pull down encrypted payload data stored inside blockchain transaction records.

This dead-drop method means there is no attacker-controlled command-and-control domain to block: the traffic goes to public blockchain services that reputation feeds and allowlists rarely flag, which makes detection much harder for standard security tools.

[Figure: Packagist listing showing the affected roberts/leads dev branch as an installable version (Source: Socket.dev)]

The loader uses hardcoded XOR keys to decrypt the material it retrieves and then runs the result directly inside Node.js using eval().

It can also launch a second hidden process in the background using child_process.spawn() with the windowsHide flag set to true, which suppresses the console window a spawned process would otherwise open on Windows and keeps everything out of sight.

The campaign marker global['!']='9-0264-2' embedded in the code is a known identifier tied to prior Famous Chollima operations, linking this directly to malware families including DEV#POPPER RAT, OmniStealer, and BeaverTail payloads.

Exfiltration Scope and What Developers Are at Risk

The local loader does not steal files on its own, but the remote payload it fetches runs with the developer's privileges and can reach anything that account can.

Once inside Node.js, the delivered malware can read environment variables holding cloud credentials and CI secrets, grab local files such as .env files and SSH keys, access stored tokens, and run additional processes.

The real damage sits inside the payload retrieved from the blockchain, not in the visible code itself.

Developers should treat any unfamiliar build instruction received during a job interview or remote task as a potential code execution event.

Before running any unknown PHP or JavaScript project, manually inspect files like tailwind.js, webpack.mix.js, vite.config.*, postcss.config.*, and .github/workflows.

Security teams should watch for Node.js processes connecting to public blockchain RPC endpoints during build pipelines, and organizations should avoid exposing long-lived cloud credentials to branch-level builds.

Package consumers should always pin stable, known-good versions and avoid dev branches unless absolutely necessary. The affected Packagist version was reported and has since been removed following Socket’s disclosure.

Indicators of Compromise (IoCs):

Type | Indicator | Description
Package Version | dev-drewroberts/feature/test-case | Affected Packagist dev version of roberts/leads
GitHub Branch | drewroberts/feature/test-case | Mapped malicious GitHub branch
File Name | tailwind.js | Affected file containing the hidden malicious payload
Branch Commit | 6c5c3c7655ce76399af11126b7e9a9058eb2e45d | Observed commit hash on the affected branch
URL | https://packagist.org/packages/roberts/leads | Packagist package URL
URL | https://github.com/roberts/leads | Affected repository URL
SHA-256 | 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f | Archive hash
SHA-256 | 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3 | tailwind.js file hash
TRON Wallet | TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP | First-stage TRON wallet used as dead-drop payload pointer
TRON Wallet | TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG | Second-stage TRON wallet used as dead-drop payload pointer
Aptos Address | 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e | First-stage Aptos fallback identifier
Aptos Address | 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3 | Second-stage Aptos fallback identifier
XOR Key | 2[gWfGj;<:-93Z^C | First-stage hardcoded XOR decryption key
XOR Key | m6:tTh^D)cBz?NM] | Second-stage hardcoded XOR decryption key
