{"id":13288,"date":"2026-06-01T10:03:49","date_gmt":"2026-06-01T10:03:49","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/01\/famous-chollima-hackers-target-php-developers-using-compromised-packagist-package\/"},"modified":"2026-06-01T10:03:49","modified_gmt":"2026-06-01T10:03:49","slug":"famous-chollima-hackers-target-php-developers-using-compromised-packagist-package","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/01\/famous-chollima-hackers-target-php-developers-using-compromised-packagist-package\/","title":{"rendered":"Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist, the main package repository for PHP projects. <\/p>\n<p class=\"wp-block-paragraph\">The attack takes direct aim at software developers, disguising a dangerous payload as a routine configuration file. This kind of campaign blends in easily with normal development workflows, making it especially hard to detect before any damage is done.<\/p>\n<p class=\"wp-block-paragraph\">The threat group behind this attack is known as Famous Chollima, a North Korean state-sponsored hacking crew with a long history of targeting developers. <\/p>\n<p class=\"wp-block-paragraph\">They originally gained attention for sneaking operatives into companies as fake employees. 
More recently, they have turned that tactic around by <a href=\"https:\/\/cybersecuritynews.com\/fake-crowdstrike-job-offers\/\" id=\"88172\" target=\"_blank\" rel=\"noreferrer noopener\">creating fake job offers and developer tasks to trick engineers<\/a> into running malicious code on their own machines.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/socket.dev\/blog\/famous-chollima-targets-php-developers-through-compromised-packagist-package\" id=\"https:\/\/socket.dev\/blog\/famous-chollima-targets-php-developers-through-compromised-packagist-package\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Security researchers at\u00a0Socket.dev\u00a0said in a report<\/a> shared with Cyber Security News (CSN) that they discovered malicious JavaScript hidden inside a file called\u00a0<code>tailwind.js<\/code>, bundled with the Packagist development version\u00a0<code>dev-drewroberts\/feature\/test-case<\/code>\u00a0of the PHP package\u00a0<code>roberts\/leads<\/code>. <\/p>\n<p class=\"wp-block-paragraph\">The package itself belongs to a legitimate maintainer named Drew Roberts, suggesting either a branch-level compromise or a poisoned workflow injection rather than a wholly fabricated fake package.<\/p>\n<p class=\"wp-block-paragraph\">The malware sits quietly inside what looks like a standard Tailwind CSS configuration file. The harmful code is tucked away far to the right of the screen, hidden behind a large block of blank space that keeps it invisible during casual code review. 
<\/p>\n<p class=\"wp-block-paragraph\">Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js.<\/p>\n<p class=\"wp-block-paragraph\">The fact that the malicious version is buried in a development branch is a telling sign. 
<\/p>\n<p class=\"wp-block-paragraph\">Packagist dev versions require explicit installation commands, meaning victims would likely be directed to run a very specific command, the kind that fits naturally into a fake interview or developer onboarding task. <\/p>\n<p class=\"wp-block-paragraph\">Famous Chollima appears to have designed this campaign to target one developer at a time rather than cause widespread, noisy infections.<\/p>\n<h2 id=\"h-famous-chollima-hackers-target-php-developers\" class=\"wp-block-heading\"><strong>Famous Chollima Hackers Target PHP Developers<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The malicious loader inside\u00a0<code>tailwind.js<\/code>\u00a0does not work like ordinary malware that reaches out to a suspicious server. <\/p>\n<p class=\"wp-block-paragraph\">Instead, it <a href=\"https:\/\/cybersecuritynews.com\/blockchain-for-cybersecurity\/\" id=\"108225\" target=\"_blank\" rel=\"noreferrer noopener\">contacts public blockchain services, specifically TRON<\/a>, Aptos, and BNB Smart Chain, to pull down encrypted payload data stored inside blockchain transaction records. <\/p>\n<p class=\"wp-block-paragraph\">This dead-drop method means there is no traditional command-and-control domain to block, making detection much harder for standard security tools.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiU3KuZA_LLNR_ERix8h2K87rM63BQFP0oVa87I3RckmcFAZ6ue17huOUfTCPY88XUcXI_PAUoh5QkLqtCRjqTTe1WRYbNk643zkNegOZLRn3kMl25R7hv5nvyIkpP0rGh_iEi339Npa9rc5_-JwuEVLBNiQJbMey9-K0TnsWcPeGRXCzadKrMO8USHxOc\/s16000\/Packagist%2520listed%2520the%2520affected%2520roberts%2520-%2520leads%2520dev%2520branch%2520as%2520an%2520installable%2520version%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\" alt=\"Packagist listed the affected roberts\/leads dev branch as an installable version (Source - Socket.dev)\"><figcaption class=\"wp-element-caption\">Packagist listed the affected <code>roberts\/leads<\/code> dev branch as an installable version (Source \u2013 Socket.dev)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">The loader uses hardcoded XOR keys to decrypt the material it retrieves and then runs the 
result directly inside Node.js using\u00a0<code>eval()<\/code>. <\/p>\n<p class=\"wp-block-paragraph\">It can also quietly launch a second hidden process in the background using\u00a0<code>child_process.spawn()<\/code>\u00a0with the\u00a0<code>windowsHide<\/code>\u00a0flag set to true, keeping everything out of sight on Windows systems. <\/p>\n<p class=\"wp-block-paragraph\">The campaign marker\u00a0<code>global['!']='9-0264-2'<\/code>\u00a0embedded in the code is a known identifier tied to prior Famous Chollima operations, linking this directly to malware families including DEV#POPPER RAT, OmniStealer, and BeaverTail payloads.<\/p>\n<h2 id=\"h-exfiltration-scope-and-what-developers-are-at-risk\" class=\"wp-block-heading\"><strong>Exfiltration Scope and What Developers Are at Risk<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The local loader does not directly steal files on its own, but the remote payload it fetches can access nearly everything on the victim\u2019s machine. <\/p>\n<p class=\"wp-block-paragraph\">Once inside Node.js, the delivered malware can read environment variables holding cloud credentials and CI secrets, grab local files such as\u00a0<code>.env<\/code>\u00a0files and SSH keys, access stored tokens, and run additional processes. <\/p>\n<p class=\"wp-block-paragraph\">The real damage sits inside the payload retrieved from the blockchain, not in the visible code itself.<\/p>\n<p class=\"wp-block-paragraph\">Developers should treat any unfamiliar build instruction received during a job interview or remote task as a potential code execution event. 
<\/p>\n<p class=\"wp-block-paragraph\">Before running any unknown PHP or JavaScript project, manually inspect files like\u00a0<code>tailwind.js<\/code>,\u00a0<code>webpack.mix.js<\/code>,\u00a0<code>vite.config.*<\/code>,\u00a0<code>postcss.config.*<\/code>, and\u00a0<code>.github\/workflows<\/code>. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/security-teams-shrink-as-automation-rises\/\" id=\"100650\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams should watch for Node.js processes<\/a> connecting to blockchain or RPC services during build pipelines, and organizations should avoid exposing long-lived cloud credentials to branch-level builds. <\/p>\n<p class=\"wp-block-paragraph\">Package consumers should always pin stable, known-good versions and avoid dev branches unless absolutely necessary. The affected Packagist version was reported and has since been removed following Socket\u2019s disclosure.<\/p>\n<p class=\"wp-block-paragraph\" id=\"h-indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Package Version<\/td>\n<td><code>dev-drewroberts\/feature\/test-case<\/code><\/td>\n<td>Affected Packagist dev version of\u00a0<code>roberts\/leads<\/code>\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Branch<\/td>\n<td><code>drewroberts\/feature\/test-case<\/code><\/td>\n<td>Mapped malicious GitHub branch<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td><code>tailwind.js<\/code><\/td>\n<td>Affected file containing hidden malicious payload<\/td>\n<\/tr>\n<tr>\n<td>Branch Commit<\/td>\n<td><code>6c5c3c7655ce76399af11126b7e9a9058eb2e45d<\/code><\/td>\n<td>Observed commit hash on affected branch<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td><code>https:\/\/packagist.org\/packages\/roberts\/leads<\/code><\/td>\n<td>Packagist package URL<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td><code>https:\/\/github.com\/roberts\/leads<\/code><\/td>\n<td>Affected repository 
URL<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td><code>522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f<\/code><\/td>\n<td>Archive hash<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td><code>96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3<\/code><\/td>\n<td>\n<code>tailwind.js<\/code>\u00a0file hash<\/td>\n<\/tr>\n<tr>\n<td>TRON Wallet<\/td>\n<td><code>TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP<\/code><\/td>\n<td>First-stage TRON wallet used as dead-drop payload pointer<\/td>\n<\/tr>\n<tr>\n<td>TRON Wallet<\/td>\n<td><code>TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG<\/code><\/td>\n<td>Second-stage TRON wallet used as dead-drop payload pointer<\/td>\n<\/tr>\n<tr>\n<td>Aptos Address<\/td>\n<td><code>0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e<\/code><\/td>\n<td>First-stage Aptos fallback identifier<\/td>\n<\/tr>\n<tr>\n<td>Aptos Address<\/td>\n<td><code>0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3<\/code><\/td>\n<td>Second-stage Aptos fallback identifier<\/td>\n<\/tr>\n<tr>\n<td>XOR Key<\/td>\n<td><code>2[gWfGj;&lt;:-93Z^C<\/code><\/td>\n<td>First-stage hardcoded XOR decryption key<\/td>\n<\/tr>\n<tr>\n<td>XOR Key<\/td>\n<td><code>m6:tTh^D)cBz?NM]<\/code><\/td>\n<td>Second-stage hardcoded XOR decryption key<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/famous-chollima-hackers-target-php-developers\/\">Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist, the main package repository for PHP projects. The attack takes direct aim at software developers, disguising a dangerous payload as a routine configuration file. 
This kind [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13288","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13288"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13288"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13288\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13288"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13288"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}