Famous Chollima Hackers Hid Malware In Packagist Package To Target PHP Developers
Security researchers have attributed a malicious development version of a PHP package distributed through Packagist to Famous Chollima, a North Korea-linked threat actor known for targeting software developers with fake job offers, take-home test projects, and trusted development tools.
The campaign involved malicious JavaScript hidden inside a Packagist-listed development version of the legitimate Laravel package roberts/leads. Socket said its researchers found the payload appended to a file named tailwind.js in the dev-drewroberts/feature/test-case version, which mapped to a GitHub branch named drewroberts/feature/test-case.
The attack did not rely on a fake package built from scratch. Instead, the malicious code appeared inside a development branch of the public roberts/leads GitHub repository, which Packagist exposed as an installable version. The package's Packagist listing has since been removed after disclosure.
How The Packagist Attack Worked
According to Socket's research, the malicious JavaScript was appended to the end of what looked like a normal Tailwind CSS configuration. It sat on the same line as legitimate code, after a long run of whitespace, so it was far to the right of the visible editor window and easy to miss during a quick code review.
Once executed, the hidden code acted as a JavaScript loader inside Node.js. It reached out to public blockchain and RPC infrastructure, including TRON, Aptos, and BNB Smart Chain services, to retrieve pointers to the next stage and the encrypted payload itself.
The loader then used hardcoded XOR keys to decrypt the next stage and executed it through Node.js. Socket said this design allowed the attacker to change the remote payload without changing the poisoned package branch.
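The hiding technique above can be checked for mechanically. The following is an added example (not Socket's code and not from the roberts/leads project): a heuristic scanner that flags lines where code resumes after a long run of whitespace, references to public RPC hosts for the chains the article names, and the decode-and-execute primitives a Node.js loader needs. The hostnames, the 40-column gap threshold and the sample tailwind.js contents are assumptions constructed for illustration, not indicators from the article.

```javascript
// Added example: heuristic detection of whitespace-hidden loader code in JS config files.
// Not from the article or the roberts/leads project; hostnames and thresholds are assumed.
"use strict";

// Illustrative public RPC host suffixes for TRON, Aptos and BNB Smart Chain (assumed).
const RPC_HOST_PATTERN = /\b(?:[a-z0-9-]+\.)*(?:trongrid\.io|aptoslabs\.com|binance\.org|bnbchain\.org)\b/i;

// Primitives a loader uses to decode a fetched stage and run it.
const LOADER_PATTERNS = [
  { name: "dynamic-eval",  re: /\b(?:eval|Function)\s*\(/ },
  { name: "child-process", re: /require\(\s*["']child_process["']\s*\)/ },
  { name: "xor-decode",    re: /\^\s*(?:key|k)\b|charCodeAt\([^)]*\)\s*\^/ },
  { name: "buffer-decode", re: /Buffer\.from\([^)]*,\s*["'](?:hex|base64)["']\)/ },
];

// Number of consecutive blanks between two non-blank characters that counts as "hidden".
const WHITESPACE_GAP = 40;

// Scan JavaScript source text and return one finding per (line, indicator).
function scanJavaScript(source) {
  const gapRe = new RegExp(`\\S[ \\t]{${WHITESPACE_GAP},}(\\S)`);
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    const lineNo = i + 1;
    const gap = gapRe.exec(line);
    if (gap) {
      findings.push({ line: lineNo, kind: "whitespace-gap",
        detail: `code resumes at column ${gap.index + gap[0].length} after ${gap[0].length - 2} blanks` });
    }
    const host = RPC_HOST_PATTERN.exec(line);
    if (host) findings.push({ line: lineNo, kind: "rpc-host", detail: host[0] });
    for (const { name, re } of LOADER_PATTERNS) {
      if (re.test(line)) findings.push({ line: lineNo, kind: name, detail: re.source });
    }
  });
  return findings;
}

// A gap alone is sloppy formatting; a gap plus loader primitives is the pattern described above.
function verdict(findings) {
  const kinds = new Set(findings.map(f => f.kind));
  const hidden = kinds.has("whitespace-gap");
  const loader = [...kinds].some(k => k !== "whitespace-gap");
  if (hidden && loader) return "suspicious";
  return loader ? "review" : "clean";
}

// Constructed sample: a plausible tailwind.js whose third line carries inert loader-like
// fragments after 200 blanks. This is test data, not the real payload.
const SAMPLE_TAILWIND_JS = [
  "module.exports = {",
  "  content: ['./resources/**/*.blade.php'],",
  "  theme: { extend: {} }," + " ".repeat(200) +
    "const k=[0x13,0x37],u='https://api.trongrid.io/v1/accounts';" +
    "const d=(b)=>Buffer.from(b,'hex').map((c,i)=>c^k[i%2]);new Function(d(x).toString())();",
  "  plugins: [],",
  "};",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const findings = scanJavaScript(SAMPLE_TAILWIND_JS);
  console.log(verdict(findings), findings);
}
```

Run it against every *.js, *.cjs and *.mjs file that a build executes, not only the ones a reviewer opens; the point of the technique is that the diff viewer and the editor both truncate the line.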
| Item | Details |
|---|---|
| Threat actor | Famous Chollima, linked to North Korea |
| Affected package | roberts/leads |
| Affected version | dev-drewroberts/feature/test-case |
| Affected file | tailwind.js |
| Technique | Hidden JavaScript loader using blockchain services as a dead drop |
| Likely target | Individual developers, especially through interview or task-based lures |
Why Researchers Suspect A Targeted Developer Lure
The malicious code was found in a development version, not in the stable release line. That detail matters because Composer will not pull a dev branch into a project that only asks for stable releases; the victim has to be told to request the branch explicitly (for example with a dev-… version constraint) or to relax the project's stability settings. This reduces the chance of accidental mass installation but fits a targeted lure.
A developer could receive a task during a fake interview and be told to clone a repository or install a specific dev branch. The project would look familiar because it came from a legitimate package and the public GitHub project still appeared to be a normal Laravel package.
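The conditions that make such an install possible are visible in the project's manifest and lock file. The following is an added example (not from the article or from the roberts/leads project) that audits a composer.json and composer.lock for a relaxed minimum-stability, explicit dev-branch constraints, non-Packagist repositories, and dev-branch versions that actually got installed. The JSON below is constructed for illustration; only the roberts/leads version string and commit hash come from the article's indicator table, and the hypothetical project name is made up.

```javascript
// Added example: audit composer.json / composer.lock for dev-branch installs.
// Not the project's code; the sample manifests are constructed for illustration.
"use strict";

// Composer treats "dev-<branch>", "<x>.x-dev" and an "@dev" flag as dev stability.
const DEV_CONSTRAINT = /^dev-|-dev$|@dev\b/;
const DEV_VERSION = /^dev-|-dev$/;

function auditComposer(composerJson, composerLock) {
  const issues = [];
  const manifest = JSON.parse(composerJson);
  const lock = composerLock ? JSON.parse(composerLock) : { packages: [], "packages-dev": [] };

  // Anything below "stable" lets Composer resolve unstable versions project-wide.
  const stability = manifest["minimum-stability"] || "stable";
  if (stability !== "stable") {
    issues.push({ severity: "medium", where: "composer.json",
      detail: `minimum-stability is "${stability}"` });
  }

  // Explicit branch constraints install even when minimum-stability is "stable".
  for (const section of ["require", "require-dev"]) {
    for (const [name, constraint] of Object.entries(manifest[section] || {})) {
      if (DEV_CONSTRAINT.test(constraint)) {
        issues.push({ severity: "high", where: `composer.json ${section}`,
          detail: `${name}: ${constraint}` });
      }
    }
  }

  // Custom VCS/path repositories bypass Packagist entirely (may be an array or an object).
  const repos = Array.isArray(manifest.repositories)
    ? manifest.repositories : Object.values(manifest.repositories || {});
  for (const repo of repos) {
    if (repo && repo.type && repo.type !== "composer") {
      issues.push({ severity: "medium", where: "composer.json repositories",
        detail: `${repo.type}: ${repo.url || "(no url)"}` });
    }
  }

  // The lock file records what was really installed, including the exact commit.
  for (const pkg of [...(lock.packages || []), ...(lock["packages-dev"] || [])]) {
    if (DEV_VERSION.test(pkg.version || "")) {
      const ref = (pkg.source && pkg.source.reference) || "no ref";
      issues.push({ severity: "high", where: "composer.lock",
        detail: `${pkg.name} ${pkg.version} (${ref})` });
    }
  }
  return issues;
}

// Constructed manifests for a hypothetical "interview task" project. Only the
// roberts/leads version and commit are taken from the article's indicator table.
const SAMPLE_COMPOSER_JSON = JSON.stringify({
  name: "acme/interview-task",
  "minimum-stability": "dev",
  "prefer-stable": true,
  require: {
    "laravel/framework": "^11.0",
    "roberts/leads": "dev-drewroberts/feature/test-case",
  },
});
const SAMPLE_COMPOSER_LOCK = JSON.stringify({
  packages: [
    { name: "laravel/framework", version: "v11.0.0", source: { reference: "0000000" } },
    { name: "roberts/leads", version: "dev-drewroberts/feature/test-case",
      source: { type: "git", reference: "6c5c3c7655ce76399af11126b7e9a9058eb2e45d" } },
  ],
  "packages-dev": [],
});

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditComposer(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK));
}
```

A dev-branch constraint is not proof of compromise, since private packages are often tracked by branch, but any such entry that arrives with a recruiter's instructions deserves a look at the branch contents before `composer install` runs.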
This pattern matches the broader Contagious Interview tradecraft described by Microsoft’s threat intelligence team, where attackers pose as recruiters and push developers to run malicious code during a supposed job interview or coding test.
What Famous Chollima Is Known For
CrowdStrike’s Famous Chollima profile tracks the group as a North Korea-linked adversary active since at least 2018. CrowdStrike says the actor has focused on getting freelance or full-time work that can generate income for North Korea, while also deploying malware families such as BeaverTail and InvisibleFerret.
That background helps explain why developer-focused package attacks carry more risk than a normal dependency issue. A compromised developer system can expose source code, SSH keys, cloud credentials, package tokens, CI secrets, and access to private company repositories.

Socket said the visible loader did not directly steal data by itself. Instead, it retrieved and ran remote JavaScript. Once that remote payload runs inside Node.js, it can access environment variables, local files, Git metadata, credentials available to the process, and child process execution.
Blockchain Dead Drops Made Detection Harder
The campaign avoided a traditional command-and-control domain in the first visible stage. Instead, the loader used public blockchain services to retrieve payload pointers and encrypted data.
This technique complicates blocking because security teams may not see a suspicious attacker-controlled domain. They may only see Node.js reaching out to blockchain or RPC endpoints during what looks like a normal development workflow.
In its analysis, Socket also noted overlaps with earlier DPRK-linked malware activity, including DEV#POPPER RAT, OmniStealer, and BeaverTail-family payloads reported in related campaigns.
Practical checks that follow from this tradecraft:
- Watch for Node.js processes contacting TRON, Aptos, or BNB Smart Chain RPC services during builds.
- Review unusual changes in build and configuration files such as tailwind.js, tailwind.config.js, vite.config.*, webpack.mix.js, and postcss.config.*.
- Block or alert on build-time access to blockchain endpoints where it has no business purpose.
- Rotate credentials if a developer ran the affected branch or an unknown interview task.
- Avoid exposing long-lived cloud credentials to local builds or branch-level automation.
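The first and third points above can be turned into a detection rule. The following is an added example (not from the article or from Socket) that runs over constructed egress log lines and alerts when a build-toolchain process connects to a blockchain RPC host. The log format, host names, PIDs and timestamps are assumptions; the article names the chains but no endpoints, so the RPC host suffixes are illustrative public endpoints for those chains, and the allowlist shows how to carve out a host that really does have a business purpose.

```javascript
// Added example: alert on Node.js build processes reaching blockchain RPC hosts.
// Not the article's or Socket's code; log format and hostnames are assumptions.
"use strict";

// Parse `key=value key2="quoted value"` records into an object.
function parseKv(line) {
  const rec = {};
  const re = /(\w+)=("([^"]*)"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) rec[m[1]] = m[3] !== undefined ? m[3] : m[2];
  return rec;
}

// Illustrative public RPC endpoints for the chains named in the article (assumed).
const BLOCKCHAIN_RPC_SUFFIXES = ["trongrid.io", "aptoslabs.com", "binance.org", "bnbchain.org"];

// Toolchain processes that have no reason to talk to a blockchain during a build.
const BUILD_PROCESSES = new Set(["node", "npm", "npx", "yarn", "pnpm"]);

function isBlockchainRpcHost(host) {
  const h = host.toLowerCase();
  return BLOCKCHAIN_RPC_SUFFIXES.some(s => h === s || h.endsWith("." + s));
}

// One alert per matching connection. `allowlist` holds hosts approved for a business purpose.
function detectBlockchainEgress(logText, allowlist = new Set()) {
  const alerts = [];
  logText.split(/\r?\n/).forEach((line, i) => {
    if (!line.trim()) return;
    const r = parseKv(line);
    if (!r.proc || !r.dst) return;
    if (!BUILD_PROCESSES.has(r.proc.toLowerCase())) return;
    if (allowlist.has(r.dst.toLowerCase())) return;
    if (!isBlockchainRpcHost(r.dst)) return;
    alerts.push({ line: i + 1, ts: r.ts, host: r.host, pid: r.pid, dst: r.dst, cmd: r.cmd,
      rule: "build-process-to-blockchain-rpc" });
  });
  return alerts;
}

// Constructed egress log: lines 2, 3 and 5 should alert; the npm registry and
// Packagist traffic should not.
const SAMPLE_EGRESS_LOG = [
  'ts=2024-06-01T10:00:01Z host=ci-runner-3 proc=node pid=4242 dst=registry.npmjs.org dport=443 cmd="npm run build"',
  'ts=2024-06-01T10:00:02Z host=ci-runner-3 proc=node pid=4242 dst=api.trongrid.io dport=443 cmd="npm run build"',
  'ts=2024-06-01T10:00:02Z host=ci-runner-3 proc=node pid=4242 dst=fullnode.mainnet.aptoslabs.com dport=443 cmd="npm run build"',
  'ts=2024-06-01T10:00:03Z host=dev-laptop-7 proc=php pid=9001 dst=repo.packagist.org dport=443 cmd="composer install"',
  'ts=2024-06-01T10:00:04Z host=dev-laptop-7 proc=node pid=9100 dst=bsc-dataseed.binance.org dport=443 cmd="node tailwind.js"',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(detectBlockchainEgress(SAMPLE_EGRESS_LOG));
}
```

Because the hosts are public chain infrastructure rather than attacker-registered domains, the signal is the combination of process and destination, not the destination alone; a wallet team's own tooling would be allowlisted by host, not by chain.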
What Developers And Maintainers Should Do
Developers should treat unfamiliar build steps as code execution, especially during hiring tasks, freelance requests, or recruiter-led assignments. Any instruction to install a specific dev branch deserves extra review before running Composer, npm, Node.js, or framework setup commands.
Maintainers should review branch protection rules, personal access tokens, OAuth apps, Packagist webhooks, deploy keys, and collaborator permissions. The affected Packagist package page no longer appears publicly available, but teams that previously installed the dev branch should still audit local and CI environments.
The safest response includes credential rotation and repository review. Security teams should search for the affected tailwind.js hash, the campaign marker, blockchain endpoints, and any unusual Node.js execution in developer machines or CI logs.
Important Indicators To Check
| Type | Indicator |
|---|---|
| Affected version | dev-drewroberts/feature/test-case |
| Mapped branch | drewroberts/feature/test-case |
| Affected file | tailwind.js |
| Observed commit | 6c5c3c7655ce76399af11126b7e9a9058eb2e45d |
| Archive SHA-256 | 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f |
| tailwind.js SHA-256 | 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3 |
| Campaign marker | global['!']='9-0264-2' |
The main lesson is clear: trusted package ecosystems can still become delivery paths for targeted malware. Developers should not assume a package is safe only because it comes from a familiar platform or a real repository.
The campaign also shows how North Korea-linked actors continue to adapt their developer targeting. Microsoft has described fake developer interviews as an active malware delivery route, and CrowdStrike continues to track Famous Chollima as a state-sponsored actor with a financial objective.
For PHP teams, the practical takeaway is to avoid running unfamiliar dev branches, review configuration files before build execution, and keep secrets out of local and CI environments wherever possible.
FAQ
Which package was affected?
Researchers said the attack affected a Packagist-listed development version of the Laravel package roberts/leads, specifically dev-drewroberts/feature/test-case.
Has the malicious version been removed from Packagist?
Yes. Socket said it reported the affected version to Packagist's security team, and the malicious version was removed after review.
How was the malicious code hidden?
The malicious JavaScript was appended to a file named tailwind.js after a large whitespace gap. This made the code harder to notice during casual review.
What could the malware do once it ran?
The payload ran through Node.js and could retrieve remote malware. Once active, the delivered payload could access environment variables, secrets, local files, Git metadata, and developer credentials available on the machine.
How can developers protect themselves?
Developers should avoid running unfamiliar dev branches, inspect build and configuration files before execution, keep credentials out of local builds, and treat interview coding tasks as potential code execution events.