Famous Chollima Hackers Hide Malware in Legitimate Packagist Package to Target PHP Developers
North Korean threat group Famous Chollima compromised a legitimate PHP package on Packagist, hiding a JavaScript malware loader that retrieves encrypted payloads from blockchain transactions.

The North Korean state-sponsored group Famous Chollima, a cluster widely linked to the Lazarus Group umbrella, has been caught hiding malware inside a legitimate PHP package distributed through Packagist, the main package repository for PHP projects. The attack targets software developers directly, disguising a dangerous payload as a routine configuration file. Because the malicious code arrives through a normal dependency install and is meant to be run as part of an ordinary-looking build step, the campaign blends into everyday development workflows and is hard to catch before any damage is done.
Security researchers at Socket.dev discovered malicious JavaScript hidden inside a file called tailwind.js, bundled with the Packagist development version dev-drewroberts/feature/test-case of the PHP package roberts/leads. The package itself belongs to a legitimate maintainer, Drew Roberts, which points to a branch-level compromise or a poisoned workflow injection rather than a wholly fabricated fake package. The malware sits inside what looks like a standard Tailwind CSS configuration file: the harmful code is placed after a long run of whitespace so that it lands far off the right edge of the screen, where an editor or diff viewer without word wrap never shows it during casual code review.
Once the obfuscated code is executed under Node.js, it unpacks into a full JavaScript malware loader. Because the malicious version lives only in a development branch, a victim would have to be steered into running a very specific command that pulls that branch, the kind of instruction that fits naturally into a fake job interview or a developer onboarding task. Famous Chollima appears to have designed the campaign to target one developer at a time rather than cause widespread, noisy infections.
The malicious loader does not behave like ordinary malware that reaches out to a suspicious server. Instead, it contacts public blockchain services, specifically TRON, Aptos, and BNB Smart Chain, and pulls encrypted payload data stored inside blockchain transaction records. This dead-drop method means there is no traditional command-and-control domain to block, and the operators can swap the payload at any time without touching the package again, which makes detection much harder for standard security tools. The loader uses hardcoded XOR keys to decrypt the material it retrieves and then runs the result directly inside Node.js with eval(). It can also launch a second hidden process in the background using child_process.spawn() with the windowsHide option set to true, which suppresses the console window a spawned process would otherwise get on Windows (the option has no effect on other platforms).
The campaign marker global['!']='9-0264-2' embedded in the code is a known identifier tied to prior Famous Chollima operations, linking this activity to malware families including the DEV#POPPER RAT, OmniStealer, and BeaverTail payloads. The local loader does not steal files on its own, but the remote payload it fetches runs with the full privileges of the developer's account and can reach nearly everything on the machine: environment variables holding cloud credentials and CI secrets, local files such as .env files and SSH keys, stored tokens, and the ability to run additional processes.
Developers should treat any unfamiliar build instruction received during a job interview or remote task as a potential code execution event. A composer require command or composer.json constraint that pins a dev-* branch rather than a tagged release deserves particular suspicion, since that is exactly where this payload was hidden. Before running an unknown PHP or JavaScript project, manually inspect files such as tailwind.js, webpack.mix.js, vite.config.*, postcss.config.*, and .github/workflows, with word wrap enabled or with a check for abnormally long lines so that whitespace-padded code cannot hide off-screen. Security teams should watch for Node.js processes spawned from build pipelines that connect to blockchain or RPC services, and organizations should avoid exposing long-lived cloud credentials to branch-level builds. The affected Packagist version was reported and has since been removed following Socket's disclosure.