Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Chollima Hackers Exploit PHP Developers via Packagist

Chollima Hackers Exploit PHP Developers via Packagist

Posted on June 1, 2026 By CWS

North Korean hackers, known as Famous Chollima, have been identified as embedding malware within a legitimate PHP package hosted on Packagist, the primary repository for PHP projects. This tactic specifically targets software developers, disguising the harmful payload as an ordinary configuration file, making it challenging to spot during routine development processes.

Intricate Tactics and Disguised Threats

Famous Chollima, a North Korean state-sponsored hacking group, has a notorious history of targeting developers. Initially, they infiltrated companies by posing as false employees. More recently, their methods have evolved to include creating deceptive job offers and developer tasks to entice engineers into executing malicious code unknowingly on their systems.

Security experts at Socket.dev revealed that malicious JavaScript was hidden within a file named tailwind.js, part of the development version dev-drewroberts/feature/test-case of the PHP package roberts/leads. This package is associated with a genuine maintainer, Drew Roberts, indicating either a compromise at the branch level or a manipulated workflow injection.

Advanced Malware Concealment Techniques

The malware is cleverly concealed within a file resembling a standard Tailwind CSS configuration, hidden behind extensive blank spaces to avoid detection during casual code reviews. Upon execution, it transforms into a comprehensive JavaScript malware loader within Node.js.

The malicious version’s presence in a development branch suggests victims might be instructed to execute specific commands, potentially during a fake interview or onboarding task, aligning with Famous Chollima’s strategy to target individual developers rather than causing widespread infections.

Utilizing Blockchain for Payload Delivery

Instead of connecting to suspicious servers, the malware loader in tailwind.js accesses public blockchain services such as TRON, Aptos, and BNB Smart Chain to retrieve encrypted payload data stored in blockchain transactions. This approach, which lacks a conventional command-and-control domain, complicates detection using standard security tools.

The loader employs hardcoded XOR keys to decrypt the retrieved data and executes the resultant code within Node.js using eval(). It can also initiate a hidden secondary process using child_process.spawn() with the windowsHide flag, ensuring it remains undetected on Windows systems.

Protective Measures and Key Insights for Developers

The local loader doesn’t directly steal files, but the remote payload it accesses can exploit nearly every aspect of the victim’s system, from reading environment variables containing cloud credentials to accessing local files and tokens. Developers should exercise caution with unfamiliar build instructions, particularly during job interviews or remote assignments. Thoroughly inspect files like tailwind.js, webpack.mix.js, vite.config.*, postcss.config.*, and .github/workflows before executing them.

Security teams should monitor Node.js processes that connect to blockchain or RPC services in build pipelines and avoid exposing long-lived cloud credentials to branch-level builds. Consumers are advised to pin known stable versions and refrain from using development branches unless necessary. The compromised Packagist version has been reported and removed following Socket’s disclosure.

For ongoing updates, follow us on Google News, LinkedIn, and X, and set CSN as a preferred news source on Google.

Cyber Security News Tags:Blockchain, blockchain malware, Chollima hackers, compromised packages, cyber threats, Cybersecurity, developer security, fake job offers, JavaScript loader, Malware, Node.js malware, Packagist attack, PHP security, software developers, Threat Actors

Post navigation

Previous Post: Critical Instagram AI Flaw Exposed by Researchers
Next Post: Phishing Threat Targets Signal Users for Backup Access

Related Posts

New PoC Exploit for Old PostgreSQL Vulnerability New PoC Exploit for Old PostgreSQL Vulnerability Cyber Security News
Multi-Stage Windows Malware Invokes PowerShell Downloader Using Text-based Payloads Using Remote Host Multi-Stage Windows Malware Invokes PowerShell Downloader Using Text-based Payloads Using Remote Host Cyber Security News
GitGuardian Ends 2025 with Strong Enterprise Momentum GitGuardian Ends 2025 with Strong Enterprise Momentum Cyber Security News
SparkKitty Malware Attacking iOS and Android Users to Steal Gallery Images SparkKitty Malware Attacking iOS and Android Users to Steal Gallery Images Cyber Security News
New PyStoreRAT Malware Targets IT and OSINT Experts New PyStoreRAT Malware Targets IT and OSINT Experts Cyber Security News
Top 10 Best Ransomware Protection Solutions In 2025 Top 10 Best Ransomware Protection Solutions In 2025 Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • New SharePoint Security Gap Exploited After Disclosure
  • CISA Highlights Exploited SharePoint Vulnerability
  • Coca-Cola Halts Fairlife Production Following Cyber Attack
  • 7-Zip Flaw Risks Remote Code Execution for Millions
  • Hackers Sentenced for Disrupting London Transport Systems

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • New SharePoint Security Gap Exploited After Disclosure
  • CISA Highlights Exploited SharePoint Vulnerability
  • Coca-Cola Halts Fairlife Production Following Cyber Attack
  • 7-Zip Flaw Risks Remote Code Execution for Millions
  • Hackers Sentenced for Disrupting London Transport Systems

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark