North Korean hackers, known as Famous Chollima, have been identified as embedding malware within a legitimate PHP package hosted on Packagist, the primary repository for PHP projects. This tactic specifically targets software developers, disguising the harmful payload as an ordinary configuration file, making it challenging to spot during routine development processes.
Intricate Tactics and Disguised Threats
Famous Chollima, a North Korean state-sponsored hacking group, has a notorious history of targeting developers. Initially, the group infiltrated companies by posing as employees under false identities. More recently, its methods have evolved to include deceptive job offers and developer tasks designed to entice engineers into unknowingly executing malicious code on their own systems.
Security experts at Socket.dev revealed that malicious JavaScript was hidden within a file named tailwind.js, part of the development version dev-drewroberts/feature/test-case of the PHP package roberts/leads. The package is associated with a genuine maintainer, Drew Roberts, which points to either a compromise at the branch level or an injection through a manipulated workflow.
Advanced Malware Concealment Techniques
The malware is concealed within a file that resembles a standard Tailwind CSS configuration, with the malicious code pushed out of view behind long runs of whitespace so that a casual code review sees only the expected config. Once executed, the file behaves as a full JavaScript malware loader running under Node.js.
The malicious version’s presence in a development branch suggests victims might be instructed to execute specific commands, potentially during a fake interview or onboarding task, aligning with Famous Chollima’s strategy to target individual developers rather than causing widespread infections.
Utilizing Blockchain for Payload Delivery
Instead of connecting to suspicious servers, the loader in tailwind.js queries public blockchain services such as TRON, Aptos, and BNB Smart Chain to retrieve encrypted payload data stored in blockchain transactions. Because there is no conventional command-and-control domain to block, this approach complicates detection with standard security tools.
The loader uses hardcoded XOR keys to decrypt the retrieved data and executes the resulting code within Node.js using eval(). It can also start a hidden secondary process using child_process.spawn() with the windowsHide flag, so that no console window appears on Windows systems and the process stays out of the user's sight.
Protective Measures and Key Insights for Developers
The local loader does not steal files itself, but the remote payload it retrieves can reach nearly everything on the victim's system, from environment variables holding cloud credentials to local files and tokens. Developers should treat unfamiliar build instructions with caution, particularly during job interviews or remote assignments, and should thoroughly inspect files such as tailwind.js, webpack.mix.js, vite.config.*, postcss.config.*, and .github/workflows before executing them.
Security teams should monitor Node.js processes that connect to blockchain or RPC services in build pipelines and avoid exposing long-lived cloud credentials to branch-level builds. Consumers are advised to pin known stable versions and refrain from using development branches unless necessary. The compromised Packagist version has been reported and removed following Socket’s disclosure.
