Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Chollima Hackers Exploit PHP Developers via Packagist

Chollima Hackers Exploit PHP Developers via Packagist

Posted on June 1, 2026 By CWS

North Korean hackers, known as Famous Chollima, have been identified as embedding malware within a legitimate PHP package hosted on Packagist, the primary repository for PHP projects. This tactic specifically targets software developers, disguising the harmful payload as an ordinary configuration file, making it challenging to spot during routine development processes.

Intricate Tactics and Disguised Threats

Famous Chollima, a North Korean state-sponsored hacking group, has a notorious history of targeting developers. Initially, they infiltrated companies by posing as false employees. More recently, their methods have evolved to include creating deceptive job offers and developer tasks to entice engineers into executing malicious code unknowingly on their systems.

Security experts at Socket.dev revealed that malicious JavaScript was hidden within a file named tailwind.js, part of the development version dev-drewroberts/feature/test-case of the PHP package roberts/leads. This package is associated with a genuine maintainer, Drew Roberts, indicating either a compromise at the branch level or a manipulated workflow injection.

Advanced Malware Concealment Techniques

The malware is cleverly concealed within a file resembling a standard Tailwind CSS configuration, hidden behind extensive blank spaces to avoid detection during casual code reviews. Upon execution, it transforms into a comprehensive JavaScript malware loader within Node.js.

The malicious version’s presence in a development branch suggests victims might be instructed to execute specific commands, potentially during a fake interview or onboarding task, aligning with Famous Chollima’s strategy to target individual developers rather than causing widespread infections.

Utilizing Blockchain for Payload Delivery

Instead of connecting to suspicious servers, the malware loader in tailwind.js accesses public blockchain services such as TRON, Aptos, and BNB Smart Chain to retrieve encrypted payload data stored in blockchain transactions. This approach, which lacks a conventional command-and-control domain, complicates detection using standard security tools.

The loader employs hardcoded XOR keys to decrypt the retrieved data and executes the resultant code within Node.js using eval(). It can also initiate a hidden secondary process using child_process.spawn() with the windowsHide flag, ensuring it remains undetected on Windows systems.

Protective Measures and Key Insights for Developers

The local loader doesn’t directly steal files, but the remote payload it accesses can exploit nearly every aspect of the victim’s system, from reading environment variables containing cloud credentials to accessing local files and tokens. Developers should exercise caution with unfamiliar build instructions, particularly during job interviews or remote assignments. Thoroughly inspect files like tailwind.js, webpack.mix.js, vite.config.*, postcss.config.*, and .github/workflows before executing them.

Security teams should monitor Node.js processes that connect to blockchain or RPC services in build pipelines and avoid exposing long-lived cloud credentials to branch-level builds. Consumers are advised to pin known stable versions and refrain from using development branches unless necessary. The compromised Packagist version has been reported and removed following Socket’s disclosure.

For ongoing updates, follow us on Google News, LinkedIn, and X, and set CSN as a preferred news source on Google.

Cyber Security News Tags:Blockchain, blockchain malware, Chollima hackers, compromised packages, cyber threats, Cybersecurity, developer security, fake job offers, JavaScript loader, Malware, Node.js malware, Packagist attack, PHP security, software developers, Threat Actors

Post navigation

Previous Post: Critical Instagram AI Flaw Exposed by Researchers
Next Post: Phishing Threat Targets Signal Users for Backup Access

Related Posts

New ClickFix Attack Uses Fake BBC News Page and Fraudulent Cloudflare Verification to Trick Users New ClickFix Attack Uses Fake BBC News Page and Fraudulent Cloudflare Verification to Trick Users Cyber Security News
Cisco AsyncOS 0-Day Vulnerability Exploited in the Wild to run System-level Commands Cisco AsyncOS 0-Day Vulnerability Exploited in the Wild to run System-level Commands Cyber Security News
Mustang Panda Attacking Windows Users With ToneShell Malware Mimic as Google Chrome Mustang Panda Attacking Windows Users With ToneShell Malware Mimic as Google Chrome Cyber Security News
Android Banking Malware deVixor Actively Targeting Users with Ransomware Capabilities Android Banking Malware deVixor Actively Targeting Users with Ransomware Capabilities Cyber Security News
Cisco Nexus Dashboard Fabric Controller Vulnerability Allows Attackers Device Impersonate as Managed Devices Cisco Nexus Dashboard Fabric Controller Vulnerability Allows Attackers Device Impersonate as Managed Devices Cyber Security News
OpenAI Unveils GPT-5.5-Cyber for Automated Security OpenAI Unveils GPT-5.5-Cyber for Automated Security Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Coca-Cola Halts Fairlife Production Following Cyber Attack
  • 7-Zip Flaw Risks Remote Code Execution for Millions
  • Hackers Sentenced for Disrupting London Transport Systems
  • JetBrains Fixes Critical Security Flaws in Key Products
  • Dutch Police Break Up €100 Million Fraud Network

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Coca-Cola Halts Fairlife Production Following Cyber Attack
  • 7-Zip Flaw Risks Remote Code Execution for Millions
  • Hackers Sentenced for Disrupting London Transport Systems
  • JetBrains Fixes Critical Security Flaws in Key Products
  • Dutch Police Break Up €100 Million Fraud Network

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark