Perceptive Security
SOC/SIEM Consultancy

The North Korean malware loader hides in a Packagist-listed package and its GitHub branch to fetch and execute remote code in a likely Contagious Interview-styl…
Published:
31 May 2026 at 18:41:00
Alert date:
31 May 2026 at 21:00:52
Source:
socket.dev
Supply Chain & Dependencies, Ransomware & Malware, Web Technologies
North Korean threat group Famous Chollima compromised a PHP package on Packagist with malicious JavaScript hidden in a Tailwind configuration file. The malware loader retrieves encrypted payloads from blockchain infrastructure including TRON, Aptos, and BNB Smart Chain. This appears to be part of a Contagious Interview-style attack targeting developers through fake job interviews or coding tasks. The malicious code was confined to a development branch and has been removed from Packagist.
Technical details
Malicious obfuscated JavaScript was appended to tailwind.js in the Packagist development version dev-drewroberts/feature/test-case of the PHP package roberts/leads. The payload is placed after the normal Tailwind configuration, separated from it by a large whitespace gap so that it is not visible at first glance. Once deobfuscated, it behaves as a JavaScript malware loader: it reaches out to blockchain infrastructure including TRON, Aptos, and BNB Smart Chain services, retrieves encrypted payload material, decrypts it with embedded XOR keys, executes the result with eval(), and can launch a detached, hidden Node.js child process. The loader uses blockchain infrastructure as a dead-drop mechanism and can access process.env, including CI secrets, as well as local files, SSH keys, package tokens, and project source code. The malware family is associated with DEV#POPPER RAT, OmniStealer, and BeaverTail-family payloads.
Mitigation steps:
Treat unfamiliar build instructions as code execution events, especially during interviews and coding tests.
Avoid running untrusted dev branches without reviewing their build configuration files.
Inspect composer.json, package.json, webpack.mix.js, vite.config.*, next.config.*, postcss.config.*, tailwind.config.*, tailwind.js, .github/workflows/*, and scripts/* before running unfamiliar projects.
Monitor for Node.js processes contacting blockchain or RPC services during builds.
Restrict CI secrets to the minimum scope, avoid exposing long-lived credentials to branch builds, and rotate credentials after any suspicious execution.
Pin known-good package versions and avoid Packagist dev branches unless required.
Review branch protection rules, GitHub tokens, OAuth applications, Packagist webhooks, deploy keys, and collaborator permissions.
Use the grep commands provided in the source report to scan local files and Git repositories for the indicators listed below.
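As an added example (not code from the socket.dev report or from this alert), a small Python scanner that applies the checks above to a repository's build files: it flags code that follows a long run of blank lines, the loader behaviours named in the technical details (eval(), child_process, detached processes, XOR decoding, process.env access), and the campaign markers from the IOC list. The regexes, the gap threshold and the sample file are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Build files named in the mitigation list above.
CONFIG_GLOBS = ("composer.json", "package.json", "webpack.mix.js", "vite.config.*",
                "next.config.*", "postcss.config.*", "tailwind.config.*", "tailwind.js")
# Campaign markers quoted in the IOC section.
KNOWN_MARKERS = ("global['!']='9-0264-2'", "global['_V']='A9-0264-2'")
# Loader behaviours from the technical details; the regexes are our own assumptions.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "child_process": re.compile(r"child_process|\bspawn\s*\("),
    "detached": re.compile(r"detached\s*:\s*true|\.unref\s*\("),
    "xor_decode": re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    "env_access": re.compile(r"process\.env"),
}
GAP_LINES = 50  # blank lines that count as a "large whitespace gap" (assumed threshold)

def scan_text(text, gap_lines=GAP_LINES):
    """Return {indicator: location} for one file's contents, or {} if clean."""
    findings, run = {}, 0
    for i, line in enumerate(text.split("\n")):  # code after a long blank run?
        if not line.strip():
            run += 1
            continue
        if run >= gap_lines and run > findings.get("whitespace_gap", {}).get("blank_lines", 0):
            findings["whitespace_gap"] = {"blank_lines": run, "content_line": i + 1}
        run = 0
    for name, rx in SUSPICIOUS.items():
        if m := rx.search(text):
            findings[name] = text.count("\n", 0, m.start()) + 1  # 1-based line
    if hits := [mk for mk in KNOWN_MARKERS if mk in text]:
        findings["known_marker"] = hits
    return findings

def scan_repo(root):
    """Scan every matching build file under root; skip installed dependencies."""
    results = {}
    for pattern in CONFIG_GLOBS:
        for path in Path(root).rglob(pattern):
            if not {"node_modules", "vendor"} & set(path.parts):
                if f := scan_text(path.read_text(errors="replace")):
                    results[str(path)] = f
    return results
# Constructed sample: a normal Tailwind config, a 120-line gap, then an inert
# loader-like stub (plain text used only to exercise the scanner).
SAMPLE = ("module.exports = {\n  content: ['./resources/**/*.blade.php'],\n  plugins: [],\n};\n"
          + "\n" * 120 + "global['!']='9-0264-2';var c=require('child_process');eval(d(process.env));\n")
if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Run scan_repo(".") from a checkout before building it; a clean tree returns an empty dict, and any hit names the file, the indicator and the line where it first appears.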
Affected products:
roberts/leads PHP package version dev-drewroberts/feature/test-case
Laravel framework
Packagist package manager
Node.js
Composer
Related links:
https://socket.dev/composer/package/roberts/leads/files?version=dev-drewroberts%2Ffeature%2Ftest-case&path=roberts-leads-6c5c3c7%2Ftailwind.js
https://socket.dev/composer/package/roberts/leads/overview?version=dev-drewroberts%2Ffeature%2Ftest-case
https://github.com/drewroberts
https://github.com/orgs/community/discussions/188732
https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html
https://www.esentire.com/blog/north-korean-apt-malware-analysis-dev-popper-rat-and-omnistealer-everyday-im-shufflin
https://opensourcemalware.com/blog/polinrider-attack
https://usmandev.medium.com/how-two-sophisticated-crypto-stealing-malware-attacks-hit-our-development-team-a-complete-supply-3db4be232491
https://www.tylerhenkel.com/blog/openclaw-malware-attack
https://www.reddit.com/r/github/comments/1sw76n6/obfuscated_code_appeared_only_in_a_git_merge/
https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/
https://packagist.org/packages/roberts/leads
https://github.com/roberts/leads
Related CVEs:
Related threat actors:
IOCs:
SHA-256 (archive): 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f
SHA-256 (tailwind.js): 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3
TRON wallet: TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP
TRON wallet: TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG
Aptos ID: 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e
Aptos ID: 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3
XOR key: 2[gWfGj;<:-93Z^C
XOR key: m6:tTh^D)cBz?NM]
Campaign marker: global['!']='9-0264-2'
Global marker: global['_V']='A9-0264-2'
GitHub commit: 6c5c3c7655ce76399af11126b7e9a9058eb2e45d
File path: tailwind.js
This article was created with the assistance of AI technology by Perceptive.
