Famous Chollima Targets PHP Developers Through Compromised Packagist Package
Blog post from Socket
Malicious obfuscated JavaScript was discovered in the development branch "drewroberts/feature/test-case" of the PHP package "roberts/leads" on Packagist, a legitimate Laravel package associated with Drew Roberts. Socket AI Scanner flagged the code as malware. It sat in the "tailwind.js" file, masquerading as an ordinary Tailwind configuration while actually acting as a JavaScript malware loader.

The malicious code, likely the result of a developer or repository compromise rather than a newly published malicious package, uses blockchain infrastructure (TRON, Aptos, and BNB Smart Chain) to retrieve encrypted payloads, which it then decrypts and executes, potentially launching hidden Node.js processes. The issue was reported to the Packagist security team and to the package maintainer, and the malicious version was removed promptly.

The incident resembles a North Korean APT supply chain attack that targets developers through fake job interviews or developer tasks, exploiting trusted developer infrastructure. Because the attack was confined to a dev/test branch, the risk of accidental mass installation was reduced, but it highlights the need for vigilance when reviewing unfamiliar build instructions and configurations.
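The loader traits the post describes (a build-config file that also pulls in `child_process`, references a blockchain RPC, carries a long encoded blob and spawns a hidden Node.js process) are the kind of thing a reviewer can screen for before running an unfamiliar branch's build. The following is an added example written for this page, not Socket's scanner and not code from the roberts/leads repository: a small heuristic review of JavaScript files that scores each file on those traits. The sample files, the score weights and the RPC hostname fragments in the chain regex (trongrid, aptoslabs) are assumptions chosen for illustration; the chain names themselves come from the post.

```python
"""Heuristic pre-install review of JavaScript files bundled with a package.

Added example for this page (not Socket's scanner). It scores a file on traits
a Tailwind config should never have: code-execution or decryption primitives,
references to blockchain RPC infrastructure, and long high-entropy string blobs.
"""
import math
import re
from collections import Counter

# Primitives that let a "config" file run or decrypt code. Weighted 2 each.
EXEC_PATTERNS = (
    r"\beval\s*\(",
    r"new\s+Function\s*\(",
    r"child_process",
    r"\bspawn\s*\(",
    r"\bexec(?:Sync)?\s*\(",
    r"detached\s*:\s*true",
    r"windowsHide\s*:\s*true",
    r"createDecipheriv",
)
# Chain names are from the post; the hostname fragments (trongrid, aptoslabs)
# are assumed public-gateway names added for illustration. Weighted 3.
CHAIN_RE = re.compile(r"\b(tron(?:web|grid)?|aptos(?:labs)?|bnb|bsc)\b", re.I)
# Quoted literal of 80+ base64/hex-alphabet characters. Weighted 2 if high entropy.
BLOB_RE = re.compile(r"""["']([A-Za-z0-9+/=]{80,})["']""")
ENTROPY_THRESHOLD = 4.5  # bits/char; natural text sits well below this
FLAG_THRESHOLD = 5       # assumed cut-off for "needs a human look"


def shannon_entropy(text):
    """Bits per character of the empirical symbol distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_js(source):
    """Return (score, reasons) for one JavaScript source string."""
    score, reasons = 0, []
    for pat in EXEC_PATTERNS:
        if re.search(pat, source):
            score += 2
            reasons.append(f"exec/decrypt primitive matched: {pat}")
    chains = sorted({m.lower() for m in CHAIN_RE.findall(source)})
    if chains:
        score += 3
        reasons.append(f"blockchain references: {', '.join(chains)}")
    blobs = [b for b in BLOB_RE.findall(source) if shannon_entropy(b) > ENTROPY_THRESHOLD]
    if blobs:
        score += 2
        reasons.append(f"{len(blobs)} high-entropy string blob(s) of 80+ chars")
    return score, reasons


def review(files):
    """Return the names of files whose score reaches FLAG_THRESHOLD."""
    return [name for name, src in files.items() if score_js(src)[0] >= FLAG_THRESHOLD]


# Constructed sample: an ordinary Tailwind config for a Laravel project.
BENIGN_JS = """
/** @type {import('tailwindcss').Config} */
module.exports = {
  content: ["./resources/**/*.blade.php", "./resources/**/*.js"],
  theme: { extend: { colors: { brand: "#1d4ed8" } } },
  plugins: [],
};
"""

# Constructed sample: the same config with a loader-like tail. The blob is a
# hand-made alphabet cycle, not a real payload; the hostname is an assumption.
SUSPICIOUS_JS = """
/** @type {import('tailwindcss').Config} */
module.exports = { content: ["./resources/**/*.blade.php"], theme: { extend: {} }, plugins: [] };
const _0x4c = require("child_process");
const _0x9e = "a0B1c2D3e4F5g6H7i8J9k0L1m2N3o4P5q6R7s8T9u0V1w2X3y4Z5A6b7C8d9E0f1G2h3I4j5K6l7M8n9O0p1Q2r3S4t5U6v7W8x9Y0z+/=";
const rpc = "https://api.trongrid.io";
_0x4c.spawn(process.execPath, [decoded], { detached: true, windowsHide: true });
"""

if __name__ == "__main__":
    for name, src in {"tailwind.js": SUSPICIOUS_JS, "ok.config.js": BENIGN_JS}.items():
        score, reasons = score_js(src)
        print(f"{name}: score={score}")
        for r in reasons:
            print("  -", r)
```

Run as-is to see the two constructed files scored; in practice point `review()` at the `*.js` files of a checked-out branch and read the reasons for anything flagged. The weights are a starting point, not a verdict: a blockchain reference in a build config is the strongest single signal here because a Tailwind configuration has no reason to name a chain at all.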