Famous Chollima Supply Chain Attack Hits PHP Developers via Packagist

Meta Description

Famous Chollima planted malware in a Packagist PHP package to target developers. Learn how this supply chain attack works and how to protect your organization now.

 

Introduction

If you work with PHP, pull packages from Packagist, or hire developers remotely, this story affects you directly.

Security researchers at Socket.dev have confirmed that Famous Chollima, the North Korean state-sponsored threat group, has hidden malware inside a legitimate PHP package available on Packagist. The campaign targets software developers by disguising a dangerous payload as a routine configuration file, making it nearly invisible during normal code review.

The Famous Chollima Packagist PHP supply chain attack is a textbook example of how nation-state threat actors are now turning the developer workflow itself into an attack vector. This is not a noisy, widespread infection campaign. It is a precision strike designed to compromise one developer at a time.

And it gets more technically sophisticated from there. Because once the loader runs, it does not phone home to a suspicious server. It queries the blockchain.

---

What Happened

Socket.dev researchers identified malicious JavaScriptcode hidden inside a file called tailwind.js, bundled within the Packagist development branch version dev-drewroberts/feature/test-case of the PHP package roberts/leads.

The package itself belongs to a legitimate maintainer, Drew Roberts. This means Famous Chollima did not create a fake package from scratch. Instead, they targeted an existing legitimate package, either through a branch-level compromise or a poisoned workflow injection.

Key campaign facts:

• Threat actor: Famous Chollima (North Korean state-sponsored)
• Affected package: roberts/leadson Packagist
• Malicious version: dev-drewroberts/feature/test-case
• Malicious file: tailwind.js
• Delivery method: Fake job interviews, developer onboarding tasks
• C2 method: Blockchain-based dead-drop (TRON, Aptos, BNB Smart Chain)
• Linked malware families: DEV#POPPER RAT, OmniStealer, BeaverTail
• Status: Reported and removed following Socket.dev disclosure

Timeline:

• Malicious branch created and made available via Packagist as an installable dev version
• Targeted developers directed to run a specific install command during fake job interviews or freelance tasks
• Payload retrieved silently from blockchain transaction records
• Socket.dev discovers and reports the malicious package
• Packagist removes the affected version following disclosure

---

Technical Analysis

This campaign is technically sophisticated in ways that go well beyond typical supply chain attacks. Let us break it down layer by layer.

The Hidden Payload Inside tailwind.js

The malicious code is buried inside what looks like a completely normal Tailwind CSS configuration file. The harmful JavaScript is positioned far to the right side of the file, hidden behind a large block of blank whitespace.

During a casual code review, the malicious portion is simply off-screen. You would have to actively scroll horizontally to find it, something most developers do not do when reviewing build dependencies.

Once the obfuscated JavaScript executes, it transforms into a full malware loader running inside Node.js.

Root Cause

The root cause is branch-level package compromise. Rather than creating an entirely fake package and hoping developers stumble across it, Famous Chollima targeted a real, maintained package. The malicious content was injected at the development branch level. Packagist then listed that dev branch as an installable version, giving it a veneer of legitimacy.

Critically, Packagist dev versions require an explicit install command. This is significant. It means victims would need to be directed to run a very specific composer require command. The kind of specific, unusual install instruction that fits naturally into a fake technical interview task or onboarding workflow.

The Attack Chain

Step 1: Social engineering via fake job offer

Famous Chollima contacts a PHP developer, typically posing as a recruiter or technical lead. The developer is invited to complete a coding challenge, technical interview, or onboarding task that involves cloning and running a project.

Step 2: Malicious package installation

The project instructions direct the developer to run a specific Composer command installing the malicious dev branch of roberts/leads. Because the package belongs to a legitimate maintainer and is listed on Packagist, no immediate alarm bells fire.

Step 3: tailwind.js executes

During the build or setup process, Node.js executes tailwind.js. The obfuscated malicious code runs silently. No visible error. No suspicious pop-up. The developer sees a normal-looking project setup.

Step 4: Blockchain dead-drop retrieval

This is where the Famous Chollima Packagist PHP supply chain attack becomes genuinely novel. Instead of connecting to a traditional command-and-control server (which could be blocked or flagged), the loader contacts public blockchain services:

• TRON network
• Aptos blockchain
• BNB Smart Chain

Encrypted payload data is stored inside blockchain transaction records. The loader reads this data, decrypts it using hardcoded XOR keys, and executes the result via eval() inside Node.js.

There is no traditional C2 domain to block. Blockchain transactions are permanent, public, and effectively uncensorable. This represents a significant evolution in malware delivery infrastructure.

Step 5: Hidden secondary process launch

The loader can silently spawn a second background process using child_process.spawn() with the windowsHide flag set to true. On Windows systems, this keeps the process completely invisible to the user.

Step 6: Remote payload execution and data theft

The decrypted remote payload retrieved from the blockchain is where the actual theft occurs. Once inside Node.js, it can:

• Read environment variables containing cloud credentials and CI/CD secrets
• Steal .env files containing API keys and database credentials
• Access SSH private keys and stored authentication tokens
• Grab browser-stored passwords and session cookies
• Execute additional malware stages silently

Campaign Marker and Attribution

The code contains a campaign marker: global['!']='9-0264-2'. This identifier ties the attack directly to prior Famous Chollima operations and known malware families including DEV#POPPER RAT, OmniStealer, and BeaverTail payloads.

This is not a new operation. Famous Chollima has been conducting developer-targeted supply chain attacks for years. This is their playbook, refined and updated.

Why the Famous Chollima Packagist PHP Supply Chain Attack Matters

This is not just a story about one malicious package. It is a story about the systematic targeting of developer trust.

Enterprise impact:

• Compromised developer machines provide direct access to source code repositories, internal systems, and cloud infrastructure
• SSH keys and cloud credentials stolen from a single developer can expose entire production environments
• CI/CD secrets give attackers persistent access to build pipelines, enabling further supply chain poisoning
• Lateral movement from a compromised developer endpoint into internal networks is highly feasible

SMB impact:

• Smaller engineering teams often rely heavily on freelance developers and remote hiring
• Limited security tooling means behavioral anomalies during package installation often go undetected
• A single compromised freelancer machine can expose an entire startup's infrastructure

DevSecOps and pipeline risks:

• Malicious packages running during build processes can inject backdoors into software before it ships
• Blockchain-based C2 bypasses most network security controls designed around domain or IP blocking
• Secrets exposed during development builds can be exploited long after the initial compromise

Financial and regulatory exposure:

• Credential theft from developer machines can lead to cloud account takeover and data breaches
• GDPR, SOC 2, and ISO 27001 obligations may be triggered depending on what data is accessible from compromised developer environments
• The reputational damage from a supply chain breach can far exceed the direct financial cost

The broader threat model:

Famous Chollima has historically used their developer-targeting campaigns to fund North Korean state activities. This is not just espionage. It is revenue generation. The stolen credentials, code, and access are monetized.

---

Five Realistic Famous Chollima Attack Scenarios

Scenario 1: The Fake Technical Interview

A PHP developer applies for a remote contract position through LinkedIn or a freelance platform. The recruiter sends a GitHub repository link and instructions to set up the project locally as part of a technical assessment. The setup instructions include a Composer command installing the malicious dev branch. The developer runs it without suspicion. LegionRelay or BeaverTail executes silently in the background.

Scenario 2: Poisoned Onboarding at a Startup

A startup hires a new remote backend developer. During onboarding, the new hire is given a development environment setup guide that includes specific Composer commands. One of those commands installs the compromised package. Cloud credentials and SSH keys are exfiltrated within minutes of setup completing.

Scenario 3: CI/CD Pipeline Compromise

An automated build pipeline pulls the malicious dev branch of roberts/leads as part of a dependency resolution process. The tailwind.js file executes during the build, reaching out to blockchain-based infrastructure. CI/CD secrets and environment variables are stolen, giving the attacker persistent access to the organization's entire deployment pipeline.

Scenario 4: Freelancer Supply Chain Pivot

A legitimate freelance developer unknowingly installs the malicious package while working on a client project. The stolen SSH key and cloud credentials belong not to the freelancer but to the client's infrastructure. Famous Chollima now has access to an enterprise environment through a third-party contractor, a classic supply chain pivot.

Scenario 5: Credential Theft Enabling Ransomware Staging

Stolen cloud credentials from the compromised developer are used to gain initial access to cloud infrastructure. The threat actor quietly escalates privileges, moves laterally across cloud environments, and stages a ransomware deployment weeks after the initial package installation event. The connection back to the Packagist infection is never made during the initial investigation.

---

Detection and Monitoring Strategies

Detecting the Famous Chollima Packagist PHP supply chain attack and similar campaigns requires security controls specifically designed around developer workflows and build environments.

Logging Recommendations

• Enable full Node.js process execution logging across all developer endpoints
• Log all outbound network connections made during package installation and build processes
• Capture eval() execution events in Node.js environments where possible
• Log all Composer and npm install commands run on developer machines and in CI/CD pipelines
• Enable audit logging on all cloud credential access events

EDR Monitoring

• Alert on Node.js spawning child processes with hidden window flags (windowsHide: true)
• Detect eval() calls executing dynamically retrieved content in Node.js
• Flag outbound connections to blockchain RPC endpoints (TRON, Aptos, BNB Smart Chain) from developer workstations or build servers
• Monitor for file access to .env, .ssh/id_rsa, and credentials store locations during or after package installation
• Alert on new persistence mechanisms created following package installation events

SIEM Correlation Rules

• Correlate Composer install events with subsequent outbound connections to uncommon endpoints
• Alert on blockchain API calls originating from development or build infrastructure
• Flag XOR decryption patterns executed in Node.js processes
• Correlate developer machine cloud API calls with unusual geolocations or access patterns
• Alert on access to CI/CD secret stores from processes spawned during build pipelines

Threat Hunting Guidance

• Hunt for tailwind.jsfiles containing unusually long lines or excessive horizontal whitespace in any repository
• Search for the campaign marker string global['!']='9-0264-2'across all code repositories and build logs
• Hunt for blockchain RPC endpoint connections in network traffic logs from developer machines
• Review all installed Composer packages for dev branch versions that are not pinned to a specific commit hash
• Search for the known IOC SHA-256 hashes in endpoint and build environment file scanning

Identity Security Monitoring

• Alert on cloud credential usage from IP addresses not associated with known developer locations
• Monitor for SSH key usage from new or unrecognized source IP addresses
• Enforce just-in-time access for cloud credentials used in CI/CD pipelines
• Review OAuth token grants and API key creation events following any suspected package compromise
• Implement secrets scanning in all repositories to detect exposed credentials before they can be stolen

---

Mitigation Recommendations

Immediate actions for all PHP development teams:

• Audit all currently installed Composer packages for dev branch versions
• Check installed packages against the known malicious IOCs listed above
• Scan all tailwind.js and similar build configuration files for horizontally hidden content
• Rotate any cloud credentials, SSH keys, or API tokens that may have been accessible on potentially affected machines

Package management hardening:

• Pin all Composer dependencies to specific, known-good version numbers or commit hashes
• Avoid installing dev branches from Packagist unless the specific commit has been manually reviewed
• Implement Composer lock file enforcement across all projects and CI/CD pipelines
• Enable automated software composition analysis (SCA) scanning on all dependency installations
• Use private package mirrors where possible and restrict installation from public Packagist to approved packages only

Developer workflow security:

• Treat any unsolicited instruction to run a specific composer require or npm install command as a potential social engineering attempt
• Establish a policy requiring security review before running any new package installation command received during hiring or contracting workflows
• Manually inspect build configuration files including tailwind.js, webpack.mix.js, vite.config.*, and postcss.config.* for unexpected content
• Review .github/workflows files for unauthorized modifications before running any project

CI/CD and secrets management:

• Store all cloud credentials and CI/CD secrets in dedicated secrets management platforms, not in environment files
• Implement short-lived credentials for all CI/CD pipeline access
• Scan all build environments for blockchain network connections during execution
• Use isolated, ephemeral build environments that are destroyed after each pipeline run
• Implement code signing and integrity verification for all build artifacts

Zero Trust and network controls:

• Block outbound connections to known blockchain RPC endpoints from developer workstations and build servers unless explicitly required
• Apply Zero Trust network access policies to all developer remote access
• Segment developer environments from production infrastructure
• Enforce endpoint security baselines on all developer machines including contractor devices

Security awareness:

• Brief all developers and hiring managers on Famous Chollima's fake interview tactics
• Train engineering teams to recognize social engineering targeting developers specifically
• Establish clear reporting channels for developers who receive suspicious technical task instructions

---

Why Cybersecurity Teams Should Pay Attention to Famous Chollima Packagist PHP Supply Chain Attacks

The Famous Chollima Packagist PHP supply chain attack is not an isolated incident. It is the latest evolution in a sustained, methodical campaign by a sophisticated nation-state threat actor to monetize access to developer environments.

The broader trend:

North Korean threat actors have consistently evolved their tactics. What started as fake IT worker placements inside companies has evolved into precision supply chain attacks targeting developer toolchains. The Packagist attack demonstrates several technical advances:

• Blockchain-based command-and-control infrastructure that defeats traditional C2 blocking
• Branch-level package compromise targeting legitimate maintainer accounts rather than fake packages
• Highly targeted delivery via social engineering that limits noise and avoids automated detection

For SOC and incident response teams:

The use of blockchain as C2 infrastructure represents a significant detection challenge. Blocking TRON or Aptos RPC endpoints may not be feasible in all environments, particularly those that legitimately interact with blockchain infrastructure. This means behavioral detection inside the endpoint becomes even more critical than network-level blocking.

For DevSecOps teams:

Software composition analysis tools that only check for known malicious package names will not catch branch-level compromise of legitimate packages. The integrity of the specific version or branch being installed must be verified, not just the package name.

Strategic implications:

The Famous Chollima Packagist PHP supply chain attack is a reminder that the attack surface for modern organizations extends deep into the software development lifecycle. Every Composer install, every npm package, and every CI/CD pipeline step is a potential injection point.

Organizations that have not extended their security program to cover developer environments and software supply chains are operating with a significant and growing blind spot.

---

Key Takeaway

The Famous Chollima Packagist PHP supply chain attack confirms what penetration testers and threat intelligence teams have been warning about for years: developers are high-value targets, and their workflows are deeply vulnerable.

A single compromised developer machine can expose cloud infrastructure, source code, CI/CD secrets, and internal networks. When the attacker is a North Korean state-sponsored group with a long track record of cryptocurrency theft and corporate espionage, the stakes could not be higher.

Key lessons for every security team:

• Supply chain attacks are now targeting individual developers through fake hiring workflows, not just widespread package poisoning
• Blockchain-based C2 infrastructure defeats traditional network security controls and requires endpoint-level behavioral detection
• Dev branch package versions on public repositories carry significant risk and should never be installed without explicit security review
• The campaign marker global['!']='9-0264-2' links this attack to a broader Famous Chollima operation involving DEV#POPPER RAT, OmniStealer, and BeaverTail
• Legitimate package maintainer accounts can be compromised at the branch level, giving malicious content a false appearance of authenticity

Long-term implications:

The developer ecosystem's reliance on public package repositories is a structural vulnerability that nation-state actors are systematically exploiting. As long as trust in package repositories remains implicit rather than verified, attacks like the Famous Chollima Packagist PHP supply chain attack will continue and evolve.

Proactive guidance summary:

• Audit all Composer dev branch dependencies immediately
• Implement SCA scanning with integrity verification, not just name matching
• Block blockchain RPC connections from development and build environments
• Train developers to recognize fake interview and onboarding social engineering
• Rotate credentials and keys on any machine that may have executed the malicious package
• Hunt for the campaign marker string across all repositories and build logs

---