
North Korean Chollima Group Targets PHP Developers via Malicious Packagist Package

By Kirill Boychenko · 3h ago · 8 min read · News

Summary

A malicious obfuscated JavaScript payload was discovered appended to tailwind.js in dev-drewroberts/feature/test-case, a development version of the otherwise legitimate PHP Laravel package roberts/leads that Packagist exposes as an installable dev version. The malware, flagged by Socket AI Scanner, is attributed to the North Korean threat group Chollima and operates as a loader that fetches and executes remote code. The malicious code appears isolated to that development branch, and the attack follows a likely Contagious Interview-style social engineering lure targeting PHP developers.
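Two things a practitioner would check in their own projects after reading this summary: whether composer.lock resolves any dependency to a Packagist dev branch rather than a tagged release, and whether a vendored JavaScript asset carries an appended loader-style blob at its tail. The Python script below is an added example written for this page; it is not Socket's scanner and not code from the roberts/leads package. The composer.lock contents, repository URLs, commit references, JavaScript snippets, regexes and thresholds in it are constructed stand-ins and assumptions, not the artifacts from the report.

```python
"""Triage helpers for the two signals in the report above: a Composer
dependency resolved to a Packagist dev branch, and an appended loader-style
blob at the end of a vendored JavaScript asset.  Added example for this page;
not Socket's scanner and not code from the roberts/leads package."""
import base64
import json
import math
import re
from collections import Counter

# Composer records VCS branches as "dev-<branch>" (or "<n>.x-dev" for
# numeric branch names) in composer.lock instead of a tagged release.
DEV_VERSION_RE = re.compile(r"^dev-|-dev$")

# Loader primitives and escape-encoded strings that built front-end assets
# rarely need: dynamic evaluation, base64 decoding, hex/unicode escapes.
# Assumed heuristic, not a signature from the report.
LOADER_RE = re.compile(
    r"\b(?:eval|Function)\s*\(|\batob\s*\(|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}"
)


def shannon_entropy(text: str) -> float:
    """Bits per character of text; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def flag_dev_versions(lock_json: str) -> list[tuple[str, str, str]]:
    """Return (name, version, source reference) for every package in a
    composer.lock pinned to a branch rather than a tagged version."""
    lock = json.loads(lock_json)
    flagged = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            version = pkg.get("version", "")
            if DEV_VERSION_RE.search(version):
                ref = pkg.get("source", {}).get("reference", "")
                flagged.append((pkg["name"], version, ref))
    return flagged


def appended_payload_indicators(js_text: str, entropy_threshold: float = 4.8) -> dict:
    """Inspect the final non-empty line of a JavaScript file, where an
    appended payload lands.  Returns the signals that fired, or {} if the
    tail looks like ordinary source or build output."""
    lines = [line for line in js_text.splitlines() if line.strip()]
    if not lines:
        return {}
    last, body = lines[-1], lines[:-1] or lines
    median_len = sorted(len(line) for line in body)[len(body) // 2]
    signals = {}
    if len(last) > 4 * max(median_len, 40):
        signals["long_final_line"] = len(last)
    entropy = shannon_entropy(last)
    if entropy >= entropy_threshold:
        signals["tail_entropy"] = round(entropy, 2)
    hit = LOADER_RE.search(last)
    if hit:
        signals["loader_primitive"] = hit.group(0)
    # A loader primitive alone is enough; size and entropy must agree before
    # firing, so a long but ordinary minified line does not trigger by itself.
    if "loader_primitive" in signals or {"long_final_line", "tail_entropy"}.issubset(signals):
        return signals
    return {}


# ---- Constructed sample inputs (stand-ins, not the artifacts from the report) ----
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.2",
         "source": {"type": "git", "url": "https://example.invalid/framework.git",
                    "reference": "1" * 40}},
        {"name": "roberts/leads", "version": "dev-drewroberts/feature/test-case",
         "source": {"type": "git", "url": "https://example.invalid/leads.git",
                    "reference": "2" * 40}},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "10.x-dev",
         "source": {"type": "git", "url": "https://example.invalid/phpunit.git",
                    "reference": "3" * 40}},
    ],
})

CLEAN_JS = (
    "/** tailwind.js, constructed stand-in for a package's front-end asset */\n"
    "module.exports = {\n"
    "  content: ['./resources/**/*.blade.php'],\n"
    "  theme: { extend: {} },\n"
    "  plugins: [],\n"
    "};\n"
)
# Same file with a constructed loader-style line appended: a base64 blob
# handed to eval(atob(...)), the shape an appended stager typically takes.
_BLOB = base64.b64encode(b"constructed placeholder, not real payload " * 12).decode()
TAMPERED_JS = CLEAN_JS + "var _0x1f=['" + _BLOB + "'];eval(atob(_0x1f[0]));\n"

if __name__ == "__main__":
    for name, version, ref in flag_dev_versions(SAMPLE_LOCK):
        print(f"branch-pinned: {name} {version} @ {ref[:12]}")
    for label, js in (("clean", CLEAN_JS), ("tampered", TAMPERED_JS)):
        print(label, appended_payload_indicators(js) or "no indicators")
```

Point flag_dev_versions at a real composer.lock and appended_payload_indicators at each .js file under vendor/ to triage a project. Both are heuristics for deciding what to look at, not a verdict: a branch-pinned dependency is only a lead, and the right confirmation is to diff that branch against the package's last tagged release and inspect anything the diff adds to shipped assets.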

Key quotes

Socket AI Scanner flagged dev-drewroberts/feature/test-case as known malware after identifying obfuscated JavaScript hidden in tailwind.js, including runtime exposure of Nod
The North Korean malware loader hides in a Packagist-listed package and its GitHub branch to fetch and execute remote code in a likely Contagious Interview-style lure.
The malicious code appears isolated to a specific development branch, drewroberts/feature/test-case, exposed through Packagist as an installable dev version.
