lazarusholic

Famous Chollima Targets PHP Developers Through Compromised Packagist Package

2026-05-31, Socket
https://socket.dev/blog/famous-chollima-targets-php-developers-through-compromised-packagist-package
#ContagiousInterview #FamousChollima

Contents

The North Korean malware loader hides in a Packagist-listed package and its GitHub branch to fetch and execute remote code in a likely Contagious Interview-style lure.
May 31, 2026
We identified malicious obfuscated JavaScript appended to tailwind.js in the Packagist development version dev-drewroberts/feature/test-case of the PHP package roberts/leads. The package itself is a legitimate Laravel package associated with a maintainer, Drew Roberts. The malicious code appears isolated to a specific development branch, drewroberts/feature/test-case, exposed through Packagist as an installable dev version.
The payload is hidden after an otherwise normal Tailwind configuration. Once deobfuscated, it behaves as a JavaScript malware loader. It reaches out to blockchain and public RPC infrastructure, including TRON, Aptos, and BNB Smart Chain services, retrieves encrypted payload material, decrypts it with embedded …

IoC
