Famous Chollima Targets PHP Developers Through Compromised Packagist Package

MITRE Techniques

• [T1195.002 ] Supply Chain Compromise – The malicious code was inserted into a legitimate package development branch and delivered through trusted developer infrastructure (‘poisoned-branch workflow’ and ‘exposed through Packagist as an installable dev version’).
• [T1204.002 ] User Execution: Malicious File – The attack relied on a victim installing or checking out the poisoned dev branch and running the project (‘composer require roberts/leads:dev-drewroberts/feature/test-case’ and ‘clone the GitHub repository and check out the branch’).
• [T1059.007 ] Command and Scripting Interpreter: JavaScript – The payload was JavaScript code that decrypted and executed additional stages in Node.js (‘it behaves as a JavaScript malware loader’ and ‘eval() executes the decrypted payload’).
• [T1027 ] Obfuscated Files or Information – The malicious payload was hidden and obfuscated after a normal configuration block (‘hidden far to the right after a large whitespace gap’ and ‘the appended JavaScript is obfuscated’).
• [T1102.001 ] Web Service: Dead Drop Resolver – The loader used public blockchain and RPC services as a dead drop to retrieve payload pointers (‘TRON and Aptos provide payload pointers’ and ‘BNB Smart Chain RPC services return transaction input data’).
• [T1105 ] Ingress Tool Transfer – The malware retrieved encrypted payload material from remote services before decryption and execution (‘retrieves encrypted payload material’ and ‘return xorDecrypt(encryptedPayload, xorKey)’).
• [T1059 ] Command and Scripting Interpreter – The payload was ultimately run as code within the Node.js environment (‘execute the result with eval()’ and ‘launch a detached hidden Node.js child process’).