Famous Chollima Targets PHP Developers Through Compromised Packagist Package
ID: 9020ee3d-922f-5f70-a200-1fbbe6dd55a1
STIX ID: report--9020ee3d-922f-5f70-a200-1fbbe6dd55a1
Feed Name: Socket Blog
A Packagist development version of the PHP package roberts/leads contained obfuscated JavaScript appended to tailwind.js that functions as a blockchain-based loader: it retrieves encrypted payloads via TRON/Aptos/BSC transaction data, XOR-decrypts them, executes the result with eval, and can spawn a hidden Node.js child process. The IoCs and behavior align with prior DPRK-linked Famous Chollima supply-chain campaigns and suggest a targeted developer lure (e.g., a fake interview) rather than broad distribution.
