EXECUTIVE SUMMARY:
This report covers a malicious supply chain campaign involving multiple PHP themes published on the Packagist repository, in which attackers embedded trojanized versions of jQuery to compromise downstream users. The packages were designed to appear legitimate, increasing the likelihood of adoption by developers seeking ready-to-use themes. By leveraging a trusted ecosystem like Packagist, the threat actors exploited the implicit trust placed in open-source dependencies to distribute malicious code at scale. Once installed, the infected themes introduced hidden JavaScript payloads capable of executing unauthorized actions within web applications. The campaign demonstrates how attackers are increasingly targeting software supply chains rather than individual victims, maximizing impact through indirect compromise. The use of popular libraries such as jQuery further obscures detection, as developers may not scrutinize widely used components. This activity reflects a broader trend of attackers weaponizing open-source repositories to distribute malware, highlighting the risks associated with unverified third-party packages and the need for stronger dependency security practices.
The malicious packages contained modified jQuery files injected with obfuscated JavaScript code designed to execute silently within affected web environments. Upon execution, the payload initiated communication with attacker-controlled infrastructure to fetch additional instructions or deliver secondary payloads. The injected scripts were capable of performing a range of malicious actions, including redirecting website visitors to fraudulent or advertisement-driven domains, injecting unwanted content, and potentially harvesting sensitive user data. Obfuscation techniques were employed to evade detection and hinder manual code review, making the malicious behavior difficult to identify during routine inspections. In some cases, the payload leveraged dynamic execution methods to activate only under specific conditions, further reducing the likelihood of discovery. The campaign also demonstrated persistence by embedding malicious logic directly within commonly used frontend assets, ensuring execution whenever the affected theme was loaded. This approach enabled attackers to maintain control over compromised environments while remaining largely undetected within legitimate application workflows.
This campaign underscores the growing threat posed by software supply chain attacks, particularly within open-source ecosystems where trust and convenience often outweigh security scrutiny. The use of trojanized dependencies in widely accessible repositories highlights the importance of verifying package integrity before integration into production environments. Organizations and developers must adopt proactive security measures such as dependency auditing, integrity verification, and continuous monitoring to detect and mitigate such threats. Implementing strict controls around third-party code usage, including version pinning and the use of trusted sources, can significantly reduce exposure to malicious packages. Additionally, automated security tools capable of identifying obfuscated or suspicious code patterns can enhance detection capabilities. The incident serves as a reminder that even widely trusted libraries can be weaponized when distributed through compromised channels.
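One way to put the integrity verification and obfuscation screening recommended above into practice, as an added example that is not code from the referenced reports: a Python audit script that walks a Composer vendor tree, computes Subresource Integrity (SRI) style sha384 digests of jquery*.js files for comparison against a pinned known-good manifest, and flags the obfuscation patterns this advisory describes (dynamic execution, character-code and base64 decoding, long opaque literals). The empty manifest, the jquery*.js glob and the two sample files are constructed placeholders.

```python
"""Audit vendored jQuery files: integrity against a known-good manifest plus obfuscation heuristics."""
import hashlib
import re
from base64 import b64encode
from pathlib import Path

# Known-good SRI digests keyed by file name. Left empty here (constructed placeholder):
# populate it from the digests published with each official jQuery release.
KNOWN_GOOD_SHA384: dict[str, str] = {}

# Heuristics for the techniques the advisory describes: dynamic execution,
# character-code or base64 decoding, and long opaque literals hiding a payload.
OBFUSCATION_PATTERNS = {
    "dynamic_eval": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "charcode_decode": re.compile(r"String\.fromCharCode\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "long_hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "long_opaque_literal": re.compile(r"[\"'][A-Za-z0-9+/=]{120,}[\"']"),
}

def sri_sha384(data: bytes) -> str:
    """Return the digest in Subresource Integrity form, e.g. 'sha384-<base64>'."""
    return "sha384-" + b64encode(hashlib.sha384(data).digest()).decode("ascii")

def verify_integrity(data: bytes, expected: str) -> bool:
    """True only when the file's digest matches the pinned known-good value."""
    return sri_sha384(data) == expected

def scan_for_obfuscation(js: str) -> list[str]:
    """Return the sorted names of every heuristic that fires on the script text."""
    return sorted(name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(js))

def audit_vendor_dir(root: Path, known_good: dict[str, str]) -> dict[str, dict]:
    """Walk a Composer vendor tree and report on every jquery*.js file (the glob is an assumption)."""
    report = {}
    for path in root.rglob("jquery*.js"):
        data = path.read_bytes()
        expected = known_good.get(path.name)
        report[str(path)] = {
            "digest": sri_sha384(data),
            "integrity_ok": expected is not None and verify_integrity(data, expected),
            "indicators": scan_for_obfuscation(data.decode("utf-8", errors="replace")),
        }
    return report

# Constructed samples: a clean stub and the same stub with a trojan-style tail appended.
CLEAN_SAMPLE = b"/*! jQuery v3.7.1 (constructed stub) */\n(function(w){w.jQuery={};})(window);\n"
TROJANIZED_SAMPLE = CLEAN_SAMPLE + b";eval(String.fromCharCode(118,111,105,100,32,48));\n"
```

A file whose digest differs from the manifest or that trips any heuristic should be treated as a finding to review, not as an automatic verdict, since minified builds can legitimately contain dense literals.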
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1547 | Boot or Logon Autostart Execution | - |
| Defense Evasion | T1027.010 | Obfuscated Files and Information | Command Obfuscation |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Collection | T1056 | Input Capture | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Impact | T1496 | Resource Hijacking | - |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/streaming-sabotage-malicious-packagist-themes-vietnamese-ophimcms/
https://socket.dev/blog/6-malicious-packagist-themes-ship-trojanized-jquery