Malware - Six Packagist Themes Distribute Trojanized jQuery

What Happened

A new supply chain attack has been uncovered, targeting OphimCMS, a popular Vietnamese-language content management system. This system is widely used for creating movie streaming websites. Researchers discovered that six malicious Composer packages were published on Packagist under the ophimcms namespace. These packages were cleverly disguised as legitimate themes for the platform, but they contained trojanized JavaScript assets, primarily fake jQuery libraries.

Each malicious package was designed to redirect visitors, steal browsing data, and inject unauthorized advertisements. The attack was first identified on March 12, 2026, but traces back to at least June 2024, when the first malicious package was introduced. The packages exploited social engineering tactics, linking to repositories under the legitimate ophimcms GitHub organization, misleading developers into thinking they were official releases.

Who's Affected

Developers using OphimCMS and its themes are at risk. The malicious packages were part of a broader set of 26 packages published through the ophimcms GitHub organization. The malicious code was confined to the bundled JavaScript assets, making it nearly impossible to detect through standard code reviews. This attack not only affects individual developers but could also impact end-users who visit websites built with the compromised themes.

The attack is linked to FUNNULL Technology Inc., a Philippines-based infrastructure provider that was sanctioned by the U.S. Department of the Treasury for facilitating over $200 million in cryptocurrency investment scams. This connection raises concerns about the potential scale and impact of the attack, as FUNNULL operates a content delivery network associated with numerous malicious hostnames.

What Data Was Exposed

The trojanized jQuery libraries in the affected themes are designed to log user activity and redirect users to malicious sites. The infection mechanism is particularly deceptive, as it hides within files that appear routine. Each affected package includes a copy of what looks like a standard jQuery library, but malicious code is appended after the legitimate closure, making it difficult to detect.

The malicious payloads can log every page a visitor browses and redirect them to gambling and adult content websites, especially targeting mobile users in specific time zones. This means that sensitive browsing data could be exfiltrated without the users' knowledge, posing significant privacy risks.

What You Should Do

Developers who have used any of the six affected packages should remove them immediately and audit their outbound network traffic for connections to suspicious domains like userstat.net and union.macoms.la. It's also crucial to inspect bundled jQuery files for any appended code after the closing marker. If any affected theme was active, site administrators must inform their users, as their browsing data may have been compromised.

To protect against such attacks, always verify the authenticity of packages before installation. Regularly audit your dependencies and stay informed about potential threats to ensure your applications remain secure.