6 Malicious Packagist Themes Ship Trojanized jQuery and FUNNULL Redirect Payloads

Security researchers identified six malicious Composer packages on Packagist masquerading as OphimCMS themes. These packages contain trojanized JavaScript that executes client-side attacks, including URL exfiltration, ad injection, and redirects to gambling sites operated by the OFAC-sanctioned FUNNULL network.

Sens: Immediate · Conf: high · Analyzed: 2026-03-14

Authors: Socket Threat Research Team

Actors: FUNNULL Technology Inc., binhnguyen1998822, phantom0803

Source: Socket

IOCs · 3

Key Takeaways

  • Six malicious Packagist themes mimicking OphimCMS were found distributing trojanized jQuery payloads.
  • Payloads execute client-side attacks including URL exfiltration, ad injection, click hijacking, and mobile-targeted redirects.
  • The most severe payload connects to infrastructure operated by FUNNULL, an OFAC-sanctioned entity known for cryptocurrency scams.
  • Attackers used social engineering by linking the malicious packages' READMEs to the legitimate OphimCMS GitHub repository.
  • The FUNNULL redirect chain uses environment checks, targeting mobile devices in Chinese timezones and evading headless browsers.

Affected Systems

  • PHP/Laravel environments
  • OphimCMS users
  • Web browsers (Client-side)

Attack Chain

Attackers published malicious Composer packages mimicking legitimate OphimCMS themes on Packagist. When installed, these themes serve trojanized JavaScript files (such as jQuery) to site visitors. The injected JavaScript executes client-side, performing environment checks to evade detection and target specific users, such as mobile devices in Chinese timezones. Depending on the specific package payload, the scripts exfiltrate the visitor's URL, inject unauthorized advertisements, hijack clicks, or redirect the user to gambling and adult sites hosted on sanctioned FUNNULL infrastructure.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Socket

Detection is available via the Socket platform, which scans dependency graphs and flags suspicious asset injections, including via the Socket GitHub App and CLI.

Detection Engineering Assessment

  • EDR Visibility: Low — The malicious activity occurs entirely client-side within the victim's web browser via JavaScript, which standard host-based EDRs on the server will not detect.
  • Network Visibility: Medium — Network monitoring can detect outbound connections from clients to known malicious C2 domains, though server-side network logs will not show this activity.
  • Detection Difficulty: Hard — The payloads are heavily obfuscated, appended to legitimate libraries, and use environment gating (timezones, mobile only, referrer checks) to evade automated analysis and scanners.

Required Log Sources

  • Web Proxy Logs
  • DNS Query Logs
  • Browser Telemetry

Hunting Hypotheses

Hypothesis 1
  • Hypothesis: Monitor web proxy and DNS telemetry for unexpected outbound connections to known malvertising or exfiltration infrastructure originating from client browsers.
  • Telemetry: DNS Query Logs, Web Proxy Logs
  • ATT&CK Stage: Command and Control (T1041)
  • FP Risk: Low

Hypothesis 2
  • Hypothesis: Analyze web traffic for anomalous connections to non-standard ports associated with ad injection command and control servers.
  • Telemetry: Web Proxy Logs, Firewall Logs
  • ATT&CK Stage: Command and Control
  • FP Risk: Medium
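The first hypothesis applied to proxy telemetry, as an added example that is not part of the report: refang the defanged indicators from the Additional IOCs section, reduce them to hostnames, and match each request's destination host, including subdomains of a listed domain. The proxy log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Defanged network indicators copied from the report's "Additional IOCs" section.
DEFANGED_IOCS = [
    "23[.]225[.]52[.]67", "cre-ads[.]com", "xemphimlau[.]com", "im[.]ue8im[.]com",
    "oss-cn-guangzhou[.]ailyunoss[.]com", "dxtv1[.]com", "macoms[.]la",
    "b0ca39f0[.]nqsaaskw[.]com", "g941875[.]cdn[.]nqsaaskw[.]com",
    "hxxp://23[.]225[.]52[.]67:4466/vip344.html",
    "hxxps://union[.]macoms[.]la/jquery.min-3.6.8.js",
]

def refang(ioc: str) -> str:
    """Undo the report's defanging so the value can be compared with live telemetry."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."))

def ioc_hosts(iocs) -> set:
    """Reduce IPs, domains and URLs to a set of lower-case hostnames to match on."""
    hosts = set()
    for ioc in map(refang, iocs):
        host = urlsplit(ioc).hostname if "://" in ioc else ioc
        hosts.add(host.lower())
    return hosts

def host_matches(host: str, hosts: set) -> bool:
    """Exact match, or the name is a subdomain of a listed domain (union.macoms.la -> macoms.la)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))

# Constructed proxy log lines (timestamp, client, method, URL, status); not taken from the report.
SAMPLE_PROXY_LOG = """\
2026-03-14T10:01:02Z 10.0.0.5 GET https://code.jquery.com/jquery-3.7.1.min.js 200
2026-03-14T10:01:03Z 10.0.0.5 GET http://23.225.52.67:4466/vip344.html 200
2026-03-14T10:01:04Z 10.0.0.7 GET https://union.macoms.la/jquery.min-3.6.8.js 200
2026-03-14T10:01:05Z 10.0.0.9 GET https://www.example.com/index.php 200
"""

def hunt_proxy_log(log_text: str, iocs=DEFANGED_IOCS) -> list:
    """Return (client, url) pairs whose destination host hits the IOC set."""
    hosts = ioc_hosts(iocs)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        dest = urlsplit(fields[3]).hostname  # drops the :4466 port on the IP-based C2 URL
        if dest and host_matches(dest, hosts):
            hits.append((fields[1], fields[3]))
    return hits
```

Matching on the host rather than the full URL also catches the FUNNULL second-stage host when it serves a path other than the one listed.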

Control Gaps

  • Server-side dependency scanning that ignores front-end assets
  • Lack of Subresource Integrity (SRI) validation on bundled scripts

Key Behavioral Indicators

  • JavaScript files with obfuscated code appended after the standard closing IIFE
  • Presence of the 'PHPREFS' cookie used for execution throttling
  • localStorage keys starting with 'MPAd_'
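One way to act on these indicators in a dependency audit, as an added example that is not from the report or from Socket: compare each bundled script with the pristine upstream release of the same library, pin the SRI hash of the bytes you reviewed, and flag anything appended after the legitimate code. The library contents and the appended snippet are constructed stand-ins; only the indicator strings come from the report.

```python
import base64
import hashlib
import re

# Strings the report lists as behavioural indicators of the trojanized theme scripts.
INDICATOR_STRINGS = ("PHPREFS", "MPAd_")
# Generic obfuscation tells worth flagging in any appended tail (our heuristic, not the report's).
OBFUSCATION_RE = re.compile(r"\beval\(|\batob\(|\bFunction\(|(?:\\x[0-9a-fA-F]{2}){6,}")

def sri_hash(data: bytes) -> str:
    """Value for a <script integrity="..."> attribute, pinned to the bytes you actually reviewed."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

def audit_asset(shipped: bytes, upstream: bytes) -> dict:
    """Compare a theme's bundled JS file with the pristine upstream release of the same library.

    Reports the SRI hash to pin, whether the bytes match upstream, any tail appended after the
    legitimate library, and which indicators appear in that tail. A file that differs from
    upstream without being a pure append still shows matches_upstream=False and needs review.
    """
    report = {"sri": sri_hash(shipped), "matches_upstream": shipped == upstream,
              "appended_tail": b"", "indicators": []}
    pristine = upstream.rstrip()
    if not report["matches_upstream"] and shipped.startswith(pristine):
        report["appended_tail"] = shipped[len(pristine):]
    tail = report["appended_tail"].decode("utf-8", "replace")
    report["indicators"] = [s for s in INDICATOR_STRINGS if s in tail]
    if OBFUSCATION_RE.search(tail):
        report["indicators"].append("obfuscation-heuristic")
    return report

# Constructed stand-ins: a pristine minified library and a copy with code appended after its
# closing IIFE that uses the cookie and localStorage names from the report. Not the real payload.
UPSTREAM_JS = b"/*! examplelib v1.0 */(function(w){w.examplelib={};})(window);\n"
TROJANIZED_JS = UPSTREAM_JS + (
    b"(function(){if(/PHPREFS/.test(document.cookie))return;"
    b"localStorage.setItem('MPAd_seen','1');})();"
)

if __name__ == "__main__":
    for name, data in (("upstream", UPSTREAM_JS), ("theme copy", TROJANIZED_JS)):
        r = audit_asset(data, UPSTREAM_JS)
        print(name, r["sri"], "matches" if r["matches_upstream"] else f"indicators={r['indicators']}")
```

Pin the integrity value from the upstream release you reviewed, never from the bytes the package ships; an SRI attribute on a script tag that the theme's own templates emit only helps when that HTML is not also under the theme's control.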

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Remove the affected ophimcms themes immediately from all environments.
  • Audit site outbound network requests for connections to identified IOCs.

Infrastructure Hardening

  • Implement Subresource Integrity (SRI) for all external and bundled JavaScript assets.
  • Use dependency scanning tools that analyze front-end assets within packages, not just backend code.

User Protection

  • Notify users who may have visited the site while the malicious theme was active, as their browsing activity may have been exfiltrated.

Security Awareness

  • Train developers to audit bundled assets (JS, CSS) in third-party themes and plugins for unauthorized modifications.

MITRE ATT&CK Mapping

  • T1195.002 - Compromise Software Supply Chain
  • T1027 - Obfuscated Files or Information
  • T1059.007 - JavaScript Execution
  • T1204.001 - User Execution: Malicious Link
  • T1041 - Exfiltration Over C2 Channel
  • T1583.008 - Acquire Infrastructure: Malvertising

Additional IOCs

  • IPs:
    • 23[.]225[.]52[.]67 - Ad injection C2 server
  • Domains:
    • cre-ads[.]com - Click hijacking ad network
    • xemphimlau[.]com - Anti-debug redirect target
    • im[.]ue8im[.]com - Ad image hosting domain
    • oss-cn-guangzhou[.]ailyunoss[.]com - Alibaba Cloud typosquat associated with FUNNULL
    • dxtv1[.]com - FUNNULL device-routing redirect hub
    • macoms[.]la - Typosquat of official MacCMS domain, linked to FUNNULL
    • b0ca39f0[.]nqsaaskw[.]com - FUNNULL CDN routing infrastructure
    • g941875[.]cdn[.]nqsaaskw[.]com - FUNNULL CDN routing infrastructure
  • URLs:
    • hxxp://23[.]225[.]52[.]67:4466/vip344.html - Ad injection C2 endpoint
    • hxxps://union[.]macoms[.]la/jquery.min-3.6.8.js - FUNNULL second-stage payload URL
  • File Hashes:
    • FDFCBF04343F4EB89BAB9EAF40FEE178D9002A42C7949C9BBD24C0E8831A04B0 (SHA256) - Malicious jquery.min-3.6.8.js payload
  • File Paths:
    • jquery.js - Trojanized library file containing appended malicious loaders
    • topinfo.js - Script injecting desktop ads
    • indexbottom.js - Script injecting mobile ads
    • tj.js - Script injecting unauthorized third-party analytics
    • custom926f.js - Obfuscated script used for click hijacking
    • functions.js - Script appended with full-screen overlay ad payload
  • Other:
    • dev@ophim.cc - Threat actor email address
    • opdlnf01@gmail.com - Threat actor email address
    • ophimcms/theme-mtyy - Malicious Composer package
    • ophimcms/theme-rrdyw - Malicious Composer package
    • ophimcms/theme-pcc - Malicious Composer package
    • ophimcms/theme-motchill - Malicious Composer package
    • ophimcms/theme-legend - Malicious Composer package
    • PHPREFS - Cookie used to throttle execution of Attack Chain A
    • MPAd_ - localStorage key prefix used for tracking ad impressions