A sophisticated supply chain attack has been uncovered targeting OphimCMS, a content management system widely used to build Vietnamese-language movie streaming websites. Six malicious Composer packages, masquerading as legitimate themes, were published on Packagist under the “ophimcms” namespace. They shipped trojanized JavaScript, specifically copies of jQuery with malicious code added, designed to redirect visitors, exfiltrate browsing data, and inject unauthorized advertisements. The packages were discovered on March 12, 2026, but the campaign dates back to at least June 2024, pointing to a sustained effort by the threat actors.
Researchers from Socket.dev identified these malicious packages as part of a larger campaign involving 26 packages released through the “ophimcms” GitHub organization. A key tactic was social engineering: the Packagist listings pointed to repositories under the “ophimcms” GitHub organization, while the README files inside the packages directed developers to the legitimate “hacoidev/ophim-core” project, creating a false sense of authenticity. This made the malicious code hard to catch in a standard code review, because everything malicious was confined to bundled JavaScript assets and the PHP codebase looked clean.
Trojanized jQuery Exploited in OphimCMS Supply Chain Attack
The malicious operation is linked to FUNNULL Technology Inc., an infrastructure provider based in the Philippines that was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on May 29, 2025. FUNNULL was sanctioned for its involvement in over $200 million in cryptocurrency investment scams and for operating a content delivery network associated with more than 200,000 malicious hostnames. Disturbingly, a FUNNULL-linked payload found within the “theme-dy” package was actively maintained as late as March 10, 2026, nearly ten months after sanctions were imposed.
Analysis of the “ophimcms” GitHub organization revealed two primary threat actor accounts. The account “binhnguyen1998822,” linked to dev@ophim[.]cc, is credited with creating the most critical package, “theme-dy,” in June 2024. The second account, “phantom0803,” associated with opdlnf01@gmail[.]com, authored packages responsible for injecting advertisements and performing click hijacking. The sophistication of this ophimcms supply chain attack underscores the evolving tactics used by cybercriminals to compromise software ecosystems.
How the Trojanized jQuery Infection Works
The infection mechanism is deceptive because the malicious code hides inside files that look routine. Each compromised package bundles a copy of a standard jQuery library, but malicious code has been appended after the closing jQuery Immediately Invoked Function Expression (IIFE) or integrated directly into the Sizzle CSS selector engine that jQuery embeds, areas that developers rarely inspect closely.
A side-by-side comparison of a clean jQuery 1.9.1 file and the tampered copy shipped in “theme-dy” showed 1,349 bytes of obfuscated code inserted after the legitimate closure. Because the file otherwise reads as ordinary jQuery, the addition is easy to overlook, which makes these compromised themes a significant concern for site administrators.
Within “theme-dy,” two distinct attack chains operate concurrently. The first chain utilizes a Caesar cipher with a character shift of -5 to encode its command and control (C2) domain. It then transmits the current page URL of each visitor to userstat[.]net approximately every 11 hours. This process enables the attackers to silently compile a log of every page browsed by a site’s visitors, irrespective of their geographic location.
The second chain loads a FUNNULL payload from union[.]macoms[.]la. The loader decodes it with a custom Base64 decoder rather than the built-in atob(), a deliberate choice that sidesteps static-analysis rules keyed on that function. The payload itself sits under three layers of obfuscation; once unpacked, it redirects mobile users in Chinese time zones to gambling and adult content websites. The redirect uses window.location.replace(), which replaces the current history entry instead of adding a new one, so the Back button cannot return the victim to the original page.
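Both encodings described in the two chains above (the Caesar-shifted C2 domain and the hand-rolled Base64 decoder), as an added example that is not code from the report or from the malicious packages: Node.js helpers an analyst can run over an extracted blob to brute-force the letter shift and to locate and drive a custom Base64 decoder by its alphabet literal. Assumptions not in the original: the shift is applied to ASCII letters only (the report does not say which alphabet was used), the TLD list is a constructed one, and the sample blob, including the `example.invalid` payload URL, is constructed to imitate the two chains rather than reproduce their code. The alphabet detection goes beyond the text by also catching shuffled alphabets, which a rule that only looks for atob() misses.

```javascript
// Added example, not code from the report or the malicious packages: helpers an analyst can
// run over an extracted blob to recover a Caesar-shifted C2 domain and to find and drive a
// hand-rolled Base64 decoder of the kind used to avoid calling atob().

// Shift ASCII letters by n positions, wrapping within a-z / A-Z; other characters pass through.
// Assumption: the shift applies to letters only; the report does not say which alphabet was used.
function caesarShift(text, n) {
  const k = ((n % 26) + 26) % 26;
  return text
    .replace(/[a-z]/g, c => String.fromCharCode(97 + (c.charCodeAt(0) - 97 + k) % 26))
    .replace(/[A-Z]/g, c => String.fromCharCode(65 + (c.charCodeAt(0) - 65 + k) % 26));
}

// Contents of single- and double-quoted string literals in a JS blob (escapes kept verbatim).
function stringLiterals(blob) {
  return [...blob.matchAll(/(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g)].map(m => m[2]);
}

const DOMAIN_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/;
const LIKELY_TLDS = new Set(["com", "net", "org", "la", "cc", "io"]); // constructed list

// Try every shift on every literal; keep decodes that look like a domain with a plausible
// TLD, and mark those that match a supplied indicator list.
function findShiftedDomains(blob, iocs = new Set()) {
  const hits = [];
  for (const lit of stringLiterals(blob)) {
    if (lit.length < 4) continue;
    for (let shift = 0; shift < 26; shift++) {
      const decoded = caesarShift(lit, shift);
      if (!DOMAIN_RE.test(decoded)) continue;
      const tld = decoded.slice(decoded.lastIndexOf(".") + 1);
      if (iocs.has(decoded) || LIKELY_TLDS.has(tld)) {
        hits.push({ literal: lit, shift, decoded, ioc: iocs.has(decoded) });
      }
    }
  }
  return hits;
}

const STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const STD_B64_SORTED = [...STD_B64].sort().join("");

// A 64-character literal that is a permutation of the Base64 charset is the fingerprint of a
// hand-rolled decoder (standard or shuffled alphabet); an atob()-only rule never sees it.
function findBase64Alphabets(blob) {
  return stringLiterals(blob).filter(
    lit => lit.length === 64 && [...lit].sort().join("") === STD_B64_SORTED
  );
}

// Decode Base64 data with an arbitrary 64-character alphabet; "=" padding is optional.
function decodeWithAlphabet(data, alphabet) {
  const bytes = [];
  let acc = 0, bits = 0;
  for (const ch of data.replace(/=+$/, "")) {
    const v = alphabet.indexOf(ch);
    if (v < 0) throw new Error("character not in alphabet: " + ch);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return Buffer.from(bytes).toString("utf8");
}

// Run all checks; payloads are literals that decode to printable ASCII under a discovered alphabet.
function analyzeBlob(blob, iocs = new Set()) {
  const alphabets = findBase64Alphabets(blob);
  const payloads = [];
  for (const alphabet of alphabets) {
    for (const lit of stringLiterals(blob)) {
      if (lit.length < 8 || lit.length % 4 !== 0) continue;
      if (![...lit].every(c => c === "=" || alphabet.includes(c))) continue;
      const decoded = decodeWithAlphabet(lit, alphabet);
      if (/^[\x20-\x7e]+$/.test(decoded)) payloads.push({ literal: lit, decoded });
    }
  }
  return { alphabets, domains: findShiftedDomains(blob, iocs), payloads };
}

// Constructed blob imitating the two chains (the packages' real code is not reproduced):
// a shifted C2 domain and a payload URL hidden behind a local Base64 decoder.
const SAMPLE_BLOB =
  `(function(){var d="pnzmnovo.izo";var A="${STD_B64}";` +
  `function b(s){var o="",c=0,n=0,i;for(i=0;i<s.length;i++){c=(c<<6)|A.indexOf(s[i]);n+=6;` +
  `if(n>=8){n-=8;o+=String.fromCharCode((c>>n)&255);c&=(1<<n)-1}}return o}` +
  `var p=b("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcC5qcw==");})();`;

console.log(JSON.stringify(analyzeBlob(SAMPLE_BLOB, new Set(["userstat.net"])), null, 2));
```

Feed `analyzeBlob` the bytes found after the jQuery closure (or the Sizzle section) together with the indicator domains from the advisory. A literal that only becomes a real domain at one particular shift, and a 64-character alphabet literal sitting next to a function that indexes into it, are the two artefacts to look for; the shuffled-alphabet case is why the detector compares sorted characters rather than the literal string.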
To mitigate this threat, developers running any of the six affected packages are strongly advised to remove them immediately. It is also crucial to audit outbound network traffic for connections to userstat[.]net, union[.]macoms[.]la, 23[.]225[.]52[.]67:4466, or cre-ads[.]com. Administrators should inspect bundled jQuery files for any code appended after the closing “})(window);” marker and, more reliably, compare each file's hash with the upstream jQuery release of the same version. Where an affected theme was active, site administrators should proactively inform their users that browsing data may have been exfiltrated. Any domain resolving through .nqsaaskw[.]com CNAMEs should be treated as FUNNULL infrastructure.
The ongoing investigation into the full scope of this ophimcms supply chain attack is expected to reveal more about the actors involved and their methods. The continued maintenance of malicious payloads post-sanctions suggests a resilient and determined threat actor group, necessitating ongoing vigilance from developers and security professionals.

