Six Malicious Packagist Themes Deliver Trojanized jQuery Payloads

Security researchers have identified six malicious Composer packages on Packagist that claim to be legitimate themes for OphimCMS, a Laravel-based content management system used for movie streaming websites.

The packages were published under the ophimcms namespace and were designed to look like normal theme files. But instead of only delivering front-end code, they secretly shipped trojanized JavaScript, mostly hidden inside fake jQuery libraries.

The malicious packages include theme-dy, theme-mtyy, theme-rrdyw, theme-pcc, theme-motchill, and theme-legend. According to the analysis, the harmful code was placed inside bundled JavaScript assets, not in the PHP codebase.

That made the packages harder to spot because developers reviewing only the server-side files would likely miss the attack.

Researchers said the malicious themes were still live on Packagist when the report was published, and that takedown requests had been submitted.

Hidden jQuery, Redirects, and Data Theft

The main attack method involved using a legitimate-looking jQuery file with additional malicious code added. In some cases, the code was appended after the normal jQuery closure. In others, it was injected deeper into the file to avoid easy detection.

Socket's AI Scanner flagging the obfuscated second-stage loader from FUNNULL-operated infrastructure (Source: socket)

Three themes were found sending victims’ current page URLs to userstat[.]net, effectively leaking browsing activity.

Another payload in theme-dy downloaded a second-stage script from union[.]macoms[.]la, infrastructure linked by multiple security researchers to FUNNULL Technology.

That second-stage code focused on mobile users, checking platform type, local time, referrer data, cookies, and even whether the visitor was likely an analyst or site administrator.

If the conditions matched, users were redirected to gambling or adult-content pages. The redirect used window.location.replace(), which prevents the browser’s back button from easily returning to the original page.

Other themes used different payloads. One injected desktop and mobile ads, another hijacked clicks by opening the real link in a new tab while forcing the current page to an ad destination. One theme created full-screen overlay ads, while another used anti-debugging tricks to block inspection and redirect analysts away from the page.

Why This Supply Chain Threat Matters

The campaign shows how theme and plugin ecosystems can become software supply chain risks. These packages looked like normal OphimCMS themes and even linked to the legitimate OphimCMS project in their README files, likely to build trust.

Git commit history for theme-dy showing contributions from both binhnguyen1998822 (June-July 2024) and phantom0803 (December 2025), confirming both accounts have write access to the ophimcms organization (Source: socket)

Researchers from Socket also found links between two GitHub accounts contributing to the same package set, suggesting either collaboration or one operator using multiple identities.

Packagist Themes Ship Malware (Source: socket)

The impact is serious because the malicious code runs in the visitor’s browser, not just on the site owner’s system.

That means every user who loads a page served by an infected theme may experience URL exfiltration, ad injection, click hijacking, or unwanted redirects.

| Package Name | Composer Name | Malicious Behavior |
|---|---|---|
| theme-dy | ophimcms/theme-dy | FUNNULL redirect, URL exfiltration, and analytics injection |
| theme-mtyy | ophimcms/theme-mtyy | URL exfiltration |
| theme-rrdyw | ophimcms/theme-rrdyw | URL exfiltration, ad injection, and analytics injection |
| theme-pcc | ophimcms/theme-pcc | Click hijacking and ad injection |
| theme-motchill | ophimcms/theme-motchill | Full-screen overlay ads |
| theme-legend | ophimcms/theme-legend | Anti-debugging and redirect |

With about 2,750 installs across the six packages, the case is a reminder that developers must audit bundled JavaScript assets, not just backend code, before trusting third-party packages.


The post Six Malicious Packagist Themes Deliver Trojanized jQuery Payloads appeared first on Cyber Security News.
