A new supply chain attack has hit OphimCMS, a Vietnamese-language Laravel content management system that is very popular for building movie streaming sites. Six malicious Composer packages were uploaded to Packagist under the ophimcms namespace, carefully disguised as real themes for the platform. Each package contains trojanized JavaScript files, mostly fake jQuery libraries, designed to redirect visitors to other sites, steal their browsing data, and inject ads without permission.

The threat was found on March 12, 2026, and it goes back to at least June 2024, when the first malicious package was released. The packages used a classic social engineering trick: their Packagist listings linked to repositories in the ophimcms GitHub organization, but the README file in each package pointed to the real hacoidev/ophim-core project.

Inspect bundled jQuery files for any code after the closing })(window); marker. If any of the affected themes were active, site admins should notify their users, because their browsing data may have been stolen. Treat any domain that resolves through .nqsaaskw[.]com CNAMEs as FUNNULL infrastructure.
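The jQuery check described above, as an added example that is not code from the original article or from the OphimCMS project: a Python scan that reports every jQuery-named file with code after the last })(window); marker. The whitespace-tolerant marker pattern, the function names and the sample strings are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Closing marker named in the article, matched with optional whitespace
# (assumption: unminified builds may write it as "})( window );").
MARKER = re.compile(r"\}\)\(\s*window\s*\)\s*;")
# Block and line comments, e.g. a trailing sourceMappingURL line.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def trailing_code(source):
    """Return the code found after the last closing marker.

    None means the marker is absent (the file needs manual review);
    an empty string means only whitespace and comments follow it.
    """
    matches = list(MARKER.finditer(source))
    if not matches:
        return None
    tail = source[matches[-1].end():]
    return COMMENTS.sub("", tail).strip()

def scan_tree(root):
    """Map each suspicious jQuery-named .js file under root to a verdict."""
    findings = {}
    for path in sorted(Path(root).rglob("*.js")):
        if "jquery" not in path.name.lower():
            continue
        tail = trailing_code(path.read_text(encoding="utf-8", errors="replace"))
        if tail is None:
            findings[str(path)] = "marker not found, review manually"
        elif tail:
            findings[str(path)] = f"{len(tail)} chars after marker: {tail[:60]!r}"
    return findings

# Constructed samples, not taken from the malicious packages.
CLEAN = "(function(window){window.jQuery={};})(window);\n//# sourceMappingURL=jquery.min.map\n"
APPENDED = CLEAN + "(function(){var s=document.createElement('script');})();\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, verdict in scan_tree(root).items():
        print(f"{name}: {verdict}")
```

A file that passes this check is not proven clean, since appended code that itself ends with the same marker leaves nothing after it. Comparing each file's hash with the official jQuery release of the same version is the stronger test.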