Security researchers at Socket have identified six malicious Composer packages on Packagist that pose as legitimate OphimCMS themes. OphimCMS is a Laravel-based content management system used to build movie streaming websites. The packages were published under the ophimcms namespace and were made to look like ordinary theme files.
Instead of shipping only front-end code, they quietly delivered trojanized JavaScript, most of it hidden inside fake jQuery libraries. The malicious packages are theme-dy, theme-mtyy, theme-rrdyw, theme-pcc, theme-motchill, and theme-legend. The analysis found that the malicious code lived not in the PHP codebase but in the bundled JavaScript assets, which made it easy to miss: a developer who reviewed only the server-side files would most likely have overlooked the attack.
The researchers said the malicious themes were still live on Packagist at the time the report was published and that takedown requests had been filed.
Hidden jQuery, redirects, and stolen data
The primary delivery mechanism was a jQuery file that looked legitimate but carried additional malicious code. In some cases the code was appended after the regular jQuery closure; in others it was buried deeper inside the file so that it would not stand out.
[Image: Socket's AI Scanner flagging the hidden second-stage loader served from FUNNULL-operated infrastructure (Source: Socket)]
Three of the themes sent the visitor's current page URL to userstat[.]net, effectively leaking their browsing activity. A separate payload in theme-dy downloaded a second-stage script from union[.]macoms[.]la, a domain that multiple security researchers have linked to FUNNULL Technology.
The second-stage code profiled mobile visitors, checking the platform type, local time, referrer, cookies, and even whether the visitor was likely to be an analyst or a site administrator. When the conditions matched, the visitor was redirected to gambling or adult-content pages. The redirect used window.location.replace(), which overwrites the current history entry so that the browser's back button cannot return the visitor to the original page.
The remaining themes carried different payloads. One injected ads on both desktop and mobile; another hijacked clicks by opening the real link in a new tab while navigating the current page to an ad destination. One produced full-screen overlay ads, and one used anti-debugging tricks to frustrate inspection and send analysts to a different page.
Why This Threat to the Supply Chain Is Important
The campaign shows that theme and plugin ecosystems are a practical software supply-chain vector. The packages looked like ordinary OphimCMS themes and even linked to the real OphimCMS project in their README files, presumably to borrow its credibility. The Git commit history for theme-dy records changes by both binhnguyen1998822 (June–July 2024) and phantom0803 (December 2025), which shows that both accounts had write access to the ophimcms organization (Source: Socket).
Socket researchers also found links between the two GitHub accounts, both of which worked on the same package set. That could mean two people collaborating, or one person operating more than one identity.
[Image: Packagist themes shipping malware (Source: Socket)]
The impact is magnified because the malicious code runs in the visitor's browser, not only on the site owner's server. Every visitor who loads a page served by an infected theme may have their URL leaked, ads injected, clicks hijacked, or be redirected without their consent.
Package          Composer name             Malicious behavior
theme-dy         ophimcms/theme-dy         FUNNULL redirect, URL exfiltration, analytics injection
theme-mtyy       ophimcms/theme-mtyy       URL exfiltration
theme-rrdyw      ophimcms/theme-rrdyw      URL exfiltration, ad injection, analytics injection
theme-pcc        ophimcms/theme-pcc        Click hijacking, ad injection
theme-motchill   ophimcms/theme-motchill   Full-screen overlay ads
theme-legend     ophimcms/theme-legend     Anti-debugging and redirect
With roughly 2,750 installs across the six packages, the case is a reminder that developers must audit bundled JavaScript assets, not just backend code, before trusting third-party packages.