Security notice: malicious JavaScript observed in Packagist dev version dev-drewroberts/feature/test-case

[socket-threat-research-team]

Hi Drew,

Socket threat research team here. We identified what appears to be malicious obfuscated JavaScript appended to tailwind.js in the Packagist dev version dev-drewroberts/feature/test-case of roberts/leads, which maps to the GitHub branch drewroberts/feature/test-case.

The suspicious code appears after the normal Tailwind config and is also visible in the package file view here:

https://socket.dev/composer/package/roberts/leads/files?version=dev-drewroberts%2Ffeature%2Ftest-case&path=roberts-leads-6c5c3c7%2Ftailwind.js (also in https://github.com/roberts/leads/blob/drewroberts/feature/test-case/tailwind.js).

Based on our analysis, this appears to be a blockchain-C2 JavaScript malware loader. The loader retrieves encrypted payloads via TRON/Aptos/BSC infrastructure, decrypts them, executes them with eval(), and can spawn a detached hidden Node process.

We scanned the available Git refs/tags and believe the malicious code is isolated to this dev/test branch and does not appear in the stable tagged releases. This looks like a poisoned branch or repository/account compromise workflow.

We are opening this public issue to make sure you are aware and to preserve a clear reporting record. We will also send details privately to the security contact listed for the repository.

Recommended immediate actions:

1. Remove or quarantine the drewroberts/feature/test-case branch and the corresponding Packagist dev version.
2. Review recent GitHub account, token, OAuth app, and repository access activity.
3. Review Packagist hooks/tokens and package auto-update configuration.
4. Rotate any potentially exposed GitHub/Packagist credentials.
5. Preserve the current branch, commit, and file contents for incident review before deletion if possible.

Thank you for your attention to this,
Socket Threat Research team