Famous Chollima Targets PHP Developers Through Compromised Packagist Package
2026-05-31 • Socket
https://socket.dev/blog/famous-chollima-targets-php-developers-through-compromised-packagist-package
A malicious JavaScript loader was appended to `tailwind.js` in the Packagist dev version `dev-drewroberts/feature/test-case` of the legitimate PHP package `roberts/leads`. Socket assesses the activity as likely tied to Famous Chollima and consistent with a Contagious Interview-style developer lure, because the compromise was limited to a dev/test branch that a target could be instructed to install during a fake coding task. The loader uses TRON, Aptos, and BNB Smart Chain infrastructure as a dead-drop mechanism, decrypts remote payload material with hardcoded XOR keys, executes it with `eval()`, and can spawn a hidden detached Node.js process. The visible loader does not directly exfiltrate data, but the fetched payload could access environment variables, local files, Git credentials, package tokens, and CI/cloud secrets.
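The two defensive checks that follow from this write-up are (1) review any Composer dependency resolved to a `dev-*` branch rather than a tagged release, and (2) scan JavaScript shipped inside vendor packages for the combination of traits the loader shows: code execution via `eval()` or a detached child process, paired with either a blockchain dead-drop hostname or an XOR decode loop. The script below is an added example, not code from Socket or from the `roberts/leads` project. The hostnames and the `dev-drewroberts/feature/test-case` version string come from the page; the regex set, the scoring rule, and the sample `composer.lock` and JavaScript inputs are constructed assumptions for illustration.

```python
import json
import os
import re

# Dead-drop hostnames named in the Socket write-up.
DEAD_DROP_HOSTS = ("api.trongrid.io", "fullnode.mainnet.aptoslabs.com")

# Loader traits described in the write-up, as regexes. Each one alone is common in
# benign code; is_suspicious() only fires on a combination. (Assumed patterns.)
JS_INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "detached_spawn": re.compile(r"detached\s*:\s*true"),
    "xor_decode": re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    "dead_drop_host": re.compile("|".join(re.escape(h) for h in DEAD_DROP_HOSTS)),
}


def dev_branch_packages(lock_text):
    """Return (name, version) for every composer.lock entry resolved to a branch
    (dev-* or *-dev) instead of a tagged release. These deserve manual review."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            version = pkg.get("version", "")
            if version.startswith("dev-") or version.endswith("-dev"):
                hits.append((pkg.get("name", "?"), version))
    return hits


def js_indicator_hits(js_text):
    """Names of the indicator regexes that match the given JavaScript source."""
    return sorted(name for name, rx in JS_INDICATORS.items() if rx.search(js_text))


def is_suspicious(hits):
    """Flag only when an execution trait (eval or detached spawn) co-occurs with a
    fetch/decode trait (dead-drop host or XOR loop); this keeps noise down on
    ordinary bundled front-end code."""
    exec_traits = {"eval_call", "detached_spawn"}
    fetch_traits = {"dead_drop_host", "xor_decode"}
    found = set(hits)
    return bool(found & exec_traits) and bool(found & fetch_traits)


def scan_vendor(root):
    """Walk a project tree: check composer.lock and every .js file under it.
    Returns a list of (path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == "composer.lock":
                with open(path, encoding="utf-8") as fh:
                    for name, version in dev_branch_packages(fh.read()):
                        findings.append((path, f"branch dependency {name}@{version}"))
            elif fname.endswith(".js"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = js_indicator_hits(fh.read())
                if is_suspicious(hits):
                    findings.append((path, "loader traits: " + ", ".join(hits)))
    return findings


# Constructed sample composer.lock: one dependency pinned to the branch from the
# write-up, two ordinary tagged releases.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "roberts/leads", "version": "dev-drewroberts/feature/test-case"},
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "10.5.0"},
    ],
})

# Constructed sample of indicator strings for exercising the detector; it is not a
# working loader (blob and code are undefined, nothing is fetched).
SAMPLE_JS = """
var cp = require('child_process');
var h = 'https://api.trongrid.io/v1/accounts/';
function d(s,k){var o='';for(var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^k);}return o;}
eval(d(blob, 7));
cp.spawn(process.execPath, ['-e', code], {detached: true, stdio: 'ignore'});
"""

# Constructed benign front-end snippet.
BENIGN_JS = "document.querySelector('body').addEventListener('click', () => console.log('hi'));"


if __name__ == "__main__":
    print("branch deps:", dev_branch_packages(SAMPLE_LOCK))
    hits = js_indicator_hits(SAMPLE_JS)
    print("sample hits:", hits, "suspicious:", is_suspicious(hits))
    print("benign hits:", js_indicator_hits(BENIGN_JS))
```

Run `scan_vendor("/path/to/project")` after `composer install` in CI; the branch-dependency check will also surface legitimate `dev-main` pins, so treat its output as a review queue rather than an automatic block, while a `loader traits` finding on a file under `vendor/` warrants pulling the package for inspection.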
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| WALLET | 0x3f0e5781d0855fb460661ac632573… | 2026-05-31 | 2026-05-31 |
| WALLET | 0xbe037400670fbf1c32364f7629759… | 2026-05-31 | 2026-05-31 |
| WALLET | TXfxHUet9pJVU1BgVkBAbrES4YUc1nG… | 2026-05-31 | 2026-05-31 |
| WALLET | TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7… | 2026-05-31 | 2026-05-31 |
| HASH | 96afdba882046385242cbed46871e41… | 2026-05-31 | 2026-05-31 |
| HASH | 522b28a2f78771715497ba53729d4ab… | 2026-05-31 | 2026-05-31 |
| HASH | 6c5c3c7655ce76399af11126b7e9a90… | 2026-05-31 | 2026-05-31 |
| DOMAIN | api.trongrid.io | 2025-10-27 | 2026-05-31 |
| DOMAIN | fullnode.mainnet.aptoslabs.com | 2025-10-27 | 2026-05-31 |
| URL | https://api.trongrid.io/v1/acco… | 2025-10-27 | 2025-11-13 |