Laravel Lang packages hijacked to deploy credential-stealing malware

The Laravel-Lang Supply Chain Attack: A GitHub Tag Exploit and Its Impact on Open-Source Security

The recent supply chain attack targeting Laravel-Lang packages has drawn attention due to its novel methodology and widespread potential impact. While Laravel developers are aware of the incident, many often wonder if laravel-lang constitutes an "official" Laravel dependency. It is not part of the core framework, yet its widespread adoption often leads to it being treated as such. This ambiguity, combined with the attack's specific methodology, highlights a significant weakness in our implicit trust model for open-source components.

The incident involved a sophisticated supply chain compromise, affecting over 700 versions and deploying credential-stealing malware. Security firms and Packagist rapidly responded to the incident.

Unpacking the GitHub Tag Manipulation Attack

On May 22, 2026, a threat actor compromised four widely used Composer packages maintained by the Laravel-Lang organization: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The method employed was significantly more subtle and difficult to detect than typical attacks involving new, overtly malicious version releases. This approach aligns with MITRE ATT&CK technique T1195.002, "Compromise Software Supply Chain," due to its manipulation of trusted software components.

The attacker systematically rewrote every existing Git tag within these repositories. For instance, a specific tag previously pointing to a legitimate commit was redirected to a malicious one. This operation occurred between 22:32 UTC on May 22, 2026, and 00:00 UTC on May 23, 2026, affecting over 700 tags across the four packages.

Several security firms quickly identified the anomaly. Packagist, the primary Composer package repository, responded by delisting the malicious versions and temporarily unlisting the affected packages. Though this swift action contained further spread, many projects had already incorporated the compromised code prior to the takedown.

Dissecting the Attack Chain: From Access to Exfiltration

The attack chain unfolded as follows:

• Initial Access: The initial access likely involved a compromised organization-level credential with push access to the GitHub repositories, a technique categorized under MITRE ATT&CK T1078 for Valid Accounts. This type of valid account compromise is a common initial access vector in supply chain attacks.
• Tag Manipulation: The attacker exploited a GitHub feature allowing version tags to reference commits from a fork, rather than exclusively commits within the main repository. They established a malicious fork, pushed their payload, and then redirected all existing tags in the official repositories to their forged commits. This technique is subtle because the tag appears legitimate, even though it points to malicious underlying code.
• The Dropper (src/helpers.php): The malicious commit introduced src/helpers.php, registered under autoload.files in composer.json. This configuration ensures the code in src/helpers.php executes automatically when vendor/autoload.php is required, a common event in Laravel and Symfony applications. This bypasses explicit class instantiation, ensuring immediate execution.
• Host Fingerprinting and Evasion: Upon execution, src/helpers.php fingerprints the compromised machine using a hash derived from the file path, hostname, and inode. A marker file is then written to the system's temporary directory. This mechanism limits payload execution to once per machine, primarily aiding in persistence evasion and preventing detection by repeated activity.
• Payload Fetch (MITRE ATT&CK T1071.001): The dropper initiates an outbound connection to flipboxstudio[.]info/payload to retrieve the second-stage stealer payload. The command-and-control (C2) domain, flipboxstudio[.]info/payload, was a typosquat of the legitimate flipboxstudio.com – a common masquerading technique (MITRE ATT&CK T1036.003). The payload retrieval uses file_get_contents or curl. Notably, SSL verification was disabled.
• Stealer Execution:
  • Windows: A .vbs launcher is deployed, executing the payload silently via cscript.
  • Linux/macOS: The payload executes in the background using exec(), frequently reparenting to init (PID 1) to hinder process tracing (MITRE ATT&CK T1036.004).
• The Stealer: The core stealer, a substantial PHP script comprising fifteen specialized collector modules, targets a wide array of credentials (MITRE ATT&CK T1555). Collected data is encrypted with AES-256 (MITRE ATT&CK T1560.001) prior to exfiltration to flipboxstudio[.]info/exfil.
• Self-Deletion: Following exfiltration, the stealer removes itself and associated artifacts from disk within seconds. This tactic significantly complicates forensic analysis, leaving minimal evidence and hindering artifact recovery in incident response.

Assessing the Full-Spectrum Credential Compromise

The breadth of data targeted by this stealer is extensive. Any project that executed composer update on or after May 22, 2026, and incorporated one of the affected packages, must be treated as compromised, as all secrets accessible within that environment are at risk.

The targeted data includes:

• Cloud Credentials (MITRE ATT&CK T1555.007): AWS access keys, GCP application default credentials, Azure tokens, DigitalOcean, Heroku, Vercel, Netlify, Railway, Fly.io authentication tokens, and live EC2 instance metadata.
• Infrastructure Secrets: All kubeconfig files (e.g., /etc/kubernetes/admin.conf), HashiCorp Vault tokens, Helm configurations, and Docker config.json.
• Developer Credentials (MITRE ATT&CK T1555.004, T1555.008, T1555.009): SSH private keys, .git-credentials, .gitconfig, .netrc, .npmrc, .yarnrc, .pypirc, .gem/credentials, .composer/auth.json, and GitHub/GitLab/Hub CLI tokens. This also includes shell history for bash, zsh, psql, mysql, python, node, along with all .env files and common configuration files such as wp-config.php, settings.py, docker-compose.yml, and secrets.yaml.
• Browsers and Password Managers (MITRE ATT&CK T1555.003, T1555.005, T1555.006): Saved passwords from Chromium-based browsers (e.g., Chrome, Edge, Brave, Opera), Firefox logins.json and key4.db. Local vault files for KeePass, 1Password, and Bitwarden are targeted. On Windows, an executable is dropped to decrypt Chrome's DPAPI-protected login database.
• Cryptocurrency Wallets: Files associated with various cryptocurrency wallets, including desktop applications like Electrum, Exodus, and Atomic, as well as browser extension wallets such as MetaMask, Phantom, and Trust Wallet.
• Windows-Specific: Credential Manager, PuTTY/WinSCP sessions (including active decryption), .rdp files, and Outlook profiles and credentials.
• Communication Platforms: Slack, Discord, and Telegram bot tokens.
• VPN Configurations: Configurations and credentials for NordVPN, ExpressVPN, ProtonVPN, CyberGhost, Private Internet Access, Windscribe, Mullvad, Surfshark, WireGuard, and OpenVPN.

This incident represents a full-spectrum credential harvest, extending beyond isolated API key compromises. For organizations utilizing CI/CD pipelines that incorporate these packages, CI provider tokens, GitHub Personal Access Tokens (PATs), container registry credentials, and deploy keys are all exposed.

Immediate Mitigations and Post-Compromise Remediation

Packagist's rapid delisting of the packages was a critical containment measure. For developers, the post-compromise remediation effort is substantial.

• Assume Compromise: Any environment that utilized an affected laravel-lang package and executed composer update on or after May 22, 2026, must be treated as compromised, and all secrets within that environment should be considered exposed.
• Rotate All Credentials: Immediately rotate all cloud credentials, SSH keys, API tokens, database passwords, and any other potentially exposed secrets; this action is mandatory.
• System Inspection for Indicators of Compromise (IoCs):
  • Network: Monitor for connections to flipboxstudio.info, indicative of payload fetching or exfiltration.
  • Filesystem: Search for the marker file <tmp>/.laravel_locale/<md5_hash> or any transient stealer files, acknowledging their rapid self-deletion.
  • Processes: On Linux, identify orphaned php or unnamed ELF processes with a parent PID of 1.
  • Git: Review local Git history for commits authored by "Your Name" <you@example.com> with timestamps between 2026-05-22 22:32 UTC and 2026-05-23 00:00 UTC, specifically those altering composer.json and src/helpers.php.
• Pin Dependencies to Specific SHAs: This incident highlights the critical need to pin dependencies to specific commit SHAs, rather than relying solely on version ranges. While a composer.lock file referencing a pre-attack SHA might offer protection if only composer install is executed, using version ranges with composer update will pull the malicious code. Consider tools like Dependabot or Renovate configured for strict SHA pinning.
• Enhanced Dependency Vetting: This attack underscores the need for more rigorous vetting of open-source dependencies, even those widely adopted and perceived as 'official'. Developers should assess maintainer security practices and integrate tools like OpenSSF Scorecard or Sigstore for integrity verification. Regularly running composer validate --strict can also catch manifest anomalies.

This incident, rather than being a zero-day exploit within Laravel itself, represented a sophisticated manipulation of the trust model inherent in open-source package management and GitHub's tagging features. The attacker's decision to rewrite existing tags, rather than simply introducing new ones, significantly enhanced its stealth. This event emphasizes the heightened need for increased vigilance regarding project dependencies. Even widely adopted packages can serve as attack vectors if maintainer accounts are compromised. The security of applications is directly tied to the integrity of their supply chain; even a single Git tag pointing to an incorrect commit can introduce severe vulnerabilities.