Laravel-Lang PHP Packages Targeted in Massive Supply Chain Attack, Deploying Credential Stealer Across Platforms
In a significant cybersecurity breach, researchers have identified a new software supply chain attack targeting multiple PHP packages associated with Laravel-Lang. This campaign aims to deliver a sophisticated credential-stealing framework, raising alarms about the vulnerabilities within widely used software ecosystems.
Overview of the Attack
The compromised packages include:
- laravel-lang/lang
- laravel-lang/http-statuses
- laravel-lang/attributes
- laravel-lang/actions
The rapid succession of newly published tags on May 22 and 23, 2026, indicates a broader compromise of the Laravel Lang organization’s release process, rather than a single malicious package version. According to Socket, a cybersecurity firm, the tags were published in quick succession, with many versions appearing only seconds apart.
More than 700 versions of these packages have been identified, suggesting automated mass tagging or republishing. Investigators suspect that the attackers gained access to organization-level credentials, repository automation, or release infrastructure.
Technical Details of the Malicious Code
The core malicious functionality resides in a file named src/helpers.php, embedded within the version tags. This file is designed to fingerprint the infected host and connect to an external server, flipboxstudio[.]info, to retrieve a PHP-based cross-platform payload that operates on Windows, Linux, and macOS.
The attacker integrated src/helpers.php into the autoload.files map of each compromised package. As a result, every Laravel application that calls require __DIR__.'/vendor/autoload.php' during startup inadvertently executes the payload. This execution occurs without the need for class instantiation or method calls, making it particularly insidious.
Aikido Security reports that the dropper delivers a Visual Basic Script launcher on Windows, executing it via cscript. On Linux and macOS, the payload is executed using exec().
Implications of the Attack
The backdoor created by the malicious code is executed automatically on every PHP request handled by the compromised application. The script generates a unique per-host marker, an MD5 hash combining the directory path, system architecture, and inode, ensuring that the payload triggers only once per machine. This mechanism prevents redundant executions and helps the malware evade detection after its initial run.
The credential stealer is capable of harvesting a wide range of sensitive data from compromised systems, which is then exfiltrated to the same external server. This includes:
- IAM roles and instance identity documents by querying cloud metadata endpoints
- Google Cloud application default credentials
- Microsoft Azure access tokens and service principal profiles
- Kubernetes Service Account tokens and Helm registry configurations
- Authentication tokens for various cloud platforms including DigitalOcean, Heroku, and Vercel
- Tokens and configurations from CI/CD tools like Jenkins and GitHub Actions
- Cryptocurrency wallet seed phrases and associated files
- Browser history, cookies, and login data from major web browsers
- Local vaults and data from password managers
- Configuration and credential files containing sensitive information
The payload itself is a substantial PHP credential stealer, comprising approximately 5,900 lines of code organized into fifteen specialized collector modules. After collecting data, it encrypts the results using AES-256 encryption and sends them to the designated server. Following this, it deletes itself from the disk to limit forensic evidence.
Broader Context and Industry Impact
This incident underscores the vulnerabilities inherent in software supply chains, particularly in open-source ecosystems where trust is paramount. The Laravel-Lang packages are widely utilized in PHP applications, making this attack particularly concerning for developers and organizations relying on these tools.
The rapid evolution of such attacks highlights the need for enhanced security measures within software development practices. Organizations must prioritize securing their release processes and implementing robust monitoring systems to detect unusual activities.
As the cybersecurity landscape continues to evolve, the implications of this attack extend beyond the immediate threat. It serves as a reminder of the importance of vigilance and proactive measures in safeguarding sensitive information and maintaining the integrity of software supply chains.
For further details on the attack and its implications, refer to the original reporting source: thehackernews.com.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
