Supply Chain | May 23, 2026

Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

Compromised Laravel Lang project introduced RCE backdoors in 700+ versions.

Summary

The community-maintained Laravel Lang project was compromised, introducing remote code execution backdoors across multiple packages. The malicious code, located in src/helpers.php, executes automatically and steals sensitive data, exfiltrating it to a C2 server at flipboxstudio[.]info.


Indicators of Compromise

  • domain — flipboxstudio[.]info
  • url — https://flipboxstudio[.]info/payload
  • url — https://flipboxstudio[.]info/exfil
  • ip — 169.254.169.254
  • malware — DebugChromium.exe
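
An added example, not code from the Laravel Lang project or from the source report: a Python sweep that lists the Laravel Lang packages pinned in a project's composer.lock and checks each one's src/helpers.php for the literal indicators listed above. It assumes the packages install under Composer's vendor/laravel-lang/ directory and that the indicators appear unobfuscated in the file, so a result with no match does not clear a version.

```python
import json
import re
import sys
from pathlib import Path

# Indicators from this page's IoC list; the domain matches fanged or defanged.
IOCS = {
    "c2_domain": re.compile(rb"flipboxstudio(?:\.|\[\.\])info", re.I),
    # Link-local cloud instance metadata address: a hit means the file
    # references the metadata service, not that this is an attacker host.
    "metadata_ip": re.compile(rb"169\.254\.169\.254"),
    "dropped_binary": re.compile(rb"DebugChromium\.exe", re.I),
}
VENDOR_PREFIX = "laravel-lang/"  # assumption: Composer vendor name of the project


def locked_packages(project):
    """Map each laravel-lang package name to the version pinned in composer.lock."""
    lock = Path(project) / "composer.lock"
    if not lock.is_file():
        return {}
    data = json.loads(lock.read_text(encoding="utf-8"))
    pkgs = (data.get("packages") or []) + (data.get("packages-dev") or [])
    return {p["name"]: p.get("version", "?") for p in pkgs
            if p.get("name", "").startswith(VENDOR_PREFIX)}


def scan_project(project):
    """Return one record per locked package, with IoC names found in src/helpers.php."""
    project = Path(project)
    report = []
    for name, version in sorted(locked_packages(project).items()):
        helpers = project / "vendor" / name / "src" / "helpers.php"
        hits = []
        if helpers.is_file():
            blob = helpers.read_bytes()
            hits = sorted(k for k, rx in IOCS.items() if rx.search(blob))
        report.append({"package": name, "version": version,
                       "helpers_present": helpers.is_file(), "iocs": hits})
    return report


if __name__ == "__main__":
    for row in scan_project(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "SUSPECT" if row["iocs"] else "no-match"
        print(f'{flag:9} {row["package"]} {row["version"]} {",".join(row["iocs"])}')
```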

Entities

  • Laravel Lang (product)
  • Laravel (product)
  • Composer (technology)
  • PHP (technology)
  • Kubernetes (technology)
  • Docker (technology)