# Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

Source: https://socket.dev/blog/laravel-lang-compromise?utm_medium=feed
Published: 2026-05-23T03:08:09 UTC
Categories: Supply Chain, Vulnerabilities, Malware, Open Source
Tagged entities: Laravel Lang (product), Laravel (product), Composer, PHP, Kubernetes, Docker (technologies)

A compromise affecting the community-maintained Laravel Lang project has introduced remote code execution backdoors across multiple packages in the organization, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, across roughly 700+ historical versions.

The affected packages are not part of the official Laravel framework. They are third-party localization packages used by Laravel applications. However, applications that installed compromised versions may have executed the backdoor automatically when Composer's autoloader ran.

Newly observed tag activity suggests the compromise was not isolated to a single package. Recently published tags appeared across multiple repositories in the same GitHub organization, including Laravel-Lang/lang, Laravel-Lang/http-statuses, Laravel-Lang/attributes, and Laravel-Lang/actions. The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart. For example, Laravel-Lang/lang tags across the 12.x, 13.x, 14.x, and 15.x lines were published in tight sequence on May 22, while Laravel-Lang/http-statuses and Laravel-Lang/attributes also saw rapid tag creation across historical versions during the same window. Laravel-Lang/actions tags followed shortly after, continuing into May 23 UTC.

Socket's analysis of composer/laravel-lang/lang@14.3.7 confirmed a malicious src/helpers.php file registered in composer.json under autoload.files. In Composer packages, files listed under autoload.files are loaded automatically whenever the Composer autoloader runs, which means the malicious code executes during normal application runtime, not only at install time.

## Coordinated Tag Activity Across Laravel Lang Repositories

The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization's release process, rather than a single malicious package version. The observed activity includes rapid publication of historical tags across:

- Laravel-Lang/lang
- Laravel-Lang/http-statuses
- Laravel-Lang/attributes
- Laravel-Lang/actions

Many of these tags were created seconds apart, a pattern that is unusual for normal package maintenance and consistent with automated mass tagging or republishing. The affected repositories belong to the same Laravel Lang GitHub organization, which suggests the attacker may have had access to organization-level credentials, repository automation, or release infrastructure.

This is a developing story. We will publish more information as our investigation continues.

## Technical Breakdown

The malicious activity is rooted in a file named src/helpers.php. Because this file is registered in composer.json under autoload.files, the backdoor is executed automatically on every PHP request handled by the compromised application. The infection sequence operates as follows:

1. C2 Deobfuscation: The malware dynamically builds its Command and Control (C2) hostname (flipboxstudio[.]info) at runtime from character codes (array_map('chr', [...])) to evade static string analysis.
2. Payload Retrieval: The script reaches out to https://flipboxstudio[.]info/payload. To guarantee a successful fetch even under interception or certificate issues, it explicitly disables TLS certificate verification and fakes a Mozilla User-Agent.
3. Staging: The downloaded payload is written to a hidden temporary file located under sys_get_temp_dir()/.laravel_locale/.
4. Remote Code Execution (RCE): The malware executes the downloaded file in the background via exec("php ...") on Unix environments, or by generating and running a .vbs script via cscript on Windows systems.

### Key Threat Characteristics

Evasion and Stealth: The script generates a unique per-host marker (an MD5 hash combining the directory path, system architecture, and inode) to ensure the payload only triggers once per machine. This prevents redundant executions and helps the malware remain undetected after the initial run.

## Second-Stage Payload: Credential Stealer

This is a highly sophisticated, cross-platform (Linux, macOS, Windows) information stealer written in PHP. It acts as the second-stage payload delivered by the poisoned laravel-lang/attributes package. Rather than a simple backdoor, this script is a comprehensive credential-harvesting framework designed to systematically strip a compromised server or developer machine of virtually all sensitive data, encrypt it, and exfiltrate it to the C2 server. Here is a technical breakdown of the malware's capabilities and execution flow:

### 1. Core Configuration & Orchestration

- Target C2: Hardcoded to https://flipboxstudio.info/exfil.
- Encryption Key: Uses a hardcoded key (k9X2mP7vL4nQ8wR1) to XOR-encrypt the stolen data before exfiltration.
- Orchestration: The Stealer class initializes 17 distinct "Collectors," each targeting a specific category of software, cloud infrastructure, or operating system secrets.

### 2. Reconnaissance & Data Harvesting (The Collectors)

The malware uses a massive dictionary of regular expressions to scrape files, databases, and environment variables for API keys (AWS, GitHub, Stripe, Slack, Discord, JWTs, private keys, etc.). Its specific collectors include:

- Cloud & AWS (AwsCollector, CloudCollector): Queries cloud metadata endpoints (e.g., EC2 IMDS at 169.254.169.254) to steal IAM roles and instance identity documents. It also scrapes local configuration files for Azure, Google Cloud (gcloud), DigitalOcean, Heroku, Netlify, and Vercel.
- Container & Orchestration (K8sCollector): Steals Kubernetes Service Account tokens from /var/run/secrets/..., local kubeconfig files, and Helm registry configurations.
- HashiCorp Vault (VaultCollector): Attempts to find Vault tokens via environment variables, files, or Kubernetes auth, and if successful, recursively queries the Vault API to dump Key-Value secrets.
- CI/CD Pipelines (CiCdCollector): Targets build servers, extracting tokens and configurations from Jenkins (including the master.key and credentials.xml), GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD.
- Cryptocurrency (CryptoCollector): Scans for wallet data files (Bitcoin, Ethereum, Monero, etc.) and browser extension local storage (MetaMask, Phantom, Trust Wallet). It also scans desktop/document folders for plaintext files named seed.txt or recovery.txt.
- Browsers (BrowserCollector & ChromiumDecryptor): Extracts history, cookies, and login data from Chrome, Edge, Firefox, Brave, and Opera. Advanced Bypass: It contains a base64-encoded embedded Windows executable (DebugChromium.exe). The PHP script drops and executes this binary specifically to bypass Chrome v127+ App-Bound Encryption and extract the master decryption key. Firefox data is decrypted natively using NSS algorithms.
- Password Managers (PasswordManagerCollector): Targets local vaults and browser extension data for 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass.
- System & Processes (ProcessCollector, WindowsCredentialCollector):
  - Linux: Reads /proc/[pid]/environ and /proc/[pid]/cmdline to steal secrets passed via environment variables or command-line arguments to running processes.
  - Windows: Dumps the Windows Credential Manager (cmdkey), Vault credentials (vaultcmd), .rdp files, and PuTTY/WinSCP saved sessions (including native decryption of WinSCP passwords).
- Communications & FTP (MessagingCollector, FtpCollector, EmailCollector): Extracts session tokens from Discord and Slack leveldb storage. Dumps profiles from Outlook, Thunderbird, and popular FTP clients (FileZilla, WinSCP, CoreFTP), often reversing weak proprietary encoding/XOR obfuscation.
- Files & Local Configurations (FileCollector): Scours Windows, macOS, and Linux paths for high-value configuration and credential files, including Docker auth tokens, SSH private keys, Git credentials, shell history files, database history files, Kubernetes cluster configurations, .env files, wp-config.php, and docker-compose.yml.
- Environment Variables (EnvCollector): Captures environment variables loaded into the PHP process and filters for sensitive keys containing terms like KEY, SECRET, API, TOKEN, PASSWORD, AWS_, AZURE_, GCP_, STRIPE_, and more, then applies regex patterns to extract recognizable credential formats.
- Source Control (GitCollector): Extracts source control credentials from global and local .gitconfig files, .git-credentials, and .netrc files. It parses embedded HTTP basic auth credentials and SSH host configurations associated with GitHub, GitLab, and Bitbucket.
- VPN Clients (VpnCollector): Collects VPN configuration and saved login files for OpenVPN, WireGuard, NetworkManager, and commercial VPNs such as NordVPN, ExpressVPN, CyberGhost, and Mullvad. It parses .ovpn and .conf files to extract embedded usernames, passwords, or referenced auth-user-pass credential files.

We're tracking this supply chain attack on a dedicated campaign page: socket.dev/supply-chain-attacks/laravel-lang-compromise

## Remediation

Teams using affected Laravel Lang packages should treat impacted systems as potentially compromised, not just exposed. Check composer.lock for laravel-lang/lang, laravel-lang/http-statuses, and laravel-lang/attributes, and block these packages until clean versions are confirmed.

Because the payload targets cloud metadata, Kubernetes tokens, Vault, CI/CD systems, browser data, password managers, source control credentials, VPN configs, SSH keys, .env files, and local application configs, affected teams should rotate any secrets available to hosts, containers, CI runners, or developer machines that installed or ran the compromised packages. Prioritize rotation of cloud credentials, Kubernetes Service Account tokens, Vault tokens, CI/CD secrets, GitHub/GitLab/Bitbucket tokens, SSH keys, Docker registry tokens, Laravel APP_KEY, database credentials, API keys, webhook secrets, and credentials stored in environment variables.

Rebuild affected hosts, containers, and CI runners from known-good images where possible. Preserve logs and package artifacts before cleanup, including composer.lock, Composer cache contents, deployment logs, process execution logs, network/DNS logs, cloud audit logs, Kubernetes audit logs, and temp directory contents.

## Indicators of Compromise

- Packages: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes
- Domain (C2): flipboxstudio[.]info
- Payload URL: https://flipboxstudio[.]info/payload
- Exfiltration URL: https://flipboxstudio.info/exfil
- Malicious file: src/helpers.php
- Composer autoload entry: autoload.files → src/helpers.php
- Temp path: sys_get_temp_dir()/.laravel_locale/
- Cloud metadata access: 169.254.169.254
- Windows artifact: DebugChromium.exe
- Suspicious behavior: background php execution, cscript execution, dropped .php or VBS files, reads from /var/run/secrets/, reads from /proc/[pid]/environ, and outbound requests to flipboxstudio[.]info

Related coverage (Research / Security News): Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords. A malicious NuGet package impersonating Sicoob exfiltrated client IDs, PFX passwords, and banking certificates through Sentry telemetry. By Kirill Boychenko, May 28, 2026.