Laravel-Lang Packages Poisoned for Malware Delivery

Summary

Attackers compromised the Laravel-Lang organization's release process and poisoned four popular Composer packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions) by creating malicious Git tags across over 700 historical versions. The malware-laden tags contained a backdoor in src/helpers.php that fingerprints machines, connects to a C&C domain (flipboxstudio[.]info), and harvests AWS/GCP/Azure credentials, Docker/Kubernetes configs, SSH keys, browser data, and CI/CD secrets. The attack exploited GitHub's feature allowing tags to point to commits in forked repositories, making the malicious code invisible in official repos.

Full text

Four popular Composer packages maintained by the Laravel-Lang organization were poisoned with malware after hackers rewrote all their Git tags, security researchers warn. The affected packages, namely laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, are third-party localization libraries used by Laravel applications. The Laravel-Lang supply chain attack started on May 22. During a 15-minute window, the attackers published malicious version tags across three of the packages, StepSecurity says. By 00:00 UTC, May 23, all four packages had been poisoned. “The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization’s release process, rather than a single malicious package version,” Socket notes. According to the supply chain security firm, the malicious tags were published across over 700 historical versions of the four packages, potentially impacting all applications that fetched updates for them or installed them fresh. “What makes this particularly sneaky is that the malicious code was never committed to the official repos at all. GitHub allows version tags to point to commits from a fork of the same repository. The attacker exploited this to create tags pointed to commits in a malicious fork they controlled,” Aikido Security explains.Advertisement. Scroll to continue reading. The malicious version tags contained a file named src/helpers.php, posing as a Laravel localization helper. The code fingerprints the machine, then connects to the command-and-control (C&C) domain flipboxstudio[.]info to fetch a PHP credential stealer and execute it in the background. The malware was designed to harvest cloud keys and tokens (including AWS, GCP, and Azure), Docker and Kubernetes configurations, HashiCorp Vault tokens, Helm repository configurations, SSH private keys, developer credentials, authentication tokens, shell history files, and credential-storing files. Additionally, the malware would target credentials stored in browsers and password managers, cryptocurrency wallets and extensions, various communication platforms, VPN configuration files, and various high-value configuration and credential files across Windows, Linux, and macOS systems. Organizations and users alike are advised to block the affected packages and treat any systems that installed them as potentially compromised. They should also confirm the availability of clean versions and install them. “Because the payload targets cloud metadata, Kubernetes tokens, Vault, CI/CD systems, browser data, password managers, source control credentials, VPN configs, SSH keys, .env files, and local application configs, affected teams should rotate any secrets available to hosts, containers, CI runners, or developer machines that installed or ran the compromised packages,” Socket notes. Related: Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack Related: Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack Related: Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack Related: Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain AttackCisco Patches Critical Vulnerability in Secure WorkloadApple Rejected 2 Million App Store Submissions in 2025 for Security and Fraud PreventionSocket Raises $60 Million at $1 Billion ValuationMicrosoft Patches Exploited UnDefend and RedSun Defender Zero-DaysMicrosoft Rolls Out Mitigations for ‘YellowKey’ BitLocker BypassOver 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain AttackGitHub Confirms Hack Impacting 3,800 Internal Repositories Latest News 266,000 Affected by Data Breach at Radiology Associates of RichmondAnthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS ProjectsDocketWise Data Breach Impacts 143,000Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted DomainsDrupal Vulnerability in Hacker Crosshairs Shortly After DisclosureIn Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station HackingCanadian Man Arrested for Operating Kimwolf Botnet Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register People on the MoveJoe Chen has become Chief Technology Officer at Trellix.Usercentrics has named Pawan Hegde as COO and Elena Ignatova as CPTO.SecureAuth has named Mark van Oppen as Chief Revenue Officer.More People On The MoveExpert Insights Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience is the New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Is the SOC Obsolete, and We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• domain — flipboxstudio[.]info
• malware — Laravel-Lang backdoor (src/helpers.php)

Entities