Executive Summary
A critical supply chain attack has compromised the integrity of several Laravel Lang PHP localization packages, resulting in the widespread deployment of advanced credential-stealing malware. The threat actors exploited the GitHub version tagging mechanism to inject malicious code into every version tag across multiple repositories, thereby impacting a vast number of developers and organizations globally. The malware is engineered to exfiltrate a comprehensive array of sensitive credentials and secrets from affected systems, including cloud provider keys, infrastructure tokens, developer secrets, browser-stored passwords, and cryptocurrency wallets. This incident underscores the escalating sophistication of supply chain attacks targeting open-source ecosystems and highlights the urgent need for robust dependency management and vigilant monitoring.
Threat Actor Profile
The actors behind the Laravel Lang supply chain compromise have demonstrated a high degree of technical acumen and operational security. By leveraging GitHub’s tag rewriting capabilities, they managed to redirect every existing version tag in the affected repositories to malicious commits under their control, without altering the main branches. This approach enabled the attackers to evade conventional code review and detection mechanisms. While there is no direct attribution to a known Advanced Persistent Threat (APT) group as of this report, the tactics, techniques, and procedures (TTPs) align with those observed in sophisticated supply chain campaigns. The operation’s focus on credential theft and broad targeting suggests a financially motivated or state-sponsored actor with a deep understanding of the open-source software supply chain.
Technical Analysis of Malware/TTPs
The attack targeted the following Laravel Lang packages: laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions. The adversary rewrote every git tag in these repositories to point to a malicious commit in a fork they controlled. This manipulation meant that any installation or update of these packages via Composer after 2026-05-22 22:32 UTC would fetch and execute the attacker’s payload.
The initial infection vector is a dropper embedded in the src/helpers.php file. This dropper defines innocuous-looking functions but contains a self-executing block that fingerprints the host using file path, hostname, and inode information. It writes a marker file to the system’s temporary directory to prevent reinfection and decodes the command-and-control (C2) domain flipboxstudio[.]info at runtime to evade static analysis. The dropper then fetches a secondary payload from flipboxstudio[.]info/payload, bypassing SSL verification.
On Windows systems, the dropper writes a .vbs launcher and executes it via cscript, while on Linux and macOS, it executes the payload in the background using exec(). The secondary payload is a sophisticated credential stealer, comprising approximately 5,900 lines of PHP code organized into 15 modules. This stealer encrypts exfiltrated data using AES-256 and transmits it to flipboxstudio[.]info/exfil. After execution, the malware self-deletes to hinder forensic analysis.
The malware is capable of harvesting a wide spectrum of sensitive data, including but not limited to: cloud provider credentials (AWS, GCP, Azure, DigitalOcean, Heroku, Vercel, Netlify, Railway, Fly.io), infrastructure secrets (Kubernetes configs, HashiCorp Vault tokens, Helm, Docker), developer credentials (SSH keys, .git-credentials, .netrc, .npmrc, .yarnrc, .pypirc, .gem/credentials, .composer/auth.json, GitHub/GitLab/Hub CLI tokens, shell history, .env files), browser and password manager data (Chromium-based browsers, Firefox, Thunderbird, KeePass, 1Password, Bitwarden), cryptocurrency wallets (Bitcoin, Ethereum, Monero, Litecoin, Dash, Dogecoin, Zcash, Electrum, Exodus, Atomic, Ledger Live, Trezor, Wasabi, Sparrow, MetaMask, Phantom, Trust Wallet, Ronin, Keplr, Solflare, Rabby), Windows-specific secrets (Windows Credential Manager, PuTTY, WinSCP, RDP files, Outlook profiles), communication platform tokens (Slack, Discord, Telegram), and VPN configurations (NordVPN, ExpressVPN, ProtonVPN, CyberGhost, PIA, Windscribe, Mullvad, Surfshark, WireGuard, OpenVPN).
The malware’s operational security is further enhanced by its use of runtime domain decoding, encrypted exfiltration, and self-deletion, making detection and post-infection analysis significantly more challenging.
Exploitation in the Wild
The compromise was first detected by Aikido Security on May 22, 2026. The malicious activity was rapidly reported to the Laravel Lang maintainers and Packagist, leading to the takedown of malicious versions and temporary unlisting of the affected packages. The attackers’ use of Composer’s autoloader and GitHub’s tag system enabled the stealthy distribution of hundreds of malicious versions, impacting any developer or CI/CD pipeline that installed or updated the compromised packages during the attack window.
The attack window began at 2026-05-22 22:32 UTC, and all installations or updates of the affected packages after this time are considered at risk. The scale of the attack is significant, given the popularity of the Laravel Lang ecosystem and its integration into numerous enterprise and open-source projects.
Victimology and Targeting
The attack indiscriminately targeted all users of the affected Laravel Lang packages, including individual developers, small businesses, and large enterprises. The broad targeting strategy is evidenced by the rewriting of every version tag in the repositories, ensuring that any installation or update would result in compromise. The malware’s capability to harvest a diverse array of credentials and secrets indicates an intent to maximize the value of exfiltrated data, whether for direct financial gain, further intrusion, or resale on underground markets.
Organizations with automated CI/CD pipelines, frequent dependency updates, or reliance on Composer for PHP package management are particularly at risk. The inclusion of modules targeting cloud infrastructure, developer tools, and cryptocurrency wallets suggests that the attackers anticipated a wide range of potential victims, from SaaS providers and DevOps teams to fintech and blockchain projects.
Mitigation and Countermeasures
Immediate action is required to contain and remediate this supply chain compromise. All systems and CI/CD pipelines should be audited for the presence of the affected Laravel Lang package versions. Any compromised versions must be removed and replaced with clean, verified releases. It is imperative to rotate all credentials and secrets that may have been exposed, including cloud provider keys, infrastructure tokens, developer credentials, and any other sensitive data stored on affected systems.
Network monitoring should be implemented to detect connections to flipboxstudio[.]info and related indicators of compromise (IOCs). Forensic analysis should be conducted to identify signs of secondary compromise or lateral movement within the environment.
Long-term, organizations should enforce strict dependency pinning and verification in Composer and other package managers to prevent inadvertent installation of malicious versions. Monitoring for suspicious version tags and fork activity in critical repositories is recommended, as is the implementation of runtime monitoring for credential access and exfiltration attempts. Security teams should also consider integrating supply chain risk management tools and processes to enhance visibility and control over third-party dependencies.
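As an added illustration of the audit and network-monitoring steps above (example code written for this page, not code from the advisory, Rescana, or the Laravel Lang project), the following Python flags the four affected package names in a composer.lock and matches egress log lines against the C2 domain. The composer.lock keys it reads (packages, packages-dev, time, source.reference) are Composer's own; the lock entries and log lines are constructed samples, and the timestamp comparison is a heuristic that assumes the entry's time field reflects the release actually installed.

```python
import json
import re
from datetime import datetime, timezone

# Packages and attack-window start named in the advisory.
AFFECTED_PACKAGES = {"laravel-lang/lang", "laravel-lang/attributes",
                     "laravel-lang/http-statuses", "laravel-lang/actions"}
ATTACK_WINDOW_START = datetime(2026, 5, 22, 22, 32, tzinfo=timezone.utc)
# C2 domain and its two endpoints (dropper fetch, exfiltration) named in the advisory.
C2_PATTERN = re.compile(r"flipboxstudio\.info(/payload|/exfil)?", re.IGNORECASE)

def audit_composer_lock(lock_text):
    """One finding per affected package in composer.lock. 'after_window' compares
    the entry's 'time' (upstream release time) with the window start: a hint only;
    the 'reference' commit must still be checked against the clean tags."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") not in AFFECTED_PACKAGES:
            continue
        after_window = None
        if pkg.get("time"):  # Composer writes ISO-8601 with an offset, e.g. +00:00
            when = datetime.fromisoformat(pkg["time"].replace("Z", "+00:00"))
            after_window = when >= ATTACK_WINDOW_START
        findings.append({"name": pkg["name"], "version": pkg.get("version"),
                         "reference": pkg.get("source", {}).get("reference"),
                         "after_window": after_window})
    return findings

def scan_egress_logs(lines):
    """Return proxy/DNS/firewall log lines that reference the C2 domain."""
    return [line for line in lines if C2_PATTERN.search(line)]

# Constructed sample inputs (not real data): one affected package with a
# placeholder commit reference, one unrelated package, three egress log lines.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "1.2.3-sample",
     "time": "2026-05-23T01:10:00+00:00", "source": {"reference": "0" * 40}},
    {"name": "example/unrelated", "version": "9.9.9-sample",
     "time": "2026-05-23T01:10:00+00:00"}]})
SAMPLE_LOGS = [
    "2026-05-23T01:12:07Z ci-runner-01 GET https://flipboxstudio.info/payload 200",
    "2026-05-23T01:12:09Z ci-runner-01 POST https://flipboxstudio.info/exfil 200",
    "2026-05-23T01:12:10Z ci-runner-01 GET https://repo.packagist.org/packages.json 200"]

if __name__ == "__main__":
    print("affected packages:", audit_composer_lock(SAMPLE_LOCK))
    print("C2 contacts:", scan_egress_logs(SAMPLE_LOGS))
```

Point audit_composer_lock at each project's composer.lock and scan_egress_logs at proxy or DNS logs for the attack window; a flagged package still needs its reference commit compared with the maintainers' republished clean tags before it is declared safe.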
References
Aikido Security: Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer – https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer
StepSecurity: Laravel-Lang Supply Chain Attack – https://www.stepsecurity.io/blog/laravel-lang-supply-chain-attack
BleepingComputer Coverage – https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/amp/
Reddit Discussion – https://www.reddit.com/r/cybersecurity/comments/1tls499/laravel_lang_packages_hijacked_to_deploy/
The Hacker News – https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html
LinkedIn Post – https://www.linkedin.com/posts/the-cyber-security-hub_laravel-lang-packages-hijacked-to-deploy-activity-7464055366364872704-j_LG
YCombinator News – https://news.ycombinator.com/item?id=48251938
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain. Our advanced analytics and continuous monitoring capabilities empower security teams to proactively identify and address vulnerabilities in their vendor ecosystem, ensuring robust protection against emerging threats. For more information about our solutions or to discuss your organization’s cybersecurity needs, please contact us at ops@rescana.com.