A sophisticated software supply chain attack has successfully compromised the Laravel-Lang ecosystem, impacting hundreds of package versions and exposing developers to severe credential theft.
On May 22, 2026, security researchers from Aikido Security and Socket disclosed an active campaign that exploited GitHub’s version-tagging system to inject remote code execution (RCE) backdoors into widely used third-party localization packages.
The attackers successfully compromised over 700 historical version tags across multiple repositories within the community-maintained Laravel Lang project, including laravel-lang/lang, laravel-lang/attributes, and laravel-lang/http-statuses.
Rather than committing malicious code directly to the official repositories, the threat actors exploited a GitHub feature that allows version tags to point to commits from a fork.
Compromised Laravel-Lang Packages via GitHub Repo
By creating tags linked to a malicious fork they controlled, the attackers bypassed standard developer scrutiny, Socket said.
According to Socket’s analysis, the malicious activity is rooted in a file named src/helpers.php. Because this file was registered in composer.json under autoload.files, the backdoor executes automatically on every PHP request handled by the compromised application once Composer’s autoloader runs.
The initial dropper disguises itself as a routine localization helper. However, it contains a self-executing code block that fingerprints the host machine using an MD5 hash of the file path, hostname, and inode.
This ensures the malware only triggers once, dropping an infection marker in the system’s temporary directory (sys_get_temp_dir()/.laravel_locale/).
To evade static analysis, the dropper dynamically decodes its Command and Control (C2) hostname at runtime using character codes. It then reaches out to flipboxstudio[.]info/payload, turning off SSL verification to ensure the fetch succeeds even under interception.
On Linux and macOS, it executes the payload via exec(), while on Windows, it drops a .vbs launcher.
The second stage is a highly sophisticated, 5,900-line PHP information stealer orchestrated into 15 specialized collector modules, Aikido said.
Designed to systematically strip a compromised server or developer machine of virtually all sensitive data, according to Aikido, the malware encrypts the harvested intelligence with AES-256 before exfiltrating it to flipboxstudio[.]info/exfil.
The stealer targets a massive array of secrets, including:
- Cloud Infrastructure: AWS access keys, GCP default credentials, Azure tokens, Kubernetes kubeconfig files, and HashiCorp Vault tokens.
- Developer Secrets: SSH private keys, .git-credentials, .env files, and CI/CD pipeline tokens from Jenkins, GitLab Runners, and GitHub Actions.
- Browsers and Passwords: Saved logins from 17 Chromium-based browsers, KeePass databases, and 1Password vaults. On Windows, the malware drops DebugChromium.exe to bypass Chrome’s App-Bound Encryption natively.
- Cryptocurrency and Communications: Data from desktop wallets, browser extensions (e.g., MetaMask), Slack tokens, and Discord session files.
Indicators of Compromise (IOCs)
| Indicator Type | Indicator | Description |
|---|---|---|
| Domain | flipboxstudio[.]info | Primary C2 server for payload fetch and exfiltration. |
| URL | https://flipboxstudio[.]info/payload | Initial stage dropper fetch endpoint. |
| Network | 169.254.169.254 | Outbound requests to cloud metadata endpoints from suspicious processes. |
| File Path | <tmp>/.laravel_locale/<md5_hash> | Infection marker to prevent redundant execution. |
| File Path | sys_get_temp_dir()/.laravel_locale/ | Staging location for downloaded payload. |
| File | <tmp>/.laravel_locale/<12 random hex chars>.php | The dropped PHP stealer payload. |
| File | <tmp>/.laravel_locale/<8 random hex chars>.vbs | Windows launcher payload. |
| File | src/helpers.php | Malicious autoloaded file registered in composer.json. |
| Executable | DebugChromium.exe | Windows artifact used to bypass Chrome DPAPI protection. |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Packagist has temporarily unlisted the affected packages to prevent further installations. Security teams should immediately review composer.lock for laravel-lang/lang, laravel-lang/http-statuses, or laravel-lang/attributes and block those packages until verified clean versions are available.
Incident response teams should immediately rotate all cloud credentials, SSH keys, database passwords, and API keys accessible to the host.
Finally, affected hosts and CI/CD runners should be rebuilt using a known-good image, preserving logs and Composer cache contents for forensic analysis.
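One way to carry out the composer.lock review described above, as an added example that is not code from Aikido, Socket or the Laravel Lang project: it flags the three package names named in the advisory, flags any locked package that autoloads src/helpers.php (the mechanism that makes the dropper run on every request), and lists whatever sits under the <tmp>/.laravel_locale/ marker directory from the IOC table. The sample lock document embedded below is constructed for the demo; its version string is a placeholder, not a real affected release.

```python
"""Audit a composer.lock for the Laravel-Lang advisory.

Added example, not from the advisory's authors or the Laravel Lang project.
Package names, the autoloaded file and the marker directory come from the
advisory text; the sample lock below is constructed for the demo.
"""
import json
import os
import tempfile

AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/attributes",
    "laravel-lang/http-statuses",
}
DROPPER_FILE = "src/helpers.php"   # autoload.files entry named in the advisory
MARKER_DIR = ".laravel_locale"     # <tmp>/.laravel_locale/ from the IOC table


def audit_lock(lock_text: str) -> list[str]:
    """Return one finding per suspicious entry in a composer.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg.get("name", ""), pkg.get("version", "?")
            if name in AFFECTED_PACKAGES:
                findings.append(f"{name}@{version}: named in the advisory, block until a clean release exists")
            # Composer runs every autoload.files entry on each request, so this is the persistence hook.
            if DROPPER_FILE in pkg.get("autoload", {}).get("files", []):
                findings.append(f"{name}@{version}: autoloads {DROPPER_FILE}, executes on every request")
    return findings


def marker_present(tmp_dir: str = tempfile.gettempdir()) -> list[str]:
    """List infection-marker and staging files under <tmp>/.laravel_locale/, if the directory exists."""
    path = os.path.join(tmp_dir, MARKER_DIR)
    if not os.path.isdir(path):
        return []
    return sorted(os.listdir(path))


# Constructed sample lock: one advisory package carrying the dropper, one unrelated clean package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.0-constructed",
         "autoload": {"files": ["src/helpers.php"], "psr-4": {"LaravelLang\\Lang\\": "src"}}},
        {"name": "vendor/clean-package", "version": "0.0.0-constructed",
         "autoload": {"psr-4": {"Vendor\\Clean\\": "src"}}},
    ],
    "packages-dev": [],
})
```

Run it on a real project with audit_lock(open("composer.lock").read()) and marker_present(); both return lists, so an empty result from each is the clean case.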
The post Threat Actor Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos appeared first on Cyber Security News.
