A sophisticated software supply chain attack has successfully compromised the Laravel-Lang ecosystem, impacting hundreds of package versions and exposing developers to severe credential theft.
On May 22, 2026, security researchers from Aikido Security and Socket disclosed an active campaign that exploited GitHub’s version-tagging system to inject remote code execution (RCE) backdoors into widely used third-party localization packages.
The attackers successfully compromised over 700 historical version tags across multiple repositories within the community-maintained Laravel Lang project, including laravel-lang/lang, laravel-lang/attributes, and laravel-lang/http-statuses.
Rather than committing malicious code directly to the official repositories, the threat actors exploited a GitHub feature that allows version tags to point to commits from a fork.
By creating tags linked to a malicious fork they controlled, the attackers bypassed standard developer scrutiny, Socket said.
According to Socket’s analysis, the malicious activity is rooted in a file named src/helpers.php. Because this file was registered in composer.json under autoload.files, the backdoor executes automatically on every PHP request handled by the compromised application once Composer’s autoloader runs.
The initial dropper disguises itself as a routine localization helper. However, it contains a self-executing code block that fingerprints the host machine using an MD5 hash of the file path, hostname, and inode.
This ensures the malware only triggers once, dropping an infection marker in the system’s temporary directory (sys_get_temp_dir()/.laravel_locale/).
To evade static analysis, the dropper dynamically decodes its Command and Control (C2) hostname at runtime using character codes. It then reaches out to flipboxstudio[.]info/payload, turning off SSL verification to ensure the fetch succeeds even under interception.
On Linux and macOS, it executes the payload via exec(), while on Windows, it drops a .vbs launcher.
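The dropper traits described above (a chr()-built C2 hostname, curl with peer verification disabled, an exec() call, and the .laravel_locale staging directory) can be turned into a simple content heuristic for triage. The following is an added example, not detection logic from Aikido, Socket or the Laravel Lang project; the PHP text it scans is a constructed stub that contains only those surface traits, and the regexes are assumptions about how the traits appear, so treat hits as leads for manual review rather than verdicts.

```python
"""Heuristic scan of Composer-autoloaded PHP files for the dropper traits
described in the Aikido/Socket write-up. Added example, not the
researchers' detection rules. The PHP strings below are constructed stubs
carrying only the surface traits, not the actual malware."""
import os
import re
import tempfile

MARKER_DIR = ".laravel_locale"

# One regex per trait; a benign autoloaded helper rarely hits more than one.
TRAITS = {
    "chr-built string": re.compile(r"(?:chr\(\d+\)\s*\.\s*){3,}chr\(\d+\)"),
    "curl peer verification disabled": re.compile(
        r"CURLOPT_SSL_VERIFYPEER\s*,\s*(?:false|0)\b", re.I),
    "exec() call": re.compile(r"\bexec\s*\("),
    "laravel_locale staging dir": re.compile(re.escape(MARKER_DIR)),
}

# Constructed stub mirroring the advisory's description; it does nothing.
SAMPLE_HELPER = r"""<?php
function trans_choice_locale($key) { return $key; }
$d = sys_get_temp_dir() . '/.laravel_locale/';
$h = chr(102) . chr(108) . chr(105) . chr(112);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
exec($cmd);
"""

# Constructed benign helper for comparison.
CLEAN_HELPER = r"""<?php
function __($key, array $replace = []) { return trans($key, $replace); }
"""


def scan_php(source: str) -> list[str]:
    """Return the names of dropper traits present in a PHP source string."""
    return [name for name, rx in TRAITS.items() if rx.search(source)]


def find_infection_markers(tmp_dir: str) -> list[str]:
    """List entries under <tmp>/.laravel_locale/, the dropper's staging dir.

    An empty list means no marker was found there; it does not prove the
    host is clean, since the payload may have run and cleaned up already.
    """
    marker_dir = os.path.join(tmp_dir, MARKER_DIR)
    if not os.path.isdir(marker_dir):
        return []
    return sorted(os.listdir(marker_dir))


def scan_vendor(vendor_dir: str) -> dict[str, list[str]]:
    """Scan every *.php below vendor/ and map each hit to its traits."""
    hits: dict[str, list[str]] = {}
    for root, _dirs, files in os.walk(vendor_dir):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(root, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_php(fh.read())
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    print("sample stub traits:", scan_php(SAMPLE_HELPER))
    print("clean helper traits:", scan_php(CLEAN_HELPER))
    print("markers in temp dir:", find_infection_markers(tempfile.gettempdir()))
    if os.path.isdir("vendor"):
        for path, found in scan_vendor("vendor").items():
            print(path, "->", ", ".join(found))
```

Run it from a project root to walk vendor/ and to check the current machine's temp directory for the staging folder; a file that trips two or more traits in one autoloaded helper is worth pulling for manual review.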
The second stage is a highly sophisticated, 5,900-line PHP information stealer orchestrated into 15 specialized collector modules, Aikido said.
According to Aikido, the stealer is designed to systematically strip a compromised server or developer machine of virtually all sensitive data; it encrypts the harvested intelligence with AES-256 before exfiltrating it to flipboxstudio[.]info/exfil.
The stealer targets a massive array of secrets, including:
- kubeconfig files, and HashiCorp Vault tokens.
- .git-credentials, .env files, and CI/CD pipeline tokens from Jenkins, GitLab Runners, and GitHub Actions.
- DebugChromium.exe to bypass Chrome’s App-Bound Encryption natively.
Indicators of compromise reported by the researchers:
| Indicator Type | Indicator | Description |
|---|---|---|
| Domain | flipboxstudio[.]info | Primary C2 server for payload fetch and exfiltration. |
| URL | https://flipboxstudio[.]info/payload | Initial stage dropper fetch endpoint. |
| Network | 169.254.169.254 | Outbound requests to cloud metadata endpoints from suspicious processes. |
| File Path | <tmp>/.laravel_locale/<md5_hash> | Infection marker to prevent redundant execution. |
| File Path | sys_get_temp_dir()/.laravel_locale/ | Staging location for downloaded payload. |
| File | <tmp>/.laravel_locale/<12 random hex chars>.php | The dropped PHP stealer payload. |
| File | <tmp>/.laravel_locale/<8 random hex chars>.vbs | Windows launcher payload. |
| File | src/helpers.php | Malicious autoloaded file registered in composer.json. |
| Executable | DebugChromium.exe | Windows artifact used to bypass Chrome DPAPI protection. |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Packagist has temporarily unlisted the affected packages to prevent further installations. Security teams should immediately review composer.lock for laravel-lang/lang, laravel-lang/http-statuses, or laravel-lang/attributes and block those packages until verified clean versions are available.
Incident response teams should immediately rotate all cloud credentials, SSH keys, database passwords, and API keys accessible to the host.
Finally, affected hosts and CI/CD runners should be rebuilt using a known-good image, preserving logs and Composer cache contents for forensic analysis.
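A script for the composer.lock review step, as an added example that is not tooling from Packagist, Aikido, Socket or the Laravel Lang project. It assumes that composer.lock records each package's own "autoload" block (Composer writes it there), and the embedded lock content is constructed sample data with a placeholder commit reference and sample version numbers, not a real project's lock file.

```python
"""Composer lock-file triage for the Laravel-Lang advisory. Added example;
the lock content below is constructed sample data, not a real lock file."""
import json
import sys

# Packages named in the advisory; every version is suspect until Packagist
# re-lists verified clean releases.
AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/attributes",
    "laravel-lang/http-statuses",
}
MALICIOUS_AUTOLOAD_FILE = "src/helpers.php"

# Constructed composer.lock fragment: one clean package and one package that
# is both named in the advisory and autoloads the dropper path.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "monolog/monolog",          # sample clean entry
            "version": "1.0.0",                 # sample version
            "autoload": {"psr-4": {"Monolog\\": "src/Monolog"}},
        },
        {
            "name": "laravel-lang/lang",
            "version": "1.0.0",                 # sample version
            "source": {"type": "git", "reference": "PLACEHOLDER_COMMIT_SHA"},
            "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src"},
                         "files": ["src/helpers.php"]},
        },
    ],
    "packages-dev": [],
})


def triage_lock(lock_text: str) -> list[dict]:
    """Return one finding per suspicious package in a composer.lock document.

    A package is reported if its name is on the advisory list, or if any
    package, whatever its name, registers src/helpers.php under
    autoload.files (the mechanism that runs the dropper on every request).
    """
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            reasons = []
            if pkg.get("name") in AFFECTED_PACKAGES:
                reasons.append("named in Laravel-Lang advisory")
            if MALICIOUS_AUTOLOAD_FILE in pkg.get("autoload", {}).get("files", []):
                reasons.append("autoload.files registers src/helpers.php")
            if reasons:
                findings.append({
                    "section": section,
                    "name": pkg.get("name"),
                    "version": pkg.get("version"),
                    "reference": pkg.get("source", {}).get("reference"),
                    "reasons": reasons,
                })
    return findings


def main(argv: list[str]) -> int:
    """Usage: python triage.py [path/to/composer.lock]; exits 1 on findings."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCK  # fall back to the constructed sample
    findings = triage_lock(text)
    for f in findings:
        print(f"{f['section']}: {f['name']} {f['version']} @ {f['reference']}: "
              f"{'; '.join(f['reasons'])}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit code makes it usable as a CI gate. For each reported package, the locked source.reference is the commit to verify: after cloning the official repository, `git branch -r --contains <reference>` shows whether that commit is reachable from any upstream branch; a commit reachable only through a tag matches the fork-tag technique described above.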
The post Threat Actor Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos appeared first on Cyber Security News.