A sophisticated and active supply chain attack has struck the Laravel-Lang open-source organization, compromising over 700 historical package versions across four widely used PHP localization repositories.
The attack, detected on May 22, 2026, and reported by both Aikido Security and the Socket Research Team, introduces a fully functional remote code execution (RCE) backdoor that executes automatically via Composer’s autoloader without any user interaction.
The affected packages, laravel-lang/lang (7.8k GitHub stars), laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions, are not part of the official Laravel framework but are widely used third-party localization libraries.
Packagist responded rapidly by taking down the malicious versions and temporarily unlisting the packages to prevent further installations.
Compromised Laravel-Lang Packages via GitHub Repo
What separates this attack from standard repository compromises is that no malicious code was ever committed to the official repos.
GitHub allows version tags to reference commits from forks of the same repository, and the attacker weaponized this feature to create legitimate-looking release tags pointing to commits inside a malicious fork they controlled, said Socket.
The malicious tags were published in rapid succession on May 22–23, 2026, with many versions appearing only seconds apart across the 12.x, 13.x, 14.x, and 15.x release lines of laravel-lang/lang, as well as across laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions.
Socket’s analysis confirmed a malicious src/helpers.php file registered in composer.json under autoload.files, meaning the backdoor executes automatically on every PHP request handled by a compromised application.
The malicious src/helpers.php file masquerades as a routine Laravel localization helper, defining two harmless-looking functions before executing a covert self-running block.
The C2 domain flipboxstudio[.]info is dynamically constructed at runtime using character code arrays (array_map('chr', [...])) to defeat static string analysis.
The dropper fingerprints each host using an MD5 hash of the file path, system architecture, and inode number, writing a one-time execution marker to prevent duplicate infections, Aikido said.
It then fetches the second-stage payload flipboxstudio[.]info/payload with TLS verification explicitly disabled. On Linux/macOS, execution proceeds via exec("php ...") in the background; on Windows, the dropper generates a .vbs launcher and runs it silently via cscript.
The second-stage payload is a ~5,900-line cross-platform PHP credential stealer organized into 17 specialist collector modules.
After sweeping the host, it encrypts all harvested data with a hardcoded XOR key (k9X2mP7vL4nQ8wR1) and exfiltrates it to flipboxstudio[.]info/exfil, then self-deletes to erase forensic traces.
The stealer’s harvesting reach is extraordinarily broad:
- Cloud infrastructure: siphons AWS, GCP, and Azure authentication tokens, along with HashiCorp Vault secrets and Kubernetes kubeconfig files.
- CI/CD pipelines: Jenkins master.key and credentials.xml, GitHub Actions secrets, GitLab Runners, CircleCI, TravisCI, and ArgoCD configs.
- Developer credentials: SSH private keys, .git-credentials, shell history (bash, zsh, psql, mysql), .env files, wp-config.php, docker-compose.yml, and package manager auth configs (.npmrc, .pypirc, .composer/auth.json).
- Browsers and password managers: saved passwords from 17 Chromium-based browsers; it drops a base64-embedded DebugChromium.exe binary specifically to bypass Chrome v127+ App-Bound Encryption; Firefox is decrypted natively via NSS; targets 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass.
- Cryptocurrency wallets: Bitcoin, Ethereum, Monero wallet files; browser extension wallets including MetaMask, Phantom, Trust Wallet, and Rabby; scans for plaintext seed.txt and recovery.txt files.
| Indicator | Type |
|---|---|
| flipboxstudio[.]info | C2 domain |
| flipboxstudio[.]info/payload | Payload delivery URL |
| flipboxstudio[.]info/exfil | Exfiltration endpoint |
| src/helpers.php | Malicious dropper file |
| autoload.files → src/helpers.php | Composer autoload trigger |
| | Per-host infection marker |
| | Dropped stealer payload |
| | Windows VBS launcher |
| DebugChromium.exe | Chrome DPAPI decryption binary |
| 169.254.169.254 | Cloud metadata access (EC2 IMDS) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Teams using any affected Laravel-Lang packages should treat impacted hosts as fully compromised. Immediately audit composer.lock for laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, and block these packages until clean versions are confirmed.
Given the stealer’s extensive reach, full credential rotation is critical. Prioritize cloud provider credentials, Kubernetes Service Account tokens, Vault tokens, CI/CD secrets, GitHub/GitLab tokens, SSH keys, database credentials, the Laravel APP_KEY, and any secrets stored in environment variables.
Rebuild affected containers, hosts, and CI runners from known-good images, and preserve logs, including composer.lock, Composer cache, DNS/network logs, and temp directory contents before remediation.
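As an added triage aid (not code from the advisory or from either research team), the script below audits a composer.lock for the four named packages and for any package whose autoload.files entry would auto-run src/helpers.php, and decodes the array_map('chr', [...]) string construction the report describes so an analyst can read what a suspicious helper resolves to. The lock file, version string and helper snippet are constructed samples; the decoded value is a placeholder, not the real C2.

```python
import json
import re

# The four packages named in the advisory.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}

# Constructed sample lock (not a real artifact): one clean package and one
# entry that mirrors the reported autoload.files -> src/helpers.php trigger.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "3.0.0",
         "autoload": {"psr-4": {"Monolog\\": "src/Monolog"}}},
        {"name": "laravel-lang/lang", "version": "0.0.0-constructed",
         "autoload": {"psr-4": {"LaravelLang\\": "src"},
                      "files": ["src/helpers.php"]}},
    ],
    "packages-dev": [],
})

def audit_lock(lock_text):
    """Return (package, version, reason) tuples for every risky entry."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, ver = pkg.get("name", ""), pkg.get("version", "")
        files = pkg.get("autoload", {}).get("files", [])
        if name in AFFECTED:
            findings.append((name, ver, "affected Laravel-Lang package"))
        if any(f.endswith("src/helpers.php") for f in files):
            findings.append((name, ver, "autoload.files runs src/helpers.php"))
    return findings

# Obfuscation tell reported for the dropper: strings built from chr() arrays.
CHR_ARRAY = re.compile(r"array_map\(\s*['\"]chr['\"]\s*,\s*\[([\d,\s]+)\]")

def decode_chr_arrays(php_source):
    """Decode each chr() array in a helper file into the string it yields."""
    return ["".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
            for m in CHR_ARRAY.finditer(php_source)]

# Constructed helper snippet; decodes to the placeholder "example".
SAMPLE_HELPER = "$h = implode('', array_map('chr', [101,120,97,109,112,108,101]));"

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print("FINDING:", *finding)
    print("decoded strings:", decode_chr_arrays(SAMPLE_HELPER))
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of composer.lock and SAMPLE_HELPER with vendor/*/src/helpers.php; a hit on either check means the host should be treated as compromised per the guidance above.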