Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos
A sophisticated supply chain attack on the Laravel-Lang ecosystem injected credential-stealing backdoors into 233 package versions across 700 GitHub repositories.
A highly sophisticated supply chain attack has compromised the Laravel-Lang ecosystem, injecting credential-stealing remote code execution backdoors into 233 package versions across 700 GitHub repositories.
Discovered in May 2026 by Socket and Aikido, threat actors manipulated GitHub tags to distribute malware through Composer's autoloader, granting complete remote access to developer environments.
Attack Vector
The attackers bypassed direct repository commits by exploiting GitHub's version tagging system to point legitimate tags toward a malicious fork. When developers pulled the affected localization packages via Packagist, the malicious src/helpers.php executed automatically due to Composer's autoload.files directive. This method effectively hid the malware from standard repository audits while inheriting full web application permissions.
Stealthy Dropper
The initial infection phase utilizes a stealthy dropper that masquerades as a standard Laravel localization function. It fingerprints the host system using specific hardware metrics and establishes a temporary marker file to prevent redundant executions. The payload disables SSL verification and fetches a secondary script from an obfuscated command-and-control server, launching it silently via OS-specific methods.
Payload Execution
| OS | Mechanism | Privilege |
|---|---|---|
| Linux | exec("php ...") in background |
Application user |
| macOS | exec("php ...") in background |
Application user |
| Windows | Generated .vbs script via cscript |
Application user |
The fetched payload is an extensive PHP credential stealer containing 15 specialized collector modules. It systematically targets sensitive developer secrets, including cloud metadata, database credentials, and environment configuration files.
After harvesting the secrets, the malware encrypts the payload using AES-256 and exfiltrates it to the attacker's infrastructure before deleting itself to evade forensic detection.
Targeted Data
- Cloud access keys for AWS, GCP, Azure, and DigitalOcean
- Infrastructure configurations including Kubernetes profiles, Docker tokens, and HashiCorp Vault secrets
- Developer assets such as SSH private keys, Git credentials, and shell history files
- Saved browser passwords, cryptocurrency wallets, and password manager databases
Mitigation
Security researchers advise immediate rotation of all application secrets, database credentials, and API keys exposed to compromised environments. Development teams must inspect their composer.lock files to block affected Laravel-Lang packages and audit outbound network traffic for suspicious connections. Systems running compromised packages should be entirely rebuilt from known-good images.
Indicators of Compromise
| Type | Indicator |
|---|---|
| Domain (C2) | flipboxstudio[.]info |
| URL (Payload Fetch) | https://flipboxstudio[.]info/payload |
| URL (Exfiltration) | https://flipboxstudio[.]info/exfil |
| File Path (Malicious) | src/helpers.php |
| File Path (Infection Marker) | <tmp>/.laravel_locale/<md5_hash> |
| File Path (Dropped Stealer) | <tmp>/.laravel_locale/<12 random hex chars>.php |
| IP Address | 169.254.169.254 |