BleepingComputer
A supply chain attack on the Laravel Lang localization packages has pushed a cross-platform credential-stealing payload to developers who installed them through Composer. The attackers did not publish new releases; they rewrote the packages' existing git tags on GitHub so that those tags resolved to malicious commits.
On Friday, the security firms StepSecurity, Aikido Security, and Socket warned of the compromise, reporting that the attackers had rewritten the git tags of four repositories in the Laravel Lang GitHub organization rather than releasing new versions.
The compromised packages are laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions. These Laravel Lang packages are third-party localization libraries and are not part of the official Laravel framework.
Aikido counted 233 compromised versions across three repositories, while Socket estimates that roughly 700 historical versions may be affected.
Attack Method
Notably, the projects' source code was never modified on the repositories themselves. Instead, the attackers relied on how GitHub handles forks: a commit pushed to a fork is stored alongside the parent repository's objects and can be referenced from the parent by its hash, so a tag in the parent repository can point at a commit that exists only in a fork.
"Instead of releasing a new malicious version, the attackers rewrote every git tag in each repository to redirect to a new malicious commit," StepSecurity elaborated.
"The rewrites began at 22:32 UTC on laravel-lang/lang (the primary Laravel translations package, containing 502 tags) and were completed by 00:00 UTC for laravel-lang/actions. All four repositories exhibited the same counterfeit author identity, modified files, and payload behavior, indicating that one individual, using a compromised credential with organization-wide push access, conducted these actions."
The rewritten tags therefore kept their legitimate-looking release names while resolving to malicious commits that lived only in an attacker-controlled fork.
Because Packagist and Composer resolve a tagged version to whatever commit the tag points at, developers who installed or updated these packages received the malicious code under the name of an authentic Laravel Lang release.
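The following script is an added example, not code from the article or from the Laravel Lang project. It reproduces the tag-rewrite technique in two throwaway local repositories ('upstream' stands in for a laravel-lang repository, 'fork' for the attacker-controlled fork, both constructed here) and then shows the check that exposes it: a release tag whose commit is not an ancestor of any upstream branch. The package names, commit messages and file contents are placeholders; GitHub's shared fork storage is emulated by fetching the fork's commit into FETCH_HEAD without merging it anywhere.

```shell
#!/bin/sh
# Added example, not the article's or Laravel Lang's code: simulate a release tag being
# rewritten to point at a commit that exists only in a fork, then detect it.
set -eu

WORK=$(mktemp -d)
G="git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"

# 1. Upstream repository with two legitimate annotated release tags on main.
$G init -q "$WORK/upstream"
cd "$WORK/upstream"
$G symbolic-ref HEAD refs/heads/main
echo '{"name": "example/lang"}' > composer.json          # constructed placeholder package
$G add composer.json
$G commit -qm "initial release"
$G tag -a v0.9.0 -m "release 0.9.0"
echo '{"name": "example/lang", "version": "1.0.0"}' > composer.json
$G commit -qam "release 1.0.0"
$G tag -a v1.0.0 -m "release 1.0.0"

# 2. Attacker's fork: one extra commit adding src/helpers.php. It is never merged upstream.
$G clone -q "$WORK/upstream" "$WORK/fork"
cd "$WORK/fork"
mkdir src
echo '<?php // stand-in for the dropper; no payload here' > src/helpers.php
$G add src/helpers.php
$G commit -qm "release 1.0.0"      # same message as the genuine release commit

# 3. On GitHub, commits pushed to a fork live in the parent's object network, so the upstream
#    repo can reference them by SHA. Emulate that by fetching the fork's branch into FETCH_HEAD
#    only (no upstream branch ever contains the commit), then point the EXISTING tag at it.
#    This is the rewrite the attackers performed on every tag.
cd "$WORK/upstream"
$G fetch -q "$WORK/fork" main
EVIL=$($G rev-parse FETCH_HEAD)
$G tag -f -a v1.0.0 -m "release 1.0.0" "$EVIL" >/dev/null

# check_tag REPO TAG BRANCH -> "ok" when the tag's commit is in BRANCH's history, "orphan" when
# it is reachable only through the tag (the fingerprint of a tag rewritten to a fork commit).
check_tag() {
  commit=$(git -C "$1" rev-parse "$2^{commit}")
  if git -C "$1" merge-base --is-ancestor "$commit" "$3"; then
    echo ok
  else
    echo orphan
  fi
}

# A consumer verifying tags before trusting them:
check_tag "$WORK/upstream" v0.9.0 main    # ok
check_tag "$WORK/upstream" v1.0.0 main    # orphan
```

The check is cheap to run against a real clone (`git fetch --tags --force` first, since git refuses to move an existing local tag otherwise), and it generalises beyond this incident: any release tag that is not an ancestor of a branch the maintainers actually publish deserves a look before the commit it names is built or installed.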
Credential Stealer Payload
The malicious commits added a file, src/helpers.php, that Composer loaded automatically, so the code ran whenever the package's autoloader was included.
The injected code was a dropper: it fetched a second-stage payload from the attackers' command-and-control server at flipboxstudio[.]info.
That second stage is a PHP credential stealer that runs on Linux, macOS, and Windows and collects a wide range of sensitive data, including:
- Cloud credentials
- Kubernetes secrets
- Vault tokens
- Git credentials
- CI/CD secrets
- SSH keys
- Browser data
- Cryptocurrency wallets
- Password managers
- VPN configurations
- Local .env configuration files
The malware also carries regular expressions for extracting AWS keys, GitHub tokens, Slack tokens, Stripe secrets, database credentials, JWTs, SSH private keys, and cryptocurrency recovery phrases from files and environment variables.
Windows Component
On Windows, the PHP payload additionally decodes a base64-encoded executable embedded in the script, writes it to the %TEMP% folder under a randomized .exe filename, and executes it.
The Windows infostealer, named 'DebugElevator', targets Chrome, Brave, and Edge to extract the App-Bound Encryption keys needed to decrypt the browsers' stored credentials.
An embedded PDB path references the Windows account name 'Mero' and contains the directory name 'claude', suggesting the Windows component was developed with AI assistance:
C:\Users\Mero\OneDrive\Desktop\stuff\claude\Chromium-DebugElevator\x64\Release\DebugChromium.pdb
Once harvested, the data is encrypted and sent to the command-and-control server.
Response and Recommendations
Aikido reported the incident to Packagist, which removed the malicious versions and temporarily unlisted the affected packages to stop further installations.
Developers using Laravel Lang packages are strongly advised to:
- Review which versions of the affected packages are installed (composer.lock records each package's version and the commit it resolved to).
- Rotate any credentials that may have been exposed, including cloud, CI/CD, Git, SSH, and .env secrets.
- Inspect their systems for signs of compromise.
- Search historical network logs for outbound connections to flipboxstudio[.]info.
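As an added example (not part of the article, and not a tool from Aikido, Socket, StepSecurity or the Laravel Lang project), the script below implements the first and third steps above as two shell functions: one lists every laravel-lang package in a composer.lock with its version and source commit, the other walks vendor/ for the two indicators the reports describe, an added src/helpers.php and a reference to flipboxstudio[.]info. It runs against a constructed composer.lock and vendor tree (placeholder version number and commit hash, a harmless stand-in for the dropper) so that it works offline; on a real project, point the functions at the project's own composer.lock and vendor directory.

```shell
#!/bin/sh
# Added example, not the article's or Laravel Lang's code: review locked versions and
# scan vendor/ for the published indicators of the Laravel Lang compromise.
set -eu

# locked_versions COMPOSER_LOCK -> "package version source-commit" for every laravel-lang package.
# Assumes the standard composer.lock layout: "name", then "version", then "source": {"reference"}.
locked_versions() {
  awk '
    /"name": "laravel-lang\// { n=$2; gsub(/[",]/, "", n) }
    n != "" && /"version":/   { v=$2; gsub(/[",]/, "", v) }
    n != "" && /"reference":/ { r=$2; gsub(/[",]/, "", r); print n, v, r; n="" }
  ' "$1"
}

# scan_vendor VENDOR_DIR -> one line per laravel-lang package showing an indicator:
# the added dropper file src/helpers.php, or the C2 hostname (defanged or not) anywhere in it.
scan_vendor() {
  for pkg in "$1"/laravel-lang/*/; do
    [ -d "$pkg" ] || continue
    hits=""
    [ -f "${pkg}src/helpers.php" ] && hits="$hits helpers.php"
    if grep -rqE 'flipboxstudio(\[\.\]|\.)info' "$pkg"; then hits="$hits c2-domain"; fi
    [ -n "$hits" ] && echo "laravel-lang/$(basename "$pkg"):$hits"
  done
  return 0
}

# --- constructed fixtures: placeholder version and commit hash, not real release data ---
WORK=$(mktemp -d)
cat > "$WORK/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "laravel-lang/lang",
            "version": "1.2.3",
            "source": {
                "type": "git",
                "url": "https://github.com/Laravel-Lang/lang.git",
                "reference": "0123456789abcdef0123456789abcdef01234567"
            }
        },
        {
            "name": "example/unrelated",
            "version": "2.0.0",
            "source": { "type": "git", "url": "https://example.invalid/x.git", "reference": "ffff" }
        }
    ]
}
EOF
mkdir -p "$WORK/vendor/laravel-lang/lang/src" "$WORK/vendor/laravel-lang/attributes/src"
echo '<?php // ordinary translation loader' > "$WORK/vendor/laravel-lang/attributes/src/Plugin.php"
# Stand-in for the injected dropper: only the C2 hostname as a string, no downloader logic.
printf '<?php // dropper stand-in: %s\n' 'flipboxstudio[.]info' > "$WORK/vendor/laravel-lang/lang/src/helpers.php"

locked_versions "$WORK/composer.lock"   # laravel-lang/lang 1.2.3 0123456789abcdef0123456789abcdef01234567
scan_vendor "$WORK/vendor"              # laravel-lang/lang: helpers.php c2-domain
```

The commit hash that locked_versions prints is the useful part of the first step: it is the exact commit Composer fetched, and it can be checked against the upstream repository's branch history independently of the tag name. Note that a clean scan of vendor/ does not prove a host was never affected, since the dropper only had to run once to fetch the second stage; treat it as one input alongside the credential rotation and network-log review above.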