Cybersecurity

Critical Laravel Packages Poisoned with Credential-Stealing Malware

May 25, 2026 3 min read Source: Securityweek 12 views

A significant supply chain attack has compromised several widely used Laravel-Lang packages, injecting malicious code designed for extensive credential theft. This incident highlights a sophisticated attack vector leveraging manipulated Git tags to bypass traditional code repository integrity checks, posing a substantial risk to development environments and deployed applications.

Attackers orchestrated the compromise by creating malicious version tags that pointed to commits within their own controlled forks, effectively bypassing direct modification of the official repositories.
The introduced malware initially fingerprints the infected system, then establishes communication with an external command-and-control server to deploy a PHP-based credential stealer payload.
The sophisticated credential stealer targets a vast array of sensitive information, including cloud service keys (AWS, GCP, Azure), Docker and Kubernetes configurations, developer credentials, SSH keys, browser data, and cryptocurrency wallet information across multiple operating systems.

Intelligence briefing: Why this matters: This incident underscores the sophisticated methods threat actors employ to target the software supply chain, posing significant risk to the integrity of development environments and the security of sensitive operational data for military and IT infrastructure alike.

Four popular Composer packages maintained by the Laravel-Lang organization were poisoned with malware after hackers rewrote all their Git tags, security researchers warn.

The affected packages, namely laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, are third-party localization libraries used by Laravel applications.

The Laravel-Lang supply chain attack started on May 22. During a 15-minute window, the attackers published malicious version tags across three of the packages, StepSecurity says. By 00:00 UTC, May 23, all four packages had been poisoned.

“The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization’s release process, rather than a single malicious package version,” Socket notes.

According to the supply chain security firm, the malicious tags were published across over 700 historical versions of the four packages, potentially impacting all applications that fetched updates for them or installed them fresh.

“What makes this particularly sneaky is that the malicious code was never committed to the official repos at all. GitHub allows version tags to point to commits from a fork of the same repository. The attacker exploited this to create tags pointed to commits in a malicious fork they controlled,” Aikido Security explains.

The malicious version tags contained a file named src/helpers.php, posing as a Laravel localization helper. The code fingerprints the machine, then connects to the command-and-control (C&C) domain flipboxstudio[.]info to fetch a PHP credential stealer and execute it in the background.

The malware was designed to harvest cloud keys and tokens (including AWS, GCP, and Azure), Docker and Kubernetes configurations, HashiCorp Vault tokens, Helm repository configurations, SSH private keys, developer credentials, authentication tokens, shell history files, and credential-storing files.

Additionally, the malware would target credentials stored in browsers and password managers, cryptocurrency wallets and extensions, various communication platforms, VPN configuration files, and various high-value configuration and credential files across Windows, Linux, and macOS systems.

Organizations and users alike are advised to block the affected packages and treat any systems that installed them as potentially compromised. They should also confirm the availability of clean versions and install them.

“Because the payload targets cloud metadata, Kubernetes tokens, Vault, CI/CD systems, browser data, password managers, source control credentials, VPN configs, SSH keys, .env files, and local application configs, affected teams should rotate any secrets available to hosts, containers, CI runners, or developer machines that installed or ran the compromised packages,” Socket notes.

Related: Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack

Related: Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack

Related: Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack

Analysis

This attack vector, exploiting Git tag manipulation rather than direct repository commits, represents an evolving challenge in supply chain security, making detection considerably more complex. It signals a strategic shift by adversaries to penetrate deep into development pipelines, where access to high-value credentials can enable lateral movement into critical cloud and on-premise systems. Organizations must bolster their software supply chain defenses beyond basic code integrity checks, focusing on comprehensive artifact verification and runtime monitoring.

supply chain attacklaravelcomposer packagescredential theftmalwarecybersecuritysoftware security

📰 Primary Source: Securityweek