Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos

A highly sophisticated supply chain attack has compromised the Laravel-Lang ecosystem, injecting credential-stealing remote code execution backdoors into 233 package versions across 700 GitHub repositories.

Discovered in May 2026 by Socket and Aikido, threat actors manipulated GitHub tags to distribute malware through Composer’s autoloader, granting complete remote access to developer environments.

The attackers bypassed direct repository commits by exploiting GitHub’s version tagging system to point legitimate tags toward a malicious fork.

When developers pulled the affected localization packages via Packagist, the malicious src/helpers.php executed automatically due to Composer’s autoload.files directive. This method effectively hid the malware from standard repository audits while inheriting full web application permissions.

The initial infection phase utilizes a stealthy dropper that masquerades as a standard Laravel localization function. It fingerprints the host system using specific hardware metrics and establishes a temporary marker file to prevent redundant executions.

Aikido observed that the payload disables SSL verification and fetches a secondary script from an obfuscated command-and-control server, launching it silently via OS-specific methods.

Operating System	Execution Mechanism	Privilege Level
Linux	Background execution using exec("php ...")	Application user
macOS	Background execution using exec("php ...")	Application user
Windows	Generated .vbs script running via cscript	Application user

The fetched payload is an extensive PHP credential stealer containing 15 specialized collector modules. It systematically targets sensitive developer secrets, including cloud metadata, database credentials, and environment configuration files.

After harvesting the secrets, the malware encrypts the payload using AES-256 and exfiltrates it to the attacker’s infrastructure before deleting itself to evade forensic detection.

The malware framework systematically strips the infected machine of high-value configurations and credentials:

• Cloud access keys for AWS, GCP, Azure, and DigitalOcean.
• Infrastructure configurations including Kubernetes profiles, Docker tokens, and HashiCorp Vault secrets.
• Developer assets such as SSH private keys, Git credentials, and shell history files.
• Saved browser passwords, cryptocurrency wallets, and password manager databases.

Security researchers advise immediate rotation of all application secrets, database credentials, and API keys exposed to compromised environments.

Development teams must inspect their composer.lock files to block affected Laravel-Lang packages and audit outbound network traffic for suspicious connections.

Systems running compromised packages should be entirely rebuilt from known-good images to ensure total eradication of the persistent threat.

Indicators of Compromise

Type	Indicator
Domain (C2)	flipboxstudio[.]info
URL (Payload Fetch)	https://flipboxstudio[.]info/payload
URL (Exfiltration)	https://flipboxstudio[.]info/exfil
File Path (Malicious)	src/helpers.php
File Path (Infection Marker)	<tmp>/.laravel_locale/<md5_hash>
File Path (Dropped Stealer)	<tmp>/.laravel_locale/<12 random hex chars>.php
File Path (Windows Launcher)	<tmp>/.laravel_locale/<8 random hex chars>.vbs
Artifact (Windows)	DebugChromium.exe
IP Address	169.254.169.254

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.