Malicious Laravel Packages Deploy PHP RAT, Granting Remote Access to Compromised Systems
A sophisticated supply chain attack has recently targeted the PHP developer community, specifically through Packagist—the official package repository for PHP and Laravel projects. The threat actor, operating under the alias nhattuanbl, introduced several packages that masqueraded as standard Laravel utility libraries. These packages concealed a fully functional remote access trojan (RAT), providing attackers with covert and persistent control over any system that installed them.
The Deceptive Strategy
The attacker’s approach was both straightforward and effective: blending in seamlessly with legitimate packages. Between June and December 2024, nhattuanbl published six packages under the same author name, despite the associated Packagist account dating back to December 2015. Three of these packages were entirely benign, likely serving to build credibility. The remaining three, however, harbored malicious intent:
1. nhattuanbl/lara-helper: Contained a malicious payload within the `src/helper.php` file.
2. nhattuanbl/simple-queue: Also included the same malicious payload in its `src/helper.php` file.
3. nhattuanbl/lara-swagger: While devoid of malicious code itself, this package had a hard Composer dependency on `lara-helper`, effectively making it a clean-looking carrier for the malicious payload.
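An added defender-side check, not code from the Socket.dev report or from the packages themselves: a Python script that audits a project's composer.lock for the packages listed above and for any package that pulls one of them in through its Composer dependencies, the way lara-swagger carried lara-helper. The sample lock file and the acme/internal-docs package name are constructed for illustration.

```python
import json

# Package names as reported on the page. lara-swagger is not listed here because it carried
# no payload itself; the audit below finds it through its Composer dependency on lara-helper.
KNOWN_BAD = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue"}


def audit_composer_lock(lock_text: str) -> dict:
    """Flag packages in a composer.lock that are known-bad or that pull one in transitively.

    Returns {"malicious": [...], "carriers": [...]} in lock-file order. Carriers are packages
    whose dependency closure reaches a known-bad package (e.g. lara-swagger -> lara-helper).
    """
    lock = json.loads(lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    graph = {p["name"]: set(p.get("require", {})) for p in packages}

    def reaches_bad(name: str, seen: frozenset = frozenset()) -> bool:
        if name in KNOWN_BAD:
            return True
        if name in seen:  # cycle guard for mutually dependent packages
            return False
        return any(reaches_bad(dep, seen | {name}) for dep in graph.get(name, ()))

    findings = {"malicious": [], "carriers": []}
    for pkg in packages:
        name = pkg["name"]
        if name in KNOWN_BAD:
            findings["malicious"].append(name)
        elif reaches_bad(name):
            findings["carriers"].append(name)
    return findings


# Constructed sample lock file (not from any real project): the carrier package that requires
# lara-helper, plus a hypothetical first-party package that depends on the carrier.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "require": {"php": "^8.1"}},
        {"name": "nhattuanbl/lara-swagger", "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "require": {"php": ">=7.4"}},
        {"name": "acme/internal-docs", "require": {"nhattuanbl/lara-swagger": "^1.0"}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # Run against a real project with: audit_composer_lock(open("composer.lock").read())
    print(audit_composer_lock(SAMPLE_LOCK))
```

A non-empty "carriers" list matters as much as a direct hit: removing the flagged package from composer.json alone will not help if another dependency still requires it.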
Technical Analysis of the RAT
Security analysts from Socket.dev identified the remote access trojan embedded within these malicious packages. Upon installation, the payload initiates a connection to a command-and-control (C2) server at `helper[.]leuleu[.]net` on port 2096. It transmits a comprehensive system profile and awaits commands from the operator, granting the attacker full remote control over the compromised host.
The researchers have submitted takedown requests to the Packagist team; however, at the time of publication, the packages remained active.
Broad Implications
The ramifications of this campaign are extensive. Any Laravel application that incorporated these packages now harbors a persistent RAT operating within the same process as the web application. This RAT has access to critical environment variables, database credentials, and API keys stored in `.env` files. Notably, the payload is cross-platform, affecting Windows, macOS, and Linux systems alike, thereby posing a universal threat to developers regardless of their operating system.
Persistent Threat Mechanism
A particularly alarming aspect of this attack is its resilience. Even if the C2 server becomes unreachable, the RAT does not cease its operations. It attempts to reconnect every 15 seconds indefinitely, allowing the attacker to redirect it to a new host at any time without modifying the existing payload. Once loaded, the RAT operates silently in the background from the moment the application starts, making detection and removal challenging.
In-Depth Look at the Infection Mechanism
The infection chain is meticulously designed for stealth. The malicious `helper.php` file is 27,340 bytes in size and is delivered as a single continuous line after the opening `