A sophisticated supply chain attack has infiltrated the Laravel-Lang ecosystem, compromising 233 package versions across 700 GitHub repositories. This breach introduced credential-stealing remote code execution (RCE) backdoors into widely used localization packages.
The attack, discovered in May 2026 by security firms Socket and Aikido, exploited GitHub’s version tagging system. Instead of making direct commits, the attackers manipulated tags to point to malicious forks. Consequently, developers who pulled these packages via Packagist unknowingly executed the malicious src/helpers.php file, which Composer’s autoloader processed automatically. This method effectively concealed the malware from standard repository audits while granting it full web application permissions.
The initial phase of the attack involved a stealthy dropper masquerading as a standard Laravel localization function. This dropper fingerprinted the host system using specific hardware metrics and created a temporary marker file to prevent redundant executions. It then disabled SSL verification and fetched a secondary script from an obfuscated command-and-control (C2) server, launching it silently through OS-specific methods.
Payload Execution Methods
The payload execution varied based on the operating system:
- Linux: Background execution using exec("php ...") with application user privileges.
- macOS: Similar to Linux, utilizing exec("php ...") with application user privileges.
- Windows: Generated a .vbs script running via cscript with application user privileges.
The fetched payload was an extensive PHP credential stealer containing 15 specialized collector modules. It systematically targeted sensitive developer secrets, including cloud metadata, database credentials, and environment configuration files. After harvesting these secrets, the malware encrypted the data using AES-256 and exfiltrated it to the attacker’s infrastructure before deleting itself to evade forensic detection.
The malware framework systematically stripped the infected machine of high-value configurations and credentials, such as:
- Cloud access keys for AWS, GCP, Azure, and DigitalOcean.
- Infrastructure configurations, including Kubernetes profiles, Docker tokens, and HashiCorp Vault secrets.
- Developer assets like SSH private keys, Git credentials, and shell history files.
- Saved browser passwords, cryptocurrency wallets, and password manager databases.
Security researchers advise immediate rotation of all application secrets, database credentials, and API keys exposed to compromised environments. Development teams should inspect their composer.lock files to block affected Laravel-Lang packages and audit outbound network traffic for suspicious connections. Systems running compromised packages should be entirely rebuilt from known-good images to ensure total eradication of the persistent threat.
Indicators of Compromise
Key indicators include:
- Domain (C2): flipboxstudio[.]info
- URL (Payload Fetch): https://flipboxstudio[.]info/payload
- URL (Exfiltration): https://flipboxstudio[.]info/exfil
- File Path (Malicious): src/helpers.php
- File Path (Infection Marker): <tmp>/.laravel_locale/<md5_hash>
- File Path (Dropped Stealer): <tmp>/.laravel_locale/<12 random hex chars>.php
- File Path (Windows Launcher): <tmp>/<random>.vbs
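The composer.lock inspection recommended above and the infection-marker paths listed here can be combined into a quick triage check. The following is an added example, not code from the article or from the Laravel-Lang project; the composer.lock fragment is constructed, the package version in it is a placeholder, and the check only flags laravel-lang/* packages that autoload files (it cannot tell a clean src/helpers.php from a tampered one, so flagged packages still need comparison against a known-good copy).

```python
import json
import tempfile
from pathlib import Path

# Constructed composer.lock fragment (not any real project's lockfile). The version is a
# placeholder; the article does not list which 233 versions were affected.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.0-placeholder",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
                    "reference": "0000000000000000000000000000000000000000"},
         "autoload": {"files": ["src/helpers.php"]}},
        {"name": "monolog/monolog", "version": "3.0.0",
         "autoload": {"psr-4": {"Monolog\\": "src/Monolog"}}},
    ],
    "packages-dev": [],
})


def laravel_lang_autoloaded_files(lock_text: str) -> list:
    """Return (name, version, autoloaded files) for every laravel-lang/* package in a
    composer.lock. Files in autoload.files run on every request via the Composer autoloader,
    which is how the article says the malicious src/helpers.php was executed."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if not pkg.get("name", "").lower().startswith("laravel-lang/"):
                continue
            files = pkg.get("autoload", {}).get("files", [])
            hits.append((pkg["name"], pkg.get("version", "?"), list(files)))
    return hits


def infection_markers(tmp_dir: str) -> list:
    """List entries under <tmp>/.laravel_locale/, the marker and dropper directory named in
    the indicators of compromise. An empty list means the directory is absent or empty."""
    marker_dir = Path(tmp_dir) / ".laravel_locale"
    if not marker_dir.is_dir():
        return []
    return sorted(p.name for p in marker_dir.iterdir())


def build_constructed_marker_dir() -> str:
    """Create a throwaway temp dir mimicking the IoC layout so the check can be exercised
    offline (constructed test data, not an artifact from an infected host)."""
    tmp = tempfile.mkdtemp()
    marker_dir = Path(tmp) / ".laravel_locale"
    marker_dir.mkdir()
    (marker_dir / "d41d8cd98f00b204e9800998ecf8427e").touch()  # md5-shaped marker name
    (marker_dir / "0123456789ab.php").touch()                   # 12-hex-char dropper name
    return tmp
```

Run laravel_lang_autoloaded_files over a real project's composer.lock and infection_markers over the web server's temp directory (for PHP, the path sys_get_temp_dir() reports) as part of the rotation-and-rebuild response the article describes.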
This incident underscores the critical importance of securing the software supply chain. Developers must remain vigilant, regularly audit dependencies, and implement robust security practices to mitigate such risks.
Source: CyberSecurityNews