Full Report
Cybersecurity researchers have flagged a fresh software supply chain attack campaign that has targeted multiple PHP packages belonging to Laravel-Lang to deliver a comprehensive credential-stealing framework. The affected packages include:
- laravel-lang/lang
- laravel-lang/http-statuses
- laravel-lang/attributes
- laravel-lang/actions
"The timing and pattern of the newly published tags
Analysis Summary
# Incident Report: Compromise of Laravel-Lang PHP Packages
## Executive Summary
A sophisticated supply chain attack targeted the Laravel-Lang organization, resulting in the compromise of multiple widely used PHP packages. Attackers injected a cross-platform credential stealer into over 700 newly published version tags to harvest cloud metadata, authentication tokens, and sensitive developer data. The incident highlights the risk that compromised release automation poses to the PHP ecosystem: a single set of organization-level credentials was enough to push malicious versions of several packages at once.
## Incident Details
- **Discovery Date:** May 23, 2026
- **Incident Date:** May 22 – May 23, 2026
- **Affected Organization:** Laravel-Lang (maintainers of language assets for the Laravel framework)
- **Sector:** Software Development / Open Source Ecosystem
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 22, 2026
- **Vector:** Probable compromise of organization-level credentials or CI/CD automation tokens.
- **Details:** Attackers gained the ability to publish new tags across multiple repositories within the Laravel-Lang GitHub organization.
### Lateral Movement
- **Details:** Attackers used automation to publish over 700 malicious tags across the affected repositories (`lang`, `http-statuses`, `attributes`, and `actions`) within seconds of each other. Because Packagist ingests GitHub tags as package versions, each tag became an installable release almost immediately.
### Data Exfiltration/Impact
- **Details:** Compromised versions included a `src/helpers.php` file registered under `autoload.files` in `composer.json`, so Composer's generated autoloader `require`s it before any application code runs. On execution, the script fingerprinted the host and downloaded a secondary PHP payload that harvested cloud IAM credentials, Kubernetes tokens, cryptocurrency wallets, SSH keys, and browser credentials, exfiltrating them to a remote C2 server.
### Detection & Response
- **How it was discovered:** Flagged by cybersecurity researchers at Socket and Aikido Security who noticed the unusual pattern of rapid tag publication.
- **Response actions taken:** Analysis of the malicious `helpers.php` and the secondary 5,900-line stealer payload; public disclosure to warn the Laravel community.
## Attack Methodology
- **Initial Access:** Valid account/token usage (Supply Chain Compromise).
- **Persistence:** Registration in `composer.json` under `autoload.files` ensures execution in every process that includes `vendor/autoload.php`: web requests, `artisan` commands, queue workers, and Composer scripts alike.
- **Privilege Escalation:** Not applicable; the malware runs with whatever privileges the PHP process already has, whether the web server account on a production host or a developer's own account on a workstation.
- **Defense Evasion:** Unique per-host MD5 markers to prevent redundant execution; self-deletion of the payload after exfiltration.
- **Credential Access:** Harvesting of `.env` files, browser credential databases (including bypassing Chrome's App-Bound Encryption, ABE), and cloud instance metadata service (IMDS) tokens.
- **Discovery:** System fingerprinting (path, architecture, inode).
- **Lateral Movement:** Enabled by the stolen IAM, Kubernetes, and GitLab tokens, giving attackers a path into the victims' cloud and DevOps environments.
- **Collection:** Sophisticated modules targeting 15+ categories of sensitive data.
- **Exfiltration:** Data encrypted with AES-256 and sent via POST requests to the C2.
- **Impact:** Massive credential theft involving cloud providers, CI/CD pipelines, and financial (crypto) assets.
## Impact Assessment
- **Financial:** High potential risk due to the theft of cryptocurrency seed phrases and cloud provider billing access.
- **Data Breach:** Extensive; includes SSH keys, database credentials, and session tokens for Slack, Discord, and Telegram.
- **Operational:** Risk of downstream compromise for any application utilizing Laravel-Lang packages.
- **Reputational:** Significant impact on the perceived security of the Laravel-Lang organization and the PHP package ecosystem.
## Indicators of Compromise
- **Network Indicators:**
- flipboxstudio[.]info (C2 and Payload Delivery)
- flipboxstudio[.]info/exfil (Exfiltration endpoint)
- **File Indicators:**
- `src/helpers.php` (containing the malicious dropper/host-fingerprinting logic)
- **Behavioral Indicators:**
- Unexpected outbound requests to external domains from a PHP web server.
- Presence of MD5-based host markers in temporary directories.
- Automated rapid-fire publication of hundreds of GitHub tags.
## Response Actions
- **Containment:** Removal of malicious tags from GitHub and Packagist (coordinated by maintainers).
- **Eradication:** Identification of installs containing the malicious `src/helpers.php`, followed by reinstalling the affected packages at known-good versions from a clean `composer.lock` (deleting the file in place leaves the generated autoloader referencing a missing file and does not remove the compromised package).
- **Recovery:** Users must audit `.env` files and rotate all credentials (cloud, SSH, API, database, and chat/session tokens) that were present on any system where a compromised version was installed, including developer workstations and CI runners, not only production servers.
## Lessons Learned
- **Key Takeaways:** Automated release triggers are a high-value target; MFA and strict token scoping are mandatory for organization maintainers.
- **Improvement:** Dependency pinning via `composer.lock` helps, but only as far as it is honored: the lock records each package's commit reference, so `composer install` against an existing lock is unaffected by newly published tags, whereas `composer update`, a fresh `composer require`, or a CI job that installs without the lock resolves the newest matching tag and would pull a malicious version.
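The following script is an added example, not code from the report or from the Laravel-Lang project. It triages a project's `composer.lock` in the way the lesson above suggests: it reports the four package names the report lists, flags entries whose `time` falls in the report's May 22-23, 2026 window so they can be compared against the maintainers' list of malicious tags, and checks whether each `dist` entry embeds its commit reference in the download URL (the property that makes `composer install` immune to re-pointed or newly published tags). The embedded lock file is constructed for the demonstration; its version numbers and commit hashes are invented and are not the malicious tags.

```python
"""Triage a composer.lock for the packages named in the Laravel-Lang advisory."""
import json
import sys
from datetime import datetime, timezone

# Package names taken from the report.
AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
# Incident window from the report (May 22-23, 2026, UTC); widen it if later
# information extends the window.
WINDOW_START = datetime(2026, 5, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 24, tzinfo=timezone.utc)


def is_pinned(pkg):
    """True when the lock records a commit reference and the dist URL embeds it.

    Packagist dist URLs for GitHub-hosted packages end in the commit SHA, so a
    locked `composer install` fetches that exact commit no matter where the tag
    points afterwards. A dist entry without a reference is resolved by name only.
    """
    dist = pkg.get("dist") or {}
    ref = dist.get("reference") or ""
    url = dist.get("url") or ""
    return bool(ref) and ref in url


def in_window(pkg):
    """True when the package's publication time lies inside the incident window."""
    stamp = pkg.get("time")
    if not stamp:
        return False
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return WINDOW_START <= ts < WINDOW_END


def triage(lock):
    """Return one finding per package that is affected, unpinned, or both."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            flags = []
            if name in AFFECTED:
                flags.append("affected-package")
                if in_window(pkg):
                    flags.append("published-in-incident-window")
            if not is_pinned(pkg):
                flags.append("dist-not-pinned-to-reference")
            if flags:
                findings.append({
                    "name": name,
                    "version": pkg.get("version"),
                    "reference": (pkg.get("dist") or {}).get("reference"),
                    "flags": flags,
                })
    return findings


# Constructed sample lock file. Versions, hashes and the second package's date
# are invented for the demonstration and do not identify real malicious tags.
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {
      "name": "laravel-lang/lang",
      "version": "99.0.1",
      "dist": {
        "type": "zip",
        "url": "https://api.github.com/repos/Laravel-Lang/lang/zipball/0123456789abcdef0123456789abcdef01234567",
        "reference": "0123456789abcdef0123456789abcdef01234567"
      },
      "time": "2026-05-22T21:17:04+00:00"
    },
    {
      "name": "laravel-lang/attributes",
      "version": "2.0.0",
      "dist": {
        "type": "zip",
        "url": "https://api.github.com/repos/Laravel-Lang/attributes/zipball/89abcdef0123456789abcdef0123456789abcdef",
        "reference": "89abcdef0123456789abcdef0123456789abcdef"
      },
      "time": "2025-11-02T08:00:00+00:00"
    },
    {
      "name": "example/unpinned",
      "version": "1.2.3",
      "dist": {"type": "zip", "url": "https://example.invalid/unpinned-1.2.3.zip"},
      "time": "2025-01-01T00:00:00+00:00"
    }
  ],
  "packages-dev": []
}
""")

if __name__ == "__main__":
    # Usage: python triage_lock.py [path/to/composer.lock]; defaults to the sample.
    lock = SAMPLE_LOCK
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    for finding in triage(lock):
        print(f"{finding['name']} {finding['version']} {finding['reference']}: "
              + ", ".join(finding["flags"]))
```

Run it against each project's committed `composer.lock` and against the lock actually present on deployed hosts and CI runners, since those can differ. A package flagged only as `affected-package` with a publication time before the window is not evidence of compromise on its own; compare the recorded reference against the versions the maintainers confirm as clean.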
## Recommendations
- **Prevention:** Implement Two-Factor Authentication (2FA) for all package maintainers and limit the scope of CI/CD tokens to specific repositories rather than the entire organization.
- **Monitoring:** Utilize behavior-based security tools that monitor for unauthorized outbound connections from production PHP environments.
- **Audit:** Regularly audit `composer.json` files for unexpected `autoload.files` entries, including those of installed packages, which Composer records in `vendor/composer/installed.json`; any path listed there runs unconditionally whenever the autoloader is loaded.
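As an added example that is not part of the report or of Laravel-Lang's code, the script below implements the audit recommended above and the persistence mechanism described under Attack Methodology. It reads the `autoload.files` section of every installed package from `vendor/composer/installed.json` (handling both the Composer 2 `{"packages": [...]}` layout and the older bare-list layout), then diffs the result against a baseline recorded from a known-good install so that a package which suddenly starts shipping an autoloaded file, such as the `src/helpers.php` described in the report, appears as a new entry. The `installed.json` content and the baseline are constructed for the demonstration; the package versions and PSR-4 namespaces in them are placeholders.

```python
"""Audit Composer's installed-package metadata for newly autoloaded files."""
import json
import sys
from pathlib import Path


def packages_from_installed(data):
    """Composer 2 wraps packages in {"packages": [...]}; Composer 1 wrote a bare list."""
    if isinstance(data, dict):
        return data.get("packages", [])
    return data


def autoload_files(data):
    """Map package name -> sorted list of paths Composer requires unconditionally.

    Only `autoload.files` matters here: PSR-4/classmap entries load on demand,
    whereas every path under `files` is required by vendor/autoload.php at the
    start of each process, which is how the malicious helpers.php gained execution.
    """
    result = {}
    for pkg in packages_from_installed(data):
        files = (pkg.get("autoload") or {}).get("files") or []
        if files:
            result[pkg["name"]] = sorted(files)
    return result


def diff_autoload(current, baseline):
    """Return (package, path) pairs present now but absent from the baseline."""
    new_entries = []
    for name, files in sorted(current.items()):
        known = set(baseline.get(name, []))
        for path in files:
            if path not in known:
                new_entries.append((name, path))
    return new_entries


def audit_vendor(vendor_dir, baseline):
    """Load vendor/composer/installed.json from disk and diff it against a baseline."""
    data = json.loads(Path(vendor_dir, "composer", "installed.json").read_text(encoding="utf-8"))
    return diff_autoload(autoload_files(data), baseline)


# Constructed sample of vendor/composer/installed.json (Composer 2 layout).
# Versions and namespaces are placeholders; the laravel-lang/lang entry models
# the `autoload.files` registration the report describes.
SAMPLE_INSTALLED = {
    "packages": [
        {
            "name": "laravel/framework",
            "version": "v11.0.0",
            "autoload": {
                "files": [
                    "src/Illuminate/Support/helpers.php",
                    "src/Illuminate/Collections/helpers.php",
                ],
                "psr-4": {"Illuminate\\": "src/Illuminate/"},
            },
        },
        {
            "name": "laravel-lang/lang",
            "version": "99.0.1",
            "autoload": {
                "psr-4": {"Vendor\\Lang\\": "src/"},
                "files": ["src/helpers.php"],
            },
        },
        {
            "name": "laravel-lang/attributes",
            "version": "2.0.0",
            "autoload": {"psr-4": {"Vendor\\Attributes\\": "src/"}},
        },
    ],
    "dev": True,
    "dev-package-names": [],
}

# Constructed baseline: the autoload.files entries recorded from a known-good
# install. Packages not listed here are expected to ship no autoloaded files.
BASELINE = {
    "laravel/framework": [
        "src/Illuminate/Collections/helpers.php",
        "src/Illuminate/Support/helpers.php",
    ],
}

if __name__ == "__main__":
    # Usage: python audit_autoload.py [path/to/vendor]; defaults to the sample data.
    if len(sys.argv) > 1:
        new_entries = audit_vendor(sys.argv[1], BASELINE)
    else:
        new_entries = diff_autoload(autoload_files(SAMPLE_INSTALLED), BASELINE)
    for name, path in new_entries:
        print(f"NEW autoloaded file: {name} -> {path}")
```

Record the baseline from an install built from a lock file you trust (for example, `json.dump(autoload_files(data), fh)` over the same `installed.json`) and store it outside the `vendor` directory, then run the audit as a CI step after `composer install` and on a schedule against deployed hosts. Review any new entry by reading the file itself rather than trusting its name; a harmless-looking `helpers.php` is exactly what this campaign used.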