Active Supply Chain Attack Targets Laravel-Lang Open-Source Organization
An active supply chain attack against the Laravel-Lang open-source organization has compromised more than 700 historical package versions across four widely used PHP localization repositories. It was detected on May 22, 2026 and investigated by Aikido Security and the Socket Research Team, who found that the affected versions carry a working remote code execution (RCE) backdoor loaded through Composer's autoloader, so it runs without any user interaction.
The affected packages are laravel-lang/lang (about 7.8k GitHub stars), laravel-lang/attributes, laravel-lang/http-statuses and laravel-lang/actions. None of them is part of the Laravel framework itself, but they are pulled into many PHP applications as third-party localization libraries, which is what gives a compromise of this kind its reach.
Packagist responded by removing the compromised versions and temporarily unlisting the packages to stop further installations. That stops new installs but does nothing for hosts that already pulled a poisoned version, so developers and organizations were urged to review their dependencies immediately.
Unique Method of Attack: Exploiting Forked Repositories
What distinguishes this attack from a typical repository compromise is that no malicious code was ever committed to the official repositories. GitHub keeps the commits of a repository and of its forks in one shared object store, so a tag in the upstream repository can point at a commit that was only ever pushed to a fork. The attacker used that to create authentic-looking release tags in the official repositories that resolved to commits in a fork under their control; Packagist builds its version list from those tags, so consumers saw legitimate package names and release URLs that delivered attacker-authored code. The tell-tale sign is a tag whose commit is not reachable from any branch of the upstream repository.
Between May 22 and May 23, 2026 the attacker pushed multiple malicious tags across several version lines, including the 12.x, 13.x, 14.x and 15.x lines of laravel-lang/lang, with others in the sibling packages. Socket's analysis identified the malicious file as src/helpers.php, registered in composer.json under autoload.files. Composer includes every file listed there each time vendor/autoload.php is loaded, so the backdoor executed whenever the application booted, which for a Laravel app means every web request, artisan command and queue worker.
The file is built to pass a casual review: it looks like an ordinary Laravel localization helper and defines harmless-looking functions, but it also contains a self-executing block that runs on include and is written to stay quiet.
Complexities of the Attack: Advanced C2 Communication
The command-and-control (C2) domain, flipboxstudio[.]info, never appears as a literal string. It is assembled at runtime from arrays of character codes, which defeats grep-style string matching and any signature keyed on the domain. The obfuscation costs the attacker nothing and forces defenders either to decode character-code arrays in vendor code or to watch network egress rather than file contents.
The dropper fingerprints each host with an MD5 hash of the file path, system architecture and inode number, and writes a marker keyed on that hash so the same host is not infected twice. It then fetches a second-stage payload from flipboxstudio[.]info/payload with TLS certificate verification deliberately disabled, so the download succeeds even against a self-signed or intercepted certificate. On Linux and macOS the payload is launched with exec("php ..."); on Windows the dropper writes a .vbs launcher that runs it silently. The marker file and any DNS or proxy record for that host are worth collecting before the host is rebuilt.
The second stage is a PHP credential stealer of roughly 5,900 lines, organised into 17 collector modules. Its reach is the alarming part: a single compromised web host yields far more than the web application's own secrets.
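A minimal decoder for the obfuscation described above, added here as an illustration and not taken from Aikido's, Socket's or the attacker's code. It scans PHP source for integer arrays and chr() chains, decodes any that yield printable ASCII, and reports the ones that look like a hostname or URL. The PHP snippet, its placeholder host and the function names are constructed for the example; the real dropper's exact layout is not shown on this page.

```python
import os
import re

# Constructed sample, not the real helpers.php: a "localization helper" that
# assembles a URL from character codes so the literal never appears in the
# file.  The host is a placeholder; the article's real IOC is
# flipboxstudio[.]info.
SAMPLE_PHP = r'''<?php
function __lang_path($key) { return __DIR__ . '/lang/' . $key; }
$h = [104,116,116,112,115,58,47,47,99,50,46,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100];
$p = array(47, 112, 97, 121, 108, 111, 97, 100);
$u = implode('', array_map('chr', $h)) . implode('', array_map('chr', $p));
$ua = chr(99).chr(117).chr(114).chr(108);
$sizes = [1, 2, 3];
'''

# A PHP array literal (either syntax) made only of small integers.
ARRAY_RE = re.compile(r'(?:\[|\barray\s*\()\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*[\]\)]')
# A run of at least four chr(n) calls joined by the concatenation operator.
CHR_CHAIN_RE = re.compile(r'(?:chr\s*\(\s*\d{1,3}\s*\)\s*\.?\s*){4,}')
CHR_NUM_RE = re.compile(r'chr\s*\(\s*(\d{1,3})\s*\)')
# Something that reads as a hostname or URL once decoded.
HOST_RE = re.compile(r'(?i)(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:]\S*)?')

MIN_LEN = 4  # shorter arrays are almost always data, not strings


def decode_codes(codes):
    """Map a list of ints to a string if every value is printable ASCII."""
    if len(codes) < MIN_LEN or not all(32 <= c <= 126 for c in codes):
        return None
    return ''.join(chr(c) for c in codes)


def find_encoded_strings(php_source):
    """Return (decoded, kind) for every char-code array or chr() chain that decodes."""
    found = []
    for m in ARRAY_RE.finditer(php_source):
        s = decode_codes([int(x) for x in m.group(1).split(',')])
        if s is not None:
            found.append((s, 'array'))
    for m in CHR_CHAIN_RE.finditer(php_source):
        s = decode_codes([int(x) for x in CHR_NUM_RE.findall(m.group(0))])
        if s is not None:
            found.append((s, 'chr-chain'))
    return found


def find_hidden_hosts(php_source):
    """Decoded strings that look like a hostname or URL, de-duplicated and sorted."""
    return sorted({s for s, _ in find_encoded_strings(php_source) if HOST_RE.search(s)})


def scan_tree(root):
    """Walk a vendor/ tree and report hidden hosts per PHP file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                hosts = find_hidden_hosts(fh.read())
            if hosts:
                report[path] = hosts
    return report


if __name__ == '__main__':
    for host in find_hidden_hosts(SAMPLE_PHP):
        print('hidden host/URL:', host)
```

Point scan_tree at vendor/ to cover a whole install. An offset or XOR key applied to each code is the obvious next evasion, so if a real sample decodes to garbage, try subtracting a constant from every value before giving up. This is slower than a hash check but catches the case a hash check cannot: a string that simply is not present in the file.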
Scope of Compromise: What the Stealer Collects
The collector modules target a broad set of secrets, each of which gives an attacker a foothold well beyond the compromised web host:
- Cloud infrastructure: AWS, GCP and Azure authentication tokens, Vault secrets and Kubernetes kubeconfig files.
- CI/CD pipelines: the Jenkins master.key and other critical configuration files from various CI/CD platforms.
- Developer credentials: SSH keys, .git-credentials and secrets held in environment variables.
- Browsers and password managers: saved passwords from 17 Chromium-based browsers and specific password management applications.
- Cryptocurrency wallets: wallet files and plaintext seed files, which allow direct financial theft.
Immediate Actions Required for Vulnerable Systems
Teams that use any of the affected Laravel-Lang packages should treat every host that installed an affected version as compromised. Audit composer.lock files for the four package names and record the resolved version and commit reference of each. Block the affected packages until confirmed-clean versions are available, and remember that Composer will happily reinstall a version from its local cache after Packagist has removed it, so the cache has to be cleared or quarantined as well.
A full credential rotation follows directly from what the stealer collects: cloud provider credentials, Kubernetes service account tokens, CI/CD secrets, SSH keys, git credentials and anything that sat in an environment variable on an affected host. Rotate from a clean machine; rotating on a host that still runs the backdoor hands the new secrets to the attacker.
Rebuild compromised containers, hosts and CI runners from known-good images rather than cleaning them in place, but preserve evidence first: composer.lock, the Composer cache, the helper and marker files, and DNS and network logs showing traffic to the C2 domain.
The incident makes a point that applies well beyond Laravel-Lang: a registry listing and a familiar package name say nothing about which commit a release actually contains. Consumers of open-source packages need lock-file audits, a check that release tags resolve to commits in the upstream repository, and egress monitoring, rather than trust in the registry alone.
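An audit of the kind the steps above call for, covering both the lock-file check and the autoload.files mechanism described earlier. It is an added example, not code from the advisory or from the Laravel-Lang project. It parses a composer.lock, flags the four packages named in this article, reports the commit each one resolved to, and lists every file Composer will include unconditionally via autoload.files. The lock-file excerpt, the version number and the commit hashes are constructed for the example and are not known-bad indicators.

```python
import json
import sys

# Packages named in the advisory.  Any of them in a lock file means the host
# that ran `composer install` must be treated as compromised until proven clean.
AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/attributes",
    "laravel-lang/http-statuses",
    "laravel-lang/actions",
}

# Constructed composer.lock excerpt for the example (not a real lock file;
# the version and commit hashes are placeholders, not known-bad indicators).
SAMPLE_LOCK = r'''{
  "packages": [
    {
      "name": "laravel-lang/lang",
      "version": "15.0.0",
      "source": {"type": "git",
                 "url": "https://github.com/Laravel-Lang/lang.git",
                 "reference": "0123456789abcdef0123456789abcdef01234567"},
      "autoload": {"psr-4": {"LaravelLang\\Locales\\": "src/"},
                   "files": ["src/helpers.php"]}
    },
    {
      "name": "example/unrelated",
      "version": "1.2.3",
      "source": {"type": "git",
                 "url": "https://github.com/example/unrelated.git",
                 "reference": "fedcba9876543210fedcba9876543210fedcba98"},
      "autoload": {"psr-4": {"Example\\Unrelated\\": "src/"}}
    }
  ],
  "packages-dev": []
}'''


def iter_packages(lock):
    """Yield (section, package) for both runtime and dev dependencies."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            yield section, pkg


def list_autoload_files(lock_text):
    """Every file Composer requires on each load of vendor/autoload.php.

    These run on every request, artisan command and queue worker, so each
    entry deserves a look regardless of the package name.
    """
    lock = json.loads(lock_text)
    return [(pkg.get("name", ""), path)
            for _, pkg in iter_packages(lock)
            for path in pkg.get("autoload", {}).get("files", [])]


def audit_lock(lock_text):
    """Return one finding per affected package present in the lock file."""
    lock = json.loads(lock_text)
    findings = []
    for section, pkg in iter_packages(lock):
        name = pkg.get("name", "")
        if name not in AFFECTED:
            continue
        findings.append({
            "package": name,
            "section": section,
            "version": pkg.get("version"),
            # The commit the tag resolved to.  Compare this against the
            # upstream repository's branches; the version string alone
            # cannot tell a clean install from a poisoned one.
            "reference": pkg.get("source", {}).get("reference"),
            "dist_url": pkg.get("dist", {}).get("url"),
            "autoload_files": pkg.get("autoload", {}).get("files", []),
        })
    return findings


def verdict(findings):
    if not findings:
        return "no affected packages in lock file"
    return "COMPROMISED: treat hosts that installed this lock as compromised"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = audit_lock(text)
    print(verdict(hits))
    for h in hits:
        print(f"  {h['section']}: {h['package']} {h['version']} -> {h['reference']}")
        for f in h["autoload_files"]:
            print(f"    autoload.files: {f}")
    print("files Composer includes unconditionally:")
    for name, path in list_autoload_files(text):
        print(f"  {name}: {path}")
```

Run it as `python audit_lock.py path/to/composer.lock`. The reference field is the value to check against the upstream repository: if that commit is not reachable from any branch of the official Laravel-Lang repository, the tag pointed into a fork, which is the signature of this attack. Because historical version numbers were affected, a familiar version string proves nothing on its own.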

