Laravel-Lang PHP Packages Compromised in Supply Chain Attack Dropping Cross-Platform Credential Stealer
Attackers compromised multiple Laravel-Lang PHP packages on Packagist, publishing over 700 malicious tags that deploy a sophisticated credential stealer targeting cloud tokens, crypto wallets, and browser data across Windows, Linux, and macOS.

Cybersecurity researchers have uncovered a supply chain attack targeting the Laravel-Lang organization's PHP packages on Packagist, compromising four popular packages — laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions — to deliver a comprehensive cross-platform credential-stealing framework.
The attack, identified by researchers at Socket and Aikido Security, involved the rapid publication of more than 700 malicious version tags on May 22 and May 23, 2026. The timing and pattern of these tags suggest the attacker gained access to organization-level credentials, repository automation, or the release infrastructure itself, rather than compromising a single package version. Many tags were published only seconds apart, indicating automated mass-tagging or republishing activity.
The malicious code resides in a file named `src/helpers.php` embedded into the version tags. Because this file is registered under `autoload.files` in `composer.json`, the backdoor executes automatically on every PHP request handled by any application that loads a compromised package. The dropper contacts an external server at `flipboxstudio[.]info` to retrieve a PHP-based payload that runs across Windows, Linux, and macOS.
On Windows, the dropper writes a Visual Basic Script (VBS) launcher and executes it via `cscript`. On Linux and macOS, the stealer payload is executed directly via PHP's `exec()` function. The malware generates a unique per-host marker — an MD5 hash combining the directory path, system architecture, and inode — to ensure the payload only executes once per infected machine, helping it avoid detection after the initial run.
Once activated, the ~5,900-line PHP credential stealer deploys fifteen specialist collector modules to harvest a vast array of sensitive data. Targets include IAM roles and instance identity documents from cloud metadata endpoints, Google Cloud application default credentials, Microsoft Azure access tokens, Kubernetes Service Account tokens, and authentication tokens for DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io. The stealer also goes after HashiCorp Vault tokens, CI/CD secrets from Jenkins, GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD, as well as seed phrases and wallet files for major cryptocurrency wallets and browser extensions.
Browser data extraction is particularly aggressive: the stealer targets Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera, using a Base64-encoded embedded Windows executable that bypasses Chromium's app-bound encryption (ABE) protections to extract history, cookies, and saved logins. It also targets password manager vaults for 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass, along with session tokens from Discord, Slack, and Telegram, email client data from Outlook and Thunderbird, SSH private keys, Git credentials, environment variables, VPN configurations, and much more.
All collected data is encrypted with AES-256 and exfiltrated to the same command-and-control server at `flipboxstudio[.]info/exfil`. The payload then deletes itself from disk to limit forensic evidence. Users and organizations that have installed any of the compromised packages should immediately audit their dependencies, rotate all potentially exposed credentials, and check for signs of unauthorized access to cloud infrastructure and CI/CD pipelines. The incident underscores the growing risk to the PHP ecosystem and the broader software supply chain, where automated release processes can be weaponized at scale.
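As an added example (not code from the report, from Socket or Aikido, or from the Laravel-Lang project), the audit below applies the indicators described above to a Composer `vendor/` tree: it flags the four named packages, any `autoload.files` entry that registers `src/helpers.php`, and any eagerly loaded file that contains the C2 hostname. The sample vendor tree, its file contents and the version string are constructed here for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Packages named in the report as compromised.
COMPROMISED = {"laravel-lang/lang", "laravel-lang/http-statuses",
               "laravel-lang/attributes", "laravel-lang/actions"}
C2_MARKER = "flipboxstudio"  # defanged C2 host from the report, matched as a substring


def audit_vendor(vendor: Path) -> list[str]:
    """Read vendor/composer/installed.json and flag the indicators the report describes."""
    data = json.loads((vendor / "composer" / "installed.json").read_text())
    packages = data["packages"] if isinstance(data, dict) else data  # Composer 2 vs 1 layout
    findings = []
    for pkg in packages:
        name = pkg.get("name", "")
        files = pkg.get("autoload", {}).get("files", [])  # loaded on every request
        if name in COMPROMISED:
            findings.append(f"{name} {pkg.get('version', '?')}: named in the report; verify tag upstream")
            if "src/helpers.php" in files:
                findings.append(f"{name}: autoload.files registers src/helpers.php (runs on every request)")
        for rel in files:  # any package: look for the C2 host inside eagerly loaded files
            path = vendor / name / rel
            if path.is_file() and C2_MARKER in path.read_text(errors="ignore"):
                findings.append(f"{name}: {rel} contains {C2_MARKER!r}")
    return findings


def build_demo_vendor(root: Path) -> Path:
    """Constructed sample tree: one clean package and one mimicking the reported indicators."""
    vendor = root / "vendor"
    (vendor / "composer").mkdir(parents=True)
    bad = vendor / "laravel-lang" / "lang" / "src"
    bad.mkdir(parents=True)
    # Constructed stand-in for the dropper file: only the indicator string, no logic.
    (bad / "helpers.php").write_text("<?php // constructed sample; indicator: flipboxstudio[.]info\n")
    installed = {"packages": [
        {"name": "laravel-lang/lang", "version": "v0.0.0-constructed",
         "autoload": {"files": ["src/helpers.php"], "psr-4": {"LaravelLang\\": "src/"}}},
        {"name": "vendor/clean-package", "version": "1.0.0",
         "autoload": {"psr-4": {"Clean\\": "src/"}}},
    ]}
    (vendor / "composer" / "installed.json").write_text(json.dumps(installed))
    return vendor


def run_demo() -> list[str]:
    """Build the constructed tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vendor(build_demo_vendor(Path(tmp)))
```

Point `audit_vendor()` at a real application's `vendor/` directory to run it against an actual install; any finding warrants the credential rotation and access review described above.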