VYPR
breachPublished May 23, 2026· Updated May 25, 2026· 5 sources

Laravel-Lang PHP Packages Compromised in Supply Chain Attack Dropping Cross-Platform Credential Stealer

Attackers compromised multiple Laravel-Lang PHP packages on Packagist, publishing over 700 malicious tags that deploy a sophisticated credential stealer targeting cloud tokens, crypto wallets, and browser data across Windows, Linux, and macOS.

Cybersecurity researchers have uncovered a supply chain attack targeting the Laravel-Lang organization's PHP packages on Packagist, compromising four popular packages — laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions — to deliver a comprehensive cross-platform credential-stealing framework.

The attack, identified by researchers at Socket and Aikido Security, involved the rapid publication of more than 700 malicious version tags on May 22 and May 23, 2026. The timing and pattern of these tags suggest the attacker gained access to organization-level credentials, repository automation, or the release infrastructure itself, rather than compromising a single package version. Many tags were published only seconds apart, indicating automated mass-tagging or republishing activity.

The malicious code resides in a file named src/helpers.php embedded into the version tags. Because this file is registered under autoload.files in composer.json, the backdoor executes automatically on every PHP request handled by any application that loads a compromised package. The dropper contacts an external server at flipboxstudio[.]info to retrieve a PHP-based payload that runs across Windows, Linux, and macOS.

On Windows, the dropper writes a Visual Basic Script (VBS) launcher and executes it via cscript. On Linux and macOS, the stealer payload is executed directly via PHP's exec() function. The malware generates a unique per-host marker — an MD5 hash combining the directory path, system architecture, and inode — to ensure the payload only executes once per infected machine, helping it avoid detection after the initial run.

Once activated, the ~5,900-line PHP credential stealer deploys fifteen specialist collector modules to harvest a vast array of sensitive data. Targets include IAM roles and instance identity documents from cloud metadata endpoints, Google Cloud application default credentials, Microsoft Azure access tokens, Kubernetes Service Account tokens, and authentication tokens for DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io. The stealer also goes after HashiCorp Vault tokens, CI/CD secrets from Jenkins, GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD, as well as seed phrases and wallet files for major cryptocurrency wallets and browser extensions.

Browser data extraction is particularly aggressive: the stealer targets Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera, using a Base64-encoded embedded Windows executable that bypasses Chromium's app-bound encryption (ABE) protections to extract history, cookies, and saved logins. It also targets password manager vaults for 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass, along with session tokens from Discord, Slack, and Telegram, email client data from Outlook and Thunderbird, SSH private keys, Git credentials, environment variables, VPN configurations, and much more.

All collected data is encrypted with AES-256 and exfiltrated to the same command-and-control server at flipboxstudio[.]info/exfil. The payload then deletes itself from disk to limit forensic evidence. Users and organizations that have installed any of the compromised packages should immediately audit their dependencies, rotate all potentially exposed credentials, and check for signs of unauthorized access to cloud infrastructure and CI/CD pipelines. The incident underscores the growing risk to the PHP ecosystem and the broader software supply chain, where automated release processes can be weaponized at scale.

BleepingComputer's analysis of the Windows infostealer component, named 'DebugElevator', reveals it targets Chrome, Brave, and Edge to extract App-Bound Encryption keys needed to decrypt stored browser credentials. An embedded PDB path references the Windows account name 'Mero' and contains 'claude,' potentially indicating AI-assisted development of the malware. The researchers also identified that the PHP payload on Windows extracts a base64-encoded executable written to the %TEMP% folder with a random filename, which then launches the credential-stealing routine.

New reporting from Cyber Security News provides a deeper technical breakdown of the attack, revealing that the payload disables SSL verification and fetches a secondary script from flipboxstudio[.]info, which deploys 15 specialized collector modules targeting cloud keys, database credentials, SSH keys, and password manager data. The article also publishes a full set of indicators of compromise, including the C2 domain, exfiltration URL, and file paths for the malicious helpers.php, infection markers, and dropped stealer scripts across Linux, macOS, and Windows.

SecurityWeek reports that the attack unfolded on May 22 within a 15-minute window, with malicious tags published across over 700 historical versions of the four packages. The poisoned code, never committed to the official repositories, pointed tags to commits in a malicious fork, and the malware was designed to harvest cloud keys, Docker configurations, SSH private keys, and credentials from browsers and password managers. Users are advised to block the affected packages, rotate any exposed secrets, and verify clean versions before reinstalling.

Socket.dev's AI-driven scanning has now identified over 700 compromised GitHub repositories across both Packagist and Node.js ecosystems in this campaign, far exceeding the initial eight Packagist packages. The malicious postinstall scripts download a binary from the attacker-controlled GitHub account 'parikhrpreksha' and save it as '/tmp/.sshd' to mimic a legitimate SSH daemon, with the payload also embedded in GitHub Actions workflow files for CI/CD pipeline execution. Packagist has removed the affected packages, but the branch-tracking nature of many repositories means developers must also clean upstream branches like 'dev-main' and 'dev-master' to fully remediate.

Synthesized by Vypr AI