Published on May 24, 2026

Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer


Severity

Medium

Detail

Cybersecurity researchers have identified a large-scale software supply chain attack targeting multiple Laravel-Lang PHP packages, enabling threat actors to distribute a sophisticated credential-stealing framework across Windows, Linux, and macOS environments. The compromise impacts several widely used Laravel ecosystem packages, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Security researchers reported that attackers compromised the Laravel Lang release process rather than modifying application source code directly. More than 700 package versions were rapidly republished over a short period, suggesting automated mass tagging activity and possible unauthorized access to organization-level credentials, repository automation systems, or release infrastructure.

Unlike traditional software supply chain compromises that inject malware directly into source repositories, the attackers rewrote existing Git tags to point at malicious commits while leaving the visible project source code unchanged. This approach makes the compromise much harder to spot during routine code review, since the branch history looks clean and only the tag-to-commit mapping has moved. The malicious functionality was embedded in a file named “src/helpers.php”, which was registered in the packages' Composer autoload configuration. Because Laravel applications and many PHP frameworks execute package autoload files automatically during application startup, the malicious code runs as soon as an affected application initializes, with no user interaction or manual trigger required.

The injected code fingerprints infected systems and contacts an external command-and-control infrastructure to retrieve a secondary PHP payload capable of executing across Windows, Linux, and macOS systems.

How?

The attack chain begins when compromised Laravel packages are installed or updated within PHP environments. Attackers modified package configuration files so that the malicious helper script executes automatically during application initialization. The malware establishes host uniqueness by generating a machine-specific identifier derived from system attributes. This mechanism ensures payload execution occurs only once per host, reducing detection opportunities and minimizing suspicious repeated activity.

The initial dropper behavior differs depending on operating system:

  • Windows – Deploys a Visual Basic Script launcher and executes it using cscript
  • Linux/macOS – Executes credential-stealing payloads directly using system execution functions

The secondary payload is a large, modular credential stealer whose collection modules are specialized for harvesting sensitive information from a wide range of enterprise technologies and cloud environments.

Threat actors targeted sensitive assets including:

  • Cloud metadata services, IAM roles, and cloud access tokens
  • Google Cloud and Microsoft Azure credentials
  • Kubernetes service account tokens and cluster configurations
  • CI/CD platform credentials from Jenkins, GitHub Actions, GitLab Runners, CircleCI, TravisCI, and ArgoCD
  • Authentication tokens from DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io
  • HashiCorp Vault tokens
  • Browser credentials, cookies, login sessions, and browsing history
  • Password manager vault information
  • SSH private keys and Git credentials
  • Docker authentication tokens and environment configuration files
  • VPN profiles and saved credentials
  • Database history files and shell command histories
  • RDP files and Windows Credential Manager data
  • Messaging application session tokens
  • Email client configuration and stored credentials
  • Cryptocurrency wallet seed phrases and wallet extension information

The malware also extracts stored credentials, cookies and session data from major browsers, including Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera, and targets stored authentication data from password managers and enterprise development environments.

Collected information is encrypted using AES-256 before exfiltration to attacker-controlled infrastructure. After successful transmission, the malware removes itself from disk to reduce forensic artifacts and hinder incident response investigations.

Recommendation

Organizations using Laravel-Lang packages should immediately review dependency versions and verify package integrity against trusted sources. Any recently updated Laravel-Lang components should be treated as potentially compromised until validated.

Security teams should perform threat hunting activities focused on:

  • Unexpected outbound connections from PHP application servers
  • Unauthorized modifications within Composer dependency directories
  • Suspicious PHP execution behavior during application startup
  • Credential access activity involving cloud environments
  • Unexpected browser credential extraction attempts
  • Unauthorized access to Kubernetes or CI/CD credentials
  • New outbound traffic toward unknown infrastructure
  • Signs of credential theft or token misuse

Organizations should rotate exposed credentials immediately, particularly cloud access tokens, CI/CD secrets, SSH keys, VPN credentials, and privileged service accounts. Additional security controls should include dependency integrity monitoring, software supply chain validation procedures, strict repository access governance, and enhanced monitoring for unusual package publishing activity.
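The retagging technique described above has a useful property for defenders: composer.lock records not only the version string of every installed package but also the exact commit reference it was resolved to, and the package's autoload configuration. A version that keeps the same number while its commit reference changes, or that suddenly gains a "files" autoload entry, is therefore visible in a diff of lock files even when the upstream source tree looks untouched. The following script is an added example written for this advisory; it is not code from the advisory's source or from the Laravel-Lang project. It assumes a known-good composer.lock captured before the incident (BASELINE_LOCK) is compared against the lock file currently deployed (CURRENT_LOCK). Both lock documents are constructed samples: the versions, namespaces, URLs and 40-character commit references are placeholders, and only the package names and the "src/helpers.php" autoload path come from the advisory.

```python
"""Compare two composer.lock snapshots for supply-chain red flags.

Added illustrative example, not code from the advisory or the Laravel-Lang
project. BASELINE_LOCK is a known-good lock file captured before the incident;
CURRENT_LOCK is the lock file currently deployed. Both are constructed samples
with placeholder versions, URLs and commit references.
"""
import json
from typing import Dict, List

BASELINE_LOCK = r"""
{
  "packages": [
    {
      "name": "laravel-lang/lang",
      "version": "1.0.0",
      "source": {"type": "git", "url": "https://example.invalid/lang.git",
                 "reference": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
      "autoload": {"psr-4": {"Example\\Lang\\": "src/"}}
    },
    {
      "name": "laravel-lang/attributes",
      "version": "1.0.0",
      "source": {"type": "git", "url": "https://example.invalid/attributes.git",
                 "reference": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
      "autoload": {"psr-4": {"Example\\Attributes\\": "src/"}}
    }
  ],
  "packages-dev": []
}
"""

# Constructed "after" state: same version strings, but laravel-lang/lang now
# resolves to a different commit and has gained a "files" autoload entry,
# which is the moved-tag pattern the advisory describes.
CURRENT_LOCK = r"""
{
  "packages": [
    {
      "name": "laravel-lang/lang",
      "version": "1.0.0",
      "source": {"type": "git", "url": "https://example.invalid/lang.git",
                 "reference": "cccccccccccccccccccccccccccccccccccccccc"},
      "autoload": {"psr-4": {"Example\\Lang\\": "src/"},
                   "files": ["src/helpers.php"]}
    },
    {
      "name": "laravel-lang/attributes",
      "version": "1.0.0",
      "source": {"type": "git", "url": "https://example.invalid/attributes.git",
                 "reference": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
      "autoload": {"psr-4": {"Example\\Attributes\\": "src/"}}
    }
  ],
  "packages-dev": []
}
"""


def index_packages(lock_json: str) -> Dict[str, dict]:
    """Map package name -> lock entry, covering both prod and dev packages."""
    data = json.loads(lock_json)
    pkgs = data.get("packages", []) + data.get("packages-dev", [])
    return {p["name"]: p for p in pkgs}


def autoload_files(pkg: dict) -> List[str]:
    """Files Composer includes unconditionally on every request (autoload.files)."""
    return sorted(pkg.get("autoload", {}).get("files", []))


def source_ref(pkg: dict) -> str:
    """Resolved commit: source.reference, falling back to dist.reference."""
    src = pkg.get("source") or {}
    dist = pkg.get("dist") or {}
    return src.get("reference") or dist.get("reference") or ""


def diff_locks(baseline_json: str, current_json: str,
               watch_prefix: str = "laravel-lang/") -> List[dict]:
    """Return findings worth a human look, most severe patterns first per package."""
    base = index_packages(baseline_json)
    cur = index_packages(current_json)
    findings: List[dict] = []
    for name, pkg in sorted(cur.items()):
        old = base.get(name)
        if old is None:
            findings.append({"package": name, "type": "new-package",
                             "detail": pkg.get("version", "")})
            continue
        # Any newly autoloaded file runs at application startup: always report it.
        new_files = sorted(set(autoload_files(pkg)) - set(autoload_files(old)))
        if new_files:
            findings.append({"package": name, "type": "new-autoload-files",
                             "detail": ",".join(new_files)})
        same_version = pkg.get("version") == old.get("version")
        if same_version and source_ref(pkg) != source_ref(old):
            # Identical version, different commit: the tag was moved or re-created.
            findings.append({"package": name, "type": "retagged-version",
                             "detail": f"{source_ref(old)[:12]} -> {source_ref(pkg)[:12]}"})
        elif not same_version and name.startswith(watch_prefix):
            # Legitimate upgrades happen; for the watched vendor, surface them anyway.
            findings.append({"package": name, "type": "version-changed",
                             "detail": f"{old.get('version')} -> {pkg.get('version')}"})
    return findings


if __name__ == "__main__":
    for f in diff_locks(BASELINE_LOCK, CURRENT_LOCK):
        print(f"{f['type']:<20} {f['package']:<28} {f['detail']}")
```

For a real review, load the two lock files with `json.load` instead of the inline strings and run the comparison across every application that consumes the affected vendor. The "retagged-version" finding is the one that distinguishes this campaign from an ordinary upgrade, because a moved tag leaves the version string unchanged while the recorded commit differs; treat any such hit, and any new autoload "files" entry, as grounds to rebuild vendor/ from a verified lock file and rotate the credentials the host could reach.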

Conclusion

This incident demonstrates how software supply chain compromises continue evolving beyond direct source code modification techniques. By abusing release infrastructure and package distribution mechanisms, attackers achieved broad credential theft capabilities without visibly altering application repositories. The campaign highlights the importance of dependency verification, credential hygiene, supply chain monitoring, and rapid incident response capabilities to reduce exposure to increasingly sophisticated ecosystem-level attacks.

Source

https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html