Laravel Lang packages hijacked to deploy credential-stealing malware
Recorded: May 23, 2026, 8:57 p.m.
| Original | Summarized |
Laravel Lang packages hijacked to deploy credential-stealing malware
By Lawrence Abrams, May 23, 2026

A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages.

[Figure: helpers.php payload added to the autoload section of composer.json]
[Figure: Regular expression patterns used to steal secrets. Source: BleepingComputer]
[Figure: DebugElevator executable, with the PDB path C:\Users\Mero\OneDrive\Desktop\stuff\claude\Chromium-DebugElevator\x64\Release\DebugChromium.pdb. Source: BleepingComputer]
|
A supply chain attack was executed against the Laravel Lang localization packages, leading to a sophisticated campaign that deploys credential-stealing malware. The attackers abused GitHub version tags to distribute malicious code through Composer packages. Security firms StepSecurity, Aikido Security, and Socket alerted the community to the compromise. The affected packages were laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and potentially laravel-lang/actions; these are third-party localization packages and do not belong to the official Laravel project. The attackers' method was notable because they did not publish entirely new malicious versions but instead manipulated existing GitHub tags across four repositories managed by the Laravel Lang organization. StepSecurity explained that the attackers rewrote every existing git tag in these repositories to point to commits in an attacker-controlled fork. The release tags therefore still looked legitimate, yet they directed developers to download the malicious commits when they installed the packages via Composer. The malicious releases introduced a file named src/helpers.php, which Composer loaded automatically. This injected code functioned as a dropper, downloading a secondary payload from the attacker's command and control server at flipboxstudio[.]info. The downloaded PHP payload was a cross-platform credential stealer capable of harvesting a wide array of sensitive information from Linux, macOS, and Windows systems.
The malware targeted a broad set of secrets: cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, and local environment configuration files such as .env files. The payload also carried regular expression patterns designed to extract AWS keys, GitHub tokens, Slack tokens, Stripe secrets, database credentials, JSON Web Tokens, SSH private keys, and cryptocurrency recovery phrases from files and environment variables. On Windows systems, the PHP payload additionally extracted a base64-encoded executable named DebugElevator, wrote it to the temporary folder, and launched it. This executable targets the Chrome, Brave, and Edge browsers to extract the App-Bound Encryption keys needed to decrypt stored browser credentials. Forensic analysis found that the path embedded in the malware references the Windows account name 'Mero' and a 'claude' directory, suggesting that artificial intelligence may have assisted in its development. Once the sensitive data was collected, the malware encrypted it before transmitting it to the command and control server. In response, Aikido reported the compromise to Packagist, which swiftly removed the malicious versions and temporarily delisted the affected packages to prevent further installations. Developers who used the Laravel Lang packages are strongly advised to review their installed package versions, rotate all exposed credentials, inspect their systems thoroughly for indicators of compromise, and check for any historical outbound network connections to flipboxstudio[.]info. |
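As an added example (not from the article or from the Laravel Lang project), the following Python script performs the review the advice above asks for, run against a constructed composer.lock excerpt and vendor tree: it lists the affected packages with the commit each is pinned to, flags packages that Composer autoloads a helpers.php from on every request, and searches vendor files for the flipboxstudio[.]info C2 host. The version and commit values are placeholders, not the real compromised ones.

```python
import json
import re
from pathlib import Path

# Package names and the C2 host come from the article; every other value is constructed.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}
C2_PATTERN = re.compile(r"flipboxstudio\.info", re.IGNORECASE)

# Constructed composer.lock excerpt; version and commit reference are placeholders.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "PLACEHOLDER-VERSION",
     "source": {"reference": "PLACEHOLDER-COMMIT"},
     "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src"}, "files": ["src/helpers.php"]}},
    {"name": "monolog/monolog", "version": "PLACEHOLDER-VERSION",
     "source": {"reference": "PLACEHOLDER-COMMIT"},
     "autoload": {"psr-4": {"Monolog\\": "src"}}},
]})

# Constructed vendor tree (path -> file text); the first file only mentions the C2 host.
SAMPLE_VENDOR = {
    "vendor/laravel-lang/lang/src/helpers.php": "<?php\n$host = 'flipboxstudio.info';\n",
    "vendor/monolog/monolog/src/Logger.php": "<?php\nnamespace Monolog;\n",
}

def audit_lock(lock_text: str) -> dict:
    """Report affected packages as (name, version, pinned commit) and every package whose
    autoload 'files' list loads a helpers.php on each request. Legitimate packages use
    such files too, so the second list is a review queue, not a verdict."""
    lock = json.loads(lock_text)
    findings = {"affected": [], "autoload_files": []}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        ref = (pkg.get("source") or pkg.get("dist") or {}).get("reference")
        if name in AFFECTED:
            findings["affected"].append((name, pkg.get("version"), ref))
        for entry in pkg.get("autoload", {}).get("files", []):
            if entry.endswith("helpers.php"):
                findings["autoload_files"].append((name, entry))
    return findings

def find_c2_references(files: dict) -> list:
    """Return the paths whose text mentions the C2 host (files maps path -> content)."""
    return sorted(p for p, text in files.items() if C2_PATTERN.search(text))

def scan_vendor_dir(vendor_dir: Path) -> list:
    """Run find_c2_references over every .php file under a real vendor/ directory."""
    files = {str(p): p.read_text(errors="ignore") for p in vendor_dir.rglob("*.php")}
    return find_c2_references(files)
```

A hit in the affected list means the pinned commit should be compared against the legitimate upstream repository before the package is trusted again, and any C2 match warrants credential rotation as the article advises.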