Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos
Cybersecurity NewsArchived May 23, 2026✓ Full text saved
A highly sophisticated supply chain attack has compromised the Laravel-Lang ecosystem, injecting credential-stealing remote code execution backdoors into 233 package versions across 700 GitHub repositories. Discovered in May 2026 by Socket and Aikido, threat actors manipulated GitHub tags to distribute malware through Composer’s autoloader, granting complete remote access to developer environments. The attackers bypassed direct […] The post Hackers Compromised 233 Versions of Laravel-Lang Packag
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos
By Guru Baran
May 23, 2026
A highly sophisticated supply chain attack has compromised the Laravel-Lang ecosystem, injecting credential-stealing remote code execution backdoors into 233 package versions across 700 GitHub repositories.
Discovered in May 2026 by Socket and Aikido, threat actors manipulated GitHub tags to distribute malware through Composer’s autoloader, granting complete remote access to developer environments.
The attackers bypassed direct repository commits by exploiting GitHub’s version tagging system to point legitimate tags toward a malicious fork.
When developers pulled the affected localization packages via Packagist, the malicious src/helpers.php executed automatically due to Composer’s autoload.files directive. This method effectively hid the malware from standard repository audits while inheriting full web application permissions.
The initial infection phase utilizes a stealthy dropper that masquerades as a standard Laravel localization function. It fingerprints the host system using specific hardware metrics and establishes a temporary marker file to prevent redundant executions.
Aikido observed that the payload disables SSL verification and fetches a secondary script from an obfuscated command-and-control server, launching it silently via OS-specific methods.
Payload Execution Methods
Operating System Execution Mechanism Privilege Level
Linux Background execution using exec("php ...") Application user
macOS Background execution using exec("php ...") Application user
Windows Generated .vbs script running via cscript Application user
The fetched payload is an extensive PHP credential stealer containing 15 specialized collector modules. It systematically targets sensitive developer secrets, including cloud metadata, database credentials, and environment configuration files.
After harvesting the secrets, the malware encrypts the payload using AES-256 and exfiltrates it to the attacker’s infrastructure before deleting itself to evade forensic detection.
The malware framework systematically strips the infected machine of high-value configurations and credentials:
Cloud access keys for AWS, GCP, Azure, and DigitalOcean.
Infrastructure configurations including Kubernetes profiles, Docker tokens, and HashiCorp Vault secrets.
Developer assets such as SSH private keys, Git credentials, and shell history files.
Saved browser passwords, cryptocurrency wallets, and password manager databases.
Security researchers advise immediate rotation of all application secrets, database credentials, and API keys exposed to compromised environments.
Development teams must inspect their composer.lock files to block affected Laravel-Lang packages and audit outbound network traffic for suspicious connections.
Systems running compromised packages should be entirely rebuilt from known-good images to ensure total eradication of the persistent threat.
Indicators of Compromise
Type Indicator
Domain (C2) flipboxstudio[.]info
URL (Payload Fetch) https://flipboxstudio[.]info/payload
URL (Exfiltration) https://flipboxstudio[.]info/exfil
File Path (Malicious) src/helpers.php
File Path (Infection Marker) <tmp>/.laravel_locale/<md5_hash>
File Path (Dropped Stealer) <tmp>/.laravel_locale/<12 random hex chars>.php
File Path (Windows Launcher) <tmp>/.laravel_locale/<8 random hex chars>.vbs
Artifact (Windows) DebugChromium.exe
IP Address 169.254.169.254
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks
CISA Warns of Microsoft Defender 0-Day Vulnerabilities Exploited in Attacks
Flipper Unveils New Flipper One Modular Linux Cyberdeck
Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities
Hackers Use Single-Letter Go Module Typosquat to Deploy DNS-Based Backdoor
Latest News
Cyber Security News
Hackers Abuse Middle East Telecom Networks for Large-Scale Command-and-Control Operations
Cyber Security News
World Cup Phishing Campaign Nearly Triples With 203 Unique IP Addresses
Cyber Security News
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access
Cyber Security News
Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks
Cyber Security News
Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems