
Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos

Source: Cybersecurity News




By Guru Baran, May 23, 2026

A highly sophisticated supply chain attack has compromised the Laravel-Lang ecosystem, injecting credential-stealing remote code execution backdoors into 233 package versions across 700 GitHub repositories. Discovered in May 2026 by Socket and Aikido, threat actors manipulated GitHub tags to distribute malware through Composer's autoloader, granting complete remote access to developer environments.

The attackers bypassed direct repository commits by exploiting GitHub's version tagging system to point legitimate tags toward a malicious fork. When developers pulled the affected localization packages via Packagist, the malicious src/helpers.php executed automatically due to Composer's autoload.files directive. This method effectively hid the malware from standard repository audits while inheriting full web application permissions.

The initial infection phase uses a stealthy dropper that masquerades as a standard Laravel localization function. It fingerprints the host system using specific hardware metrics and establishes a temporary marker file to prevent redundant executions. Aikido observed that the payload disables SSL verification and fetches a secondary script from an obfuscated command-and-control server, launching it silently via OS-specific methods.

Payload Execution Methods

Operating System   Execution Mechanism                           Privilege Level
Linux              Background execution using exec("php ...")    Application user
macOS              Background execution using exec("php ...")    Application user
Windows            Generated .vbs script running via cscript     Application user

The fetched payload is an extensive PHP credential stealer containing 15 specialized collector modules. It systematically targets sensitive developer secrets, including cloud metadata, database credentials, and environment configuration files.
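The autoload.files mechanism described above is what makes the lock file the right place to start an audit: Composer records, per package, the resolved version, the git reference it checked out, and the autoload files it will include on every request. The script below is an added example for this article, not code from Cybersecurity News, Socket, Aikido or the Laravel-Lang project. It parses a composer.lock and reports every laravel-lang/ package with its resolved reference (since tags were repointed at a fork, the version string alone proves nothing) and every package, from any vendor, whose autoload "files" list names src/helpers.php. The sample lock embedded in it is constructed for the demo; its package names, versions, references and URLs are illustrative placeholders, not real affected versions.

```python
"""Audit a composer.lock for Laravel-Lang packages and autoload.files hooks.

Added example; not the article's or the Laravel-Lang project's own code.
Findings are a list of dicts so they can be fed to a ticket or a SIEM.
"""
import json

SUSPECT_FILE = "src/helpers.php"      # path named as malicious in the report
VENDOR_PREFIX = "laravel-lang/"       # vendor namespace affected


def _normalise(path):
    """Compare autoload paths on a common form: forward slashes, no leading ./"""
    path = path.replace("\\", "/")
    while path.startswith("./"):
        path = path[2:]
    return path


def iter_packages(lock):
    """Yield (section, package) for both runtime and dev dependencies."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            yield section, pkg


def audit_lock(lock_text):
    """Return a list of findings; an empty list means nothing to review."""
    lock = json.loads(lock_text)
    findings = []
    for section, pkg in iter_packages(lock):
        name = pkg.get("name", "")
        files = [_normalise(f) for f in pkg.get("autoload", {}).get("files", [])]
        reasons = []
        if name.startswith(VENDOR_PREFIX):
            reasons.append("laravel-lang package: verify the resolved reference against upstream")
        if SUSPECT_FILE in files:
            reasons.append("autoload.files includes src/helpers.php (included on every request)")
        if reasons:
            findings.append({
                "name": name,
                "section": section,
                "version": pkg.get("version"),
                "reference": pkg.get("source", {}).get("reference"),
                "dist_url": pkg.get("dist", {}).get("url"),
                "autoload_files": files,
                "reasons": reasons,
            })
    return findings


def format_report(findings):
    """Human-readable summary, one package per block."""
    lines = []
    for f in findings:
        lines.append(f"{f['name']} {f['version']} ({f['section']}) ref={f['reference']}")
        for r in f["reasons"]:
            lines.append(f"    - {r}")
    return "\n".join(lines)


# Constructed sample lock: placeholder names, versions, references and URLs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "laravel-lang/common",
            "version": "0.0.0-example",
            "source": {"type": "git", "reference": "0000000000000000000000000000000000000000"},
            "dist": {"type": "zip", "url": "https://example.invalid/common.zip"},
            "autoload": {"psr-4": {"LaravelLang\\Common\\": "src/"}, "files": ["./src/helpers.php"]},
        },
        {
            "name": "laravel-lang/lang",
            "version": "0.0.0-example",
            "source": {"type": "git", "reference": "1111111111111111111111111111111111111111"},
            "dist": {"type": "zip", "url": "https://example.invalid/lang.zip"},
            "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}},
        },
        {
            "name": "monolog/monolog",
            "version": "0.0.0-example",
            "source": {"type": "git", "reference": "2222222222222222222222222222222222222222"},
            "dist": {"type": "zip", "url": "https://example.invalid/monolog.zip"},
            "autoload": {"psr-4": {"Monolog\\": "src/Monolog"}},
        },
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(format_report(audit_lock(text)) or "no findings")
```

Run it with a real lock file as the first argument; with no argument it audits the embedded sample. A laravel-lang package is reported even when its autoload list is clean, because the report's point is that the tag, not the file list, was the thing tampered with: the resolved reference has to be compared with the upstream repository before the package is trusted.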
After harvesting the secrets, the malware encrypts the payload using AES-256 and exfiltrates it to the attacker's infrastructure before deleting itself to evade forensic detection. The malware framework systematically strips the infected machine of high-value configurations and credentials:

- Cloud access keys for AWS, GCP, Azure, and DigitalOcean.
- Infrastructure configurations including Kubernetes profiles, Docker tokens, and HashiCorp Vault secrets.
- Developer assets such as SSH private keys, Git credentials, and shell history files.
- Saved browser passwords, cryptocurrency wallets, and password manager databases.

Security researchers advise immediate rotation of all application secrets, database credentials, and API keys exposed to compromised environments. Development teams must inspect their composer.lock files to block affected Laravel-Lang packages and audit outbound network traffic for suspicious connections. Systems running compromised packages should be entirely rebuilt from known-good images to ensure total eradication of the persistent threat.

Indicators of Compromise

Type                          Indicator
Domain (C2)                   flipboxstudio[.]info
URL (Payload Fetch)           https://flipboxstudio[.]info/payload
URL (Exfiltration)            https://flipboxstudio[.]info/exfil
File Path (Malicious)         src/helpers.php
File Path (Infection Marker)  <tmp>/.laravel_locale/<md5_hash>
File Path (Dropped Stealer)   <tmp>/.laravel_locale/<12 random hex chars>.php
File Path (Windows Launcher)  <tmp>/.laravel_locale/<8 random hex chars>.vbs
Artifact (Windows)            DebugChromium.exe
IP Address                    169.254.169.254

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
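The indicators above are only useful once they are turned into checks. The script below is an added example for this article, not code from the report's authors: it matches the table's file-path shapes against a file listing and the C2 domain and metadata IP against proxy log lines. Indicators are stored defanged exactly as printed and refanged only inside the matching function, so the file is as safe to share as the table. The marker, stealer and launcher entries are matched by the shape the report gives (32, 12 and 8 hex characters under .laravel_locale in a temp directory) rather than by exact names, since those are random per host. The metadata IP gets a "review" label rather than a verdict: the stealer queries it for cloud credentials, but cloud SDKs on the same host query it legitimately, so a request from a PHP worker is the signal, not the address itself. The log lines and paths embedded in it are constructed samples.

```python
"""Match the article's IoCs against constructed log lines and file paths.

Added example; not code from Cybersecurity News, Socket or Aikido.
"""
import re

C2_DOMAIN_DEFANGED = "flipboxstudio[.]info"   # kept defanged, as in the report
METADATA_IP = "169.254.169.254"               # cloud metadata endpoint


def refang(indicator):
    """Turn the printed, defanged form back into the literal to match on."""
    return indicator.replace("[.]", ".")


# Path shapes from the IoC table; [\\/] accepts both path separators.
PATH_PATTERNS = [
    ("infection marker", re.compile(r"[\\/]\.laravel_locale[\\/][0-9a-f]{32}$")),
    ("dropped stealer", re.compile(r"[\\/]\.laravel_locale[\\/][0-9a-f]{12}\.php$")),
    ("windows launcher", re.compile(r"[\\/]\.laravel_locale[\\/][0-9a-f]{8}\.vbs$")),
    ("windows artifact", re.compile(r"[\\/]DebugChromium\.exe$", re.IGNORECASE)),
]


def scan_paths(paths):
    """Return (label, path) for each path matching one of the IoC shapes."""
    hits = []
    for path in paths:
        for label, pattern in PATH_PATTERNS:
            if pattern.search(path):
                hits.append((label, path))
                break
    return hits


def scan_log_lines(lines):
    """Return (label, line) for lines naming the C2 domain or the metadata IP."""
    c2 = refang(C2_DOMAIN_DEFANGED)
    hits = []
    for line in lines:
        if c2 in line:
            hits.append(("c2 contact", line))
        elif METADATA_IP in line:
            # Not a verdict: legitimate SDKs use this address; check the caller.
            hits.append(("metadata endpoint, review caller", line))
    return hits


# Constructed samples. The C2 hostname in the log is built from the defanged
# constant so the source never contains it in resolvable form.
SAMPLE_PATHS = [
    "/tmp/.laravel_locale/0123456789abcdef0123456789abcdef",
    "/tmp/.laravel_locale/0123456789ab.php",
    "/tmp/.laravel_locale/notes.txt",
    "C:\\Users\\dev\\AppData\\Local\\Temp\\.laravel_locale\\0123abcd.vbs",
    "C:\\Users\\dev\\AppData\\Local\\Temp\\DebugChromium.exe",
]
SAMPLE_LOG = [
    f"2026-05-23T10:01:02Z app-web-1 www-data CONNECT {refang(C2_DOMAIN_DEFANGED)}:443",
    f"2026-05-23T10:01:03Z app-web-1 www-data GET http://{METADATA_IP}/latest/meta-data/",
    "2026-05-23T10:01:04Z app-web-1 www-data GET https://repo.packagist.org/packages.json",
]

if __name__ == "__main__":
    for label, item in scan_paths(SAMPLE_PATHS) + scan_log_lines(SAMPLE_LOG):
        print(f"[{label}] {item}")
```

To use it on a real host, feed scan_paths() the output of a recursive listing of the temp directory and scan_log_lines() the egress proxy or firewall log for the application hosts; the marker and stealer files self-delete, so the log side will usually outlive the filesystem side.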