Laravel-Lang Supply Chain Attack Deploys Credential Stealer
Attackers compromised 700+ versions of Laravel-Lang PHP packages via tag poisoning, deploying a sophisticated stealer targeting cloud credentials, crypto wallets, and browser data. Packagist pulled affected versions.
A supply chain attack targeting the Laravel-Lang ecosystem has compromised over 700 package versions across four popular PHP packages used for Laravel localization. The malicious code deploys a credential-stealing framework that exfiltrates cloud provider tokens, cryptocurrency wallets, browser data, and CI/CD secrets.
Packagist, the primary PHP package repository, has removed the affected versions. Organizations using these packages should audit their dependency trees and assume credential compromise if any malicious version was installed.
Attack Scope and Timeline
Security researchers at Aikido detected the compromise on May 22-23, 2026, after noticing tags being published in rapid succession—many appearing just seconds apart. The automated pattern suggested tooling rather than manual publishing.
Four packages within the Laravel-Lang organization were poisoned:
- laravel-lang/lang
- laravel-lang/http-statuses
- laravel-lang/attributes
- laravel-lang/actions
Over 700 malicious versions were published across these packages. The attacker exploited GitHub's tag reference system—rather than committing malicious code to the main repositories, they created tags pointing to commits in a fork under their control. This bypassed normal code review processes entirely.
How the Malware Operates
The payload embeds in a file named src/helpers.php that executes automatically via Composer's autoload feature. On every PHP request, the malicious code runs before the application itself.
The stealer generates a unique fingerprint for each host to ensure it executes only once per machine, avoiding detection through repeated network activity. After fingerprinting, it contacts flipboxstudio[.]info to retrieve the actual payload—a 5,900-line PHP credential harvester organized into fifteen specialized collector modules.
Once data collection completes, the stealer encrypts everything with AES-256 before exfiltrating to flipboxstudio[.]info/exfil. The malware then deletes itself to reduce forensic evidence.
Targeted Credentials
The stealer casts a wide net across developer environments:
Cloud Providers:
- AWS access keys, secret keys, and session tokens
- Google Cloud Platform credentials
- Microsoft Azure authentication data
- Kubernetes configuration files and service account tokens
Developer Tools:
- GitHub, GitLab, and CircleCI pipeline credentials
- Docker configuration with registry authentication
- SSH private keys from standard locations
- Git configuration files potentially containing tokens
Browser and Application Data:
- Saved passwords from 17 Chromium-based browsers including Chrome, Edge, Brave, and Vivaldi
- Browser cookies and session tokens
- Password manager databases
Configuration Files:
- All .env files found recursively in project directories
- docker-compose.yml files
- Database connection strings
Connection to Broader Campaign
This attack follows a pattern we've seen escalating throughout 2026. The Shai-Hulud npm malware campaign used similar techniques targeting Node.js developers, and the TanStack supply chain compromise that preceded the Grafana breach demonstrated how package repository attacks translate into downstream infrastructure compromise.
PHP's Composer ecosystem hadn't seen this level of coordinated attack before. The Laravel-Lang packages, while not core Laravel dependencies, enjoy widespread adoption among Laravel developers needing internationalization support.
Remediation Steps
- Check your composer.lock for any of the four affected packages and their version numbers
- Rotate all credentials if a malicious version was ever installed, including:
  - Cloud provider API keys (AWS, GCP, Azure)
  - GitHub/GitLab personal access tokens
  - CI/CD pipeline secrets
  - SSH keys that may have been present on affected systems
- Update to clean versions once Packagist restores verified releases
- Review access logs on cloud platforms for unauthorized API usage
- Check cryptocurrency wallets for unauthorized transfers if crypto tooling was present
For teams unsure whether they pulled a compromised version, Composer's cache directory may retain evidence. Check ~/.composer/cache/files/ for the affected package names.
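The following audit script is an added example, not code from the article or from the Laravel-Lang project. It implements the remediation checks above and the autoload mechanism described under "How the Malware Operates": it reads composer.lock for the four affected package names, inspects each package's vendor directory for src/helpers.php, tests whether that file references the flipboxstudio[.]info exfiltration domain, and checks whether the package's composer.json wires the file into Composer's autoload "files" list (the assumed vector for "executes automatically via Composer's autoload feature"). It also walks a Composer files cache directory for the affected package names. The project tree it scans in the demo is constructed inline; version strings such as 0.0.0-constructed are placeholders, since the article does not list the malicious version numbers.

```python
"""Audit a Composer project for the four Laravel-Lang packages named in the advisory."""
import json
import os
import tempfile

# The four poisoned packages from the advisory.
AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
# Exfiltration domain from the advisory's IoC list (defanged there as flipboxstudio[.]info).
IOC_DOMAIN = "flipboxstudio.info"
# File path the advisory names as the carrier of the payload.
MALICIOUS_FILE = "src/helpers.php"


def affected_in_lock(lock_text):
    """Return {package: version} for affected packages in composer.lock (both sections)."""
    data = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") in AFFECTED_PACKAGES:
                found[pkg["name"]] = pkg.get("version", "unknown")
    return found


def references_ioc(php_source):
    """True if the PHP source mentions the exfiltration domain, plain or defanged."""
    text = php_source.lower()
    return IOC_DOMAIN in text or IOC_DOMAIN.replace(".", "[.]") in text


def autoload_files(composer_json_text):
    """Files Composer includes on every request via the autoload 'files' key (assumed vector)."""
    data = json.loads(composer_json_text)
    return [f.replace("\\", "/") for f in data.get("autoload", {}).get("files", [])]


def cached_affected(cache_dir):
    """Paths under a Composer files cache whose directory starts with an affected package name."""
    hits = []
    for dirpath, _dirs, files in os.walk(cache_dir):
        rel = os.path.relpath(dirpath, cache_dir).replace(os.sep, "/")
        if any(rel.startswith(p) for p in AFFECTED_PACKAGES):
            hits.extend(os.path.join(dirpath, f) for f in files)
    return sorted(hits)


def scan_project(root):
    """Check each affected package in <root>/composer.lock against its vendor/ directory."""
    with open(os.path.join(root, "composer.lock"), encoding="utf-8") as fh:
        installed = affected_in_lock(fh.read())
    report = {}
    for name, version in installed.items():
        pkg_dir = os.path.join(root, "vendor", *name.split("/"))
        entry = {"version": version, "helpers_present": False,
                 "ioc_reference": False, "autoloaded": False}
        helpers = os.path.join(pkg_dir, *MALICIOUS_FILE.split("/"))
        if os.path.isfile(helpers):
            entry["helpers_present"] = True
            with open(helpers, encoding="utf-8", errors="replace") as fh:
                entry["ioc_reference"] = references_ioc(fh.read())
        cj = os.path.join(pkg_dir, "composer.json")
        if os.path.isfile(cj):
            with open(cj, encoding="utf-8") as fh:
                entry["autoloaded"] = MALICIOUS_FILE in autoload_files(fh.read())
        report[name] = entry
    return report


def build_demo_project(root):
    """Constructed fixture: one affected package wired through autoload.files, one affected
    package without the file, one unrelated package, and a cache entry for laravel-lang/lang."""
    lock = {"packages": [
        {"name": "laravel-lang/lang", "version": "0.0.0-constructed"},
        {"name": "laravel-lang/attributes", "version": "0.0.0-constructed"},
        {"name": "example/unrelated", "version": "1.0.0"}], "packages-dev": []}
    with open(os.path.join(root, "composer.lock"), "w", encoding="utf-8") as fh:
        json.dump(lock, fh)
    lang = os.path.join(root, "vendor", "laravel-lang", "lang")
    os.makedirs(os.path.join(lang, "src"))
    with open(os.path.join(lang, "src", "helpers.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// constructed fixture: a string naming the IoC domain, nothing else\n"
                 "$c2 = 'https://flipboxstudio.info/';\n")
    with open(os.path.join(lang, "composer.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "laravel-lang/lang", "autoload": {"files": ["src/helpers.php"]}}, fh)
    os.makedirs(os.path.join(root, "vendor", "laravel-lang", "attributes"))
    cache = os.path.join(root, "cache", "files", "laravel-lang", "lang")
    os.makedirs(cache)
    open(os.path.join(cache, "constructed.zip"), "w").close()


def run_demo():
    """Build the constructed project in a temp dir; return the vendor report and cache hit count."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_project(root)
        hits = cached_affected(os.path.join(root, "cache", "files"))
        return {"report": scan_project(root), "cache_hits": len(hits)}


if __name__ == "__main__":
    demo = run_demo()
    for pkg, entry in demo["report"].items():
        flag = "ALERT" if entry["ioc_reference"] or entry["autoloaded"] else "review"
        print(f"{flag}: {pkg} {entry['version']} {entry}")
    print(f"cache entries for affected packages: {demo['cache_hits']}")
```

Against a real project, call scan_project on the project root and cached_affected on the files cache named in the article (~/.composer/cache/files/), then compare the reported versions with the list Packagist removed. A "review" result only means the package is installed; an "ALERT" means the named file is present, references the exfiltration domain, or is loaded on every request, and the host should be treated as compromised per the credential-rotation guidance above.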
Indicators of Compromise
Exfiltration domain: flipboxstudio[.]info
Malicious file path: src/helpers.php (in affected packages)
Organizations should block the exfiltration domain at the network level and search logs for any prior connections. The domain's registration details and infrastructure suggest a connection to previous Composer-targeting campaigns, though attribution remains uncertain.
The Laravel-Lang maintainers are working with Packagist to restore legitimate versions and implement additional publishing safeguards. In the meantime, organizations can pin dependencies to specific commit hashes rather than version tags to avoid future tag-rewriting attacks.
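The composer.json fragment below is an added example of the commit pinning recommended above; it is not from the article or from the Laravel-Lang project. It uses Composer's `dev-<branch>#<commit>` constraint syntax, which resolves the package from source at the named commit instead of trusting a tag. The branch name and commit hash are placeholders: the hash must be one you have verified in the upstream repository itself, not in a fork, because the attack described here worked precisely by pointing tags at fork commits.

```json
{
  "require": {
    "laravel-lang/lang": "dev-main#REPLACE_WITH_VERIFIED_UPSTREAM_COMMIT_SHA"
  },
  "config": {
    "preferred-install": {
      "laravel-lang/*": "source"
    }
  }
}
```

The `preferred-install` setting makes Composer clone the source repository for these packages rather than download a dist archive, so the checked-out tree is the commit you named. Commit pinning trades automatic updates for a fixed, auditable tree, so plan to move back to reviewed tagged releases once Packagist has restored verified versions and the maintainers' new publishing safeguards are in place.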