Malicious Laravel Packages Deploy Cross-Platform RAT via Packagist
Summary
Malicious PHP packages on Packagist, disguised as Laravel utilities, deploy a cross-platform remote access trojan (RAT) affecting Windows, macOS, and Linux systems. The packages 'nhattuanbl/lara-helper' and 'nhattuanbl/simple-queue' contain obfuscated PHP code that connects to a C2 server, enabling full remote access to compromised hosts. The RAT supports various commands, including system reconnaissance, shell execution, and file operations. The packages remain available for download, and users are advised to assume compromise, remove the packages, and audit their systems.
Timeline
- 04.03.2026 11:37
Malicious Laravel Packages Deploy Cross-Platform RAT via Packagist
Cybersecurity researchers have identified malicious PHP packages on Packagist that deploy a cross-platform RAT affecting Windows, macOS, and Linux systems. The packages 'nhattuanbl/lara-helper' and 'nhattuanbl/simple-queue' contain obfuscated PHP code that connects to a C2 server, enabling full remote access to compromised hosts. The RAT supports various commands, including system reconnaissance, shell execution, and file operations. The packages remain available for download, and users are advised to assume compromise, remove the packages, and audit their systems.
- Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux — thehackernews.com — 04.03.2026 11:37
Information Snippets
- The malicious packages are 'nhattuanbl/lara-helper' (37 downloads), 'nhattuanbl/simple-queue' (29 downloads), and 'nhattuanbl/lara-swagger' (49 downloads).
  First reported: 04.03.2026 11:37 (1 source, 1 article)
- 'nhattuanbl/lara-swagger' lists 'nhattuanbl/lara-helper' as a dependency, so installing it also installs the RAT.
- The RAT uses control flow obfuscation, encoded domain names, and randomized identifiers to evade detection.
- The RAT connects to a C2 server at helper.leuleu[.]net:2096 and supports commands like 'ping', 'info', 'cmd', 'powershell', 'run', 'screenshot', 'download', 'upload', and 'stop'.
- The RAT is resilient to common PHP hardening configurations: it probes disable_functions and uses whichever shell execution methods remain available.
- The C2 server is currently non-responsive, but the RAT retries the connection every 15 seconds.
- The threat actor has published three clean libraries ('nhattuanbl/lara-media', 'nhattuanbl/snooze', 'nhattuanbl/syslog') to build credibility.
- The RAT runs in the same process as the web application, granting full remote shell access and the ability to read and write arbitrary files.
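One way to act on the audit advice and the 'nhattuanbl/lara-swagger' dependency chain described above, as an added example that is not part of the original report: a check of a project's composer.lock for the three named packages that also reports which locked package pulled each one in. The function name `audit_lock` and the sample lock file are constructed for illustration.

```python
import json
import sys

# Names from the page: lara-helper and simple-queue carry the RAT,
# and lara-swagger installs lara-helper as a dependency.
FLAGGED = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue",
           "nhattuanbl/lara-swagger"}

def audit_lock(lock_text):
    """Return one finding per flagged package locked in composer.lock."""
    lock = json.loads(lock_text)
    entries = [(section, pkg)
               for section in ("packages", "packages-dev")
               for pkg in lock.get(section) or []]
    findings = []
    for section, pkg in entries:
        name = pkg.get("name", "").lower()
        if name not in FLAGGED:
            continue
        # Locked packages that require this one: shows a transitive install.
        parents = sorted(
            other.get("name", "?") for _, other in entries
            if name in {dep.lower() for dep in other.get("require") or {}})
        findings.append({"package": name, "version": pkg.get("version"),
                         "section": section, "required_by": parents})
    return sorted(findings, key=lambda f: f["package"])

# Constructed sample lock file; version strings are placeholders.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v0.0.0-sample"},
        {"name": "nhattuanbl/lara-swagger", "version": "v0.0.0-sample",
         "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "version": "v0.0.0-sample"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # Usage: python audit_lock.py path/to/composer.lock (sample if omitted)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = audit_lock(text)
    for hit in hits:
        via = ", ".join(hit["required_by"]) or "the project's composer.json"
        print(f'{hit["package"]} {hit["version"]} ({hit["section"]}), required by: {via}')
    sys.exit(1 if hits else 0)
```

The non-zero exit status on a hit lets the check fail a CI job; a clean lock file does not clear a host where one of the packages was installed earlier.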