Packagist Laravel utility packages delivering a cross-platform RAT

Malware Activity
H score 16
1 unique sources, 1 articles

Summary

Malicious Packagist PHP packages posing as Laravel utilities are delivering a cross-platform RAT that can run on Windows, macOS, and Linux. The payload uses persistent C2 retries and application boot or autoload execution paths, which makes any installation of the affected packages a serious compromise risk.

Related Happenings

Laravel-Lang PHP package supply-chain credential-stealing campaign

Campaign
First: 23.05.2026 12:51 Last: 23.05.2026 12:51 Sources 1

About this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...

Axios package cross-platform RAT delivery

Malware Activity
First: 31.03.2026 16:53 Last: 31.03.2026 16:53 Sources 1

About this happening: A **malicious Axios package payload** now delivers a **remote access trojan** to **Windows, macOS, and Linux** hosts, creating cross-platform compromise risk. The infection begins...

GhostLoader staged npm install payload activity

Malware Activity
First: 24.03.2026 14:00 Last: 24.03.2026 14:00 Sources 1

About this happening: **GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...

Npm package ecosystem CanisterWorm exploitation wave

Exploitation Wave
First: 23.03.2026 10:31 Last: 23.03.2026 10:31 Sources 1

About this happening: Attackers expanded the **Trivy** compromise into a **self-propagating CanisterWorm** wave that hit **dozens of npm packages**, creating broad downstream supply-chain risk. The abu...

CanisterWorm self-propagation across npm packages

Malware Activity
First: 21.03.2026 09:28 Last: 21.03.2026 09:28 Sources 1

About this happening: A **self-propagating npm supply-chain worm** tracked as **CanisterSprawl** is abusing **stolen developer npm tokens** to spread through compromised packages. **Socket** and **Step...

Timeline

  1. 04.03.2026 11:37 2 articles · 2mo ago

    Malicious Packagist Laravel utility packages deliver cross-platform RAT

    Initial Disclosure

    Malicious Packagist PHP packages masquerading as Laravel utilities deliver a cross-platform RAT for Windows, macOS, and Linux. The packages are nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger; nhattuanbl/lara-swagger depends on nhattuanbl/lara-helper. The payload in src/helper.php uses control flow obfuscation, encoded domain names, and randomized identifiers. It uses PHP's stream_socket_client() to connect to helper.leuleu[.]net:2096, sends system reconnaissance data, retries every 15 seconds, and supports commands for shell execution, PowerShell, screenshots, file download, and file upload. Any Laravel application that installed lara-helper or simple-queue is exposed to persistent remote access and should assume compromise and rotate accessible secrets.
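
A defender-side check for the package names listed above, as an added example that is not from the original report: it scans a composer.lock for the three flagged packages, including locked packages that pull one in through `require`. The sample lock file and its version strings are constructed placeholders, and `audit_composer_lock` is a hypothetical helper name.

```python
import json

# Package names this page reports as malicious.
FLAGGED = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}

def audit_composer_lock(lock_text):
    """Return (package, version, section, pulled_in_by) tuples for flagged packages.

    pulled_in_by is None for a directly locked package, otherwise the name of
    the locked package whose "require" map references the flagged one.
    """
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = str(pkg.get("name", "")).lower()
            if name in FLAGGED:
                findings.append((name, pkg.get("version"), section, None))
            # A flagged name in "require" shows how the package entered the tree.
            for dep in pkg.get("require") or {}:
                if dep.lower() in FLAGGED:
                    findings.append((dep.lower(), None, section, name))
    return findings

# Constructed sample lock file; versions are placeholders, not real releases.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "0.0.0-example",
         "require": {"php": "^8.2"}},
        {"name": "nhattuanbl/lara-swagger", "version": "0.0.0-example",
         "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "version": "0.0.0-example"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for package, version, section, via in audit_composer_lock(SAMPLE_LOCK):
        origin = f"required by {via}" if via else f"locked at {version}"
        print(f"[!] {package} ({section}): {origin}")
```

Run it against every composer.lock in a repository or build cache, not only the application root, since a flagged package can be locked in a sub-project.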