Compromise of Laravel-Lang PHP Packages Results in Cross-Platform Credential Stealer Deployment via Supply Chain Attack
Summary
A coordinated supply chain compromise has affected multiple Laravel-Lang PHP packages—including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions—resulting in the delivery of a multi-platform credential-stealing framework. The attack involved over 700 compromised package versions published within seconds of each other on May 22–23, 2026, suggesting automated mass tagging after likely compromise of organization-level credentials or release infrastructure. A malicious backdoor embedded in src/helpers.php executes automatically via Composer’s autoload.files mechanism on every PHP request in infected applications. The dropper retrieves a PHP-based cross-platform payload from flipboxstudio.info, which deploys platform-specific stealers: a Visual Basic Script on Windows (executed via cscript), and shell execution on Linux/macOS. The malware performs extensive credential harvesting across cloud providers, CI/CD systems, version control, cryptocurrency wallets, browsers, password managers, VPNs, and application tokens (e.g., Discord, Slack, Outlook, FileZilla), before exfiltrating encrypted data to flipboxstudio.info and self-deleting.
Timeline
- 23.05.2026 12:51 (1 article): Laravel-Lang PHP Package Supply Chain Compromise Delivers Cross-Platform Credential Stealer
  Multiple Laravel-Lang PHP packages were compromised and republished with malicious backdoors on May 22–23, 2026. The attack resulted in automatic execution of a multi-platform credential stealer via Composer autoload. The dropper retrieved a PHP-based payload from flipboxstudio.info that exfiltrates credentials from cloud providers, CI/CD systems, cryptocurrency wallets, browsers, password managers, VPNs, and application tokens before self-deleting.
  Source: Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer — thehackernews.com — 23.05.2026 12:51
Information Snippets
- Compromised Laravel-Lang packages: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions.
  First reported: 23.05.2026 12:51 (1 source, 1 article): Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer — thehackernews.com — 23.05.2026 12:51
- Over 700 package versions were republished across May 22–23, 2026, with versions often appearing seconds apart, indicating automated mass tagging.
- The attacker likely gained access to organization-level credentials, repository automation, or release infrastructure to carry out the supply chain compromise.
- The malicious payload was delivered via src/helpers.php embedded in version tags and registered in composer.json under autoload.files, ensuring automatic execution on every PHP request.
- The dropper contacts the C2 domain flipboxstudio.info to fetch a cross-platform PHP credential stealer (~5,900 lines) containing 15 collector modules.
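As an added defender-side triage aid for the two snippets above (the autoload.files backdoor and the flipboxstudio.info C2 domain), not code from the page or the Laravel-Lang project: this Python script parses a composer.lock or vendor/composer/installed.json, flags laravel-lang/* packages that register autoload.files entries, and lists vendor PHP files that mention the C2 domain. The sample lock data and its version strings are constructed placeholders; a flagged package is a lead for manual review, not proof of compromise.

```python
import json
import sys
from pathlib import Path

# Packages the advisory names as having received malicious version tags.
AFFECTED_PACKAGES = {"laravel-lang/lang", "laravel-lang/http-statuses",
                     "laravel-lang/attributes", "laravel-lang/actions"}
C2_DOMAIN = "flipboxstudio.info"  # C2 domain named in the advisory

def find_suspicious_packages(lock_data):
    """(name, version, autoload files) for laravel-lang/* packages that register
    autoload.files entries, and for the four named packages regardless.
    lock_data is parsed composer.lock or vendor/composer/installed.json."""
    findings = []
    for pkg in lock_data.get("packages", []) + lock_data.get("packages-dev", []):
        name = pkg.get("name", "")
        if not name.startswith("laravel-lang/"):
            continue
        files = list(pkg.get("autoload", {}).get("files", []))
        if files or name in AFFECTED_PACKAGES:
            findings.append((name, pkg.get("version", "?"), files))
    return findings

def references_c2(source_text):
    """True if PHP source text mentions the advisory's C2 domain."""
    return C2_DOMAIN in source_text

def scan_vendor_for_c2(vendor_dir):
    """Paths of vendor PHP files that reference the C2 domain ([] if none)."""
    root = Path(vendor_dir)
    if not root.is_dir():
        return []
    return [str(p) for p in root.rglob("*.php")
            if references_c2(p.read_text(errors="ignore"))]

# Constructed sample lock data; version strings are placeholders, not real tags.
SAMPLE_LOCK = {"packages": [
    {"name": "laravel-lang/lang", "version": "0.0.0-constructed",
     "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}, "files": ["src/helpers.php"]}},
    {"name": "laravel/framework", "version": "0.0.0-constructed",
     "autoload": {"psr-4": {"Illuminate\\": "src/Illuminate/"}}},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, files in find_suspicious_packages(data):
        print(f"REVIEW {name} {version} autoload.files={files}")
    for hit in scan_vendor_for_c2(sys.argv[2] if len(sys.argv) > 2 else "vendor"):
        print(f"C2 REFERENCE {hit}")
```

Run it as `python audit.py composer.lock vendor` inside the application root; with no arguments it runs against the constructed sample.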
- The Windows payload is delivered as a VBScript launcher executed via cscript; the Linux/macOS payload is executed via exec().
- The malware generates a unique per-host marker (an MD5 hash derived from the directory path, architecture, and inode) to ensure a single execution per machine and evade detection.
- Collected data includes IAM roles, cloud access tokens (AWS, GCP, Azure), CI/CD tokens (Jenkins, GitLab, GitHub Actions), cryptocurrency wallet seeds, browser cookies and history, password manager vaults, VPN configurations, RDP files, and application session tokens.
- Exfiltrated data is encrypted with AES-256 and sent to flipboxstudio.info/exfil; the malware then deletes itself from disk to hinder forensic analysis.