
Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary


A malicious Composer payload in Laravel Lang packages now threatens Linux, macOS, and Windows developers with credential theft. The injected `src/helpers.php` dropper fetches a second-stage stealer from flipboxstudio[.]info and can pull cloud, Git, CI/CD, browser, wallet, and VPN secrets. The attack also hid behind rewritten GitHub tags, making installs look like legitimate releases.

Related Happenings

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

How related: Security firms StepSecurity, Aikido Security, and Socket warned about the compromise on Friday, saying that attackers had rewritten GitHub tags across four repositories maintained by the Laravel Lang organization rather than publishing entirely new malicious versions.

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Packagist package.json hook supply chain attack campaign

Campaign
First: 23.05.2026 19:07 Last: 23.05.2026 19:07 Sources 1

About this happening: A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...

Laravel-Lang PHP package supply-chain credential-stealing campaign

Campaign
First: 23.05.2026 12:51 Last: 23.05.2026 12:51 Sources 1

How related: "Rather than publishing a new malicious version, the attacker rewrote every existing git tag in each repository to point at a new malicious commit," explained StepSecurity.

About this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...

Megalodon GitHub CI/CD supply-chain campaign

Campaign
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

Actions-cool/issues-helper hit by network compromise

Incident
First: 19.05.2026 08:28 Last: 19.05.2026 08:28 Sources 1

About this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....

Timeline

  1. 23.05.2026 23:48 2 articles · 4d ago

    Laravel Lang package compromise disclosed

    Initial Disclosure

    Security firms StepSecurity, Aikido Security, and Socket warned that attackers rewrote GitHub tags across `laravel-lang/lang`, `laravel-lang/http-statuses`, `laravel-lang/attributes`, and possibly `laravel-lang/actions` to redirect Composer installs to malicious commits. The injected `src/helpers.php` file loaded a dropper that fetched a second-stage credential stealer from flipboxstudio[.]info. Packagist removed the malicious versions and temporarily unlisted the affected packages.
