Find notable cyber news and cases, enriched with sources, timelines, and signals.

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

A malicious Composer payload in Laravel Lang packages now threatens Linux, macOS, and Windows developers with credential theft. The injected `src/helpers.php` dropper fetches a second-stage stealer from flipboxstudio[.]info and can pull cloud, Git, CI/CD, browser, wallet, and VPN secrets. The attack also hid behind rewritten GitHub tags, making installs look like legitimate releases.

Related Happenings

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

Laravel Lang organization hit by network compromise

Incident
H score14 First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

How related: Security firms StepSecurity, Aikido Security, and Socket warned about the compromise on Friday, warning that attackers had rewritten GitHub tags across four repositories maintained by the Laravel Lang organization rather than publishing entirely new malicious versions.

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Packagist package.json hook supply chain attack campaign

Campaign
H score39 First: 23.05.2026 19:07 Last: 23.05.2026 19:07 Sources 1

About this happening: A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...

Laravel-Lang PHP package supply-chain credential-stealing campaign

Campaign
H score47 First: 23.05.2026 12:51 Last: 23.05.2026 12:51 Sources 1

How related: "Rather than publishing a new malicious version, the attacker rewrote every existing git tag in each repository to point at a new malicious commit," explained StepSecurity.

About this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...

Megalodon GitHub CI/CD supply-chain campaign

Campaign
H score50 First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

Timeline

  1. 23.05.2026 23:48 2 articles · 1mo ago

    Laravel Lang package compromise disclosed

    Initial Disclosure

    Security firms StepSecurity, Aikido Security, and Socket warned that attackers rewrote GitHub tags across laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions to redirect Composer installs to malicious commits. The injected src/helpers.php file loaded a dropper that fetched a second-stage credential stealer from flipboxstudio[.]info, and Packagist removed the malicious versions and temporarily unlisted the affected packages.

    Show sources