Laravel Lang organization hit by network compromise
Incident
Summary
Hide ▲
Show ▼
The Laravel Lang organization suffered a repository compromise that let attackers rewrite GitHub tags and ship malicious code through Composer installs. The affected packages included laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions. Security researchers said 233 versions across three repositories were compromised, with about 700 historical versions potentially affected. The tag rewrites turned seemingly legitimate releases into a supply-chain risk for developers.
Related Happenings
Microsoft hit by cyberattack
Incident
H score68
First: 09.06.2026 18:42
Last: 09.06.2026 18:42
Sources 1
About this happening:
A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Microsoft hit by cyberattack
IncidentAbout this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
Campaign
H score83
First: 06.06.2026 09:58
Last: 06.06.2026 09:58
Sources 1
About this happening:
The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
CampaignAbout this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Miasma GitHub and npm supply-chain campaign
Campaign
H score26
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources 1
About this happening:
The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Miasma GitHub and npm supply-chain campaign
CampaignAbout this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Latest development: 05.06.2026 21:05
A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
H score22
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
How related:
The downloaded PHP payload [VirusTotal] was a large cross-platform credential stealer for Linux, macOS, and Windows that harvests cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local `.env` configuration files.
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware ActivityHow related: The downloaded PHP payload [VirusTotal] was a large cross-platform credential stealer for Linux, macOS, and Windows that harvests cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local `.env` configuration files.
About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Packagist package.json hook supply chain attack campaign
Campaign
H score39
First: 23.05.2026 19:07
Last: 23.05.2026 19:07
Sources 1
About this happening:
A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Packagist package.json hook supply chain attack campaign
CampaignAbout this happening: A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Timeline
-
23.05.2026 23:48 2 articles · 1mo ago
Laravel Lang organization hit by network compromise
Initial DisclosureAttackers rewrote **GitHub tags** in the **Laravel Lang organization** repositories, turning legitimate-looking package releases into a malware delivery path for **Composer** users.
Show sources
- Laravel Lang packages hijacked to deploy credential-stealing malware — www.bleepingcomputer.com — 23.05.2026 23:48
- Laravel Lang packages hijacked to deploy credential-stealing malware — www.bleepingcomputer.com — 23.05.2026 23:48