Laravel-Lang PHP package supply-chain credential-stealing campaign

Campaign
Happening score: 47
2 unique sources, 2 articles

Summary

A software supply-chain campaign hit multiple Laravel-Lang PHP packages, putting consumers at risk of credential theft through tampered release tags. Malicious versions were published in rapid succession on May 22-23, 2026, with more than 700 versions identified across the affected packages. The payload embedded in src/helpers.php contacts flipboxstudio[.]info and runs on Windows, Linux, and macOS. The operation matters because the backdoor executes automatically on PHP requests, enabling stealthy theft from compromised applications.

Related Happenings

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

How related: The downloaded PHP payload [VirusTotal] was a large cross-platform credential stealer for Linux, macOS, and Windows that harvests cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local `.env` configuration files.

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

How related: Security firms StepSecurity, Aikido Security, and Socket warned about the compromise on Friday, warning that attackers had rewritten GitHub tags across four repositories maintained by the Laravel Lang organization rather than publishing entirely new malicious versions.

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Timeline

  1. 23.05.2026 12:51 1 article · 4d ago

    Malicious Laravel-Lang tags begin appearing

    Campaign Scope Update

    Malicious tags for Laravel-Lang PHP packages were published on May 22, 2026, marking the beginning of a rapid release-process compromise. The tag pattern points to automated mass tagging or republishing rather than a single isolated package version.

  2. 23.05.2026 12:51 1 article · 4d ago

    Malicious Laravel-Lang tags continue

    Campaign Scope Update

    Malicious tags for Laravel-Lang PHP packages continued on May 23, 2026, with many versions appearing only seconds apart. More than 700 versions were identified across the affected packages, and the pattern suggests possible access to organization-level credentials, repository automation, or release infrastructure.

  3. 23.05.2026 12:51 2 articles · 4d ago

    Researchers flag Laravel-Lang supply-chain attack

    Initial Disclosure

    On May 23, 2026, cybersecurity researchers flagged a software supply-chain attack against Laravel-Lang PHP packages such as laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The malicious src/helpers.php code was registered through composer.json autoload.files, executed automatically on PHP requests, and fetched a PHP credential stealer from flipboxstudio[.]info.
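
A defender-side check for the autoload.files mechanism described in the timeline, added here as an example and not taken from the cited reports: it reads a project's `vendor/composer/installed.json` and lists the named Laravel-Lang packages plus every other package that registers `autoload.files`. The sample data, status labels and placeholder references are constructed for illustration.

```python
import json, posixpath, sys

# Package names and helper path come from the disclosure above.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}
HELPER = "src/helpers.php"

def audit(installed):
    """Return findings for the named packages and for anything using autoload.files."""
    # Composer 2 writes {"packages": [...]}; Composer 1 wrote a bare list.
    packages = installed.get("packages", []) if isinstance(installed, dict) else installed
    findings = []
    for pkg in packages:
        name = str(pkg.get("name", "")).lower()
        files = [posixpath.normpath(f) for f in (pkg.get("autoload") or {}).get("files") or []]
        if name not in AFFECTED and not files:
            continue
        if name in AFFECTED and HELPER in files:
            status = "review-helper"    # named package that autoloads src/helpers.php
        elif name in AFFECTED:
            status = "review-package"   # named package, no matching autoload entry
        else:
            status = "inventory"        # other package whose files load on every request
        # Tags were rewritten, so record the resolved commit, not only the version string.
        ref = ((pkg.get("source") or {}).get("reference")
               or (pkg.get("dist") or {}).get("reference"))
        findings.append({"name": name, "version": pkg.get("version"),
                         "reference": ref, "files": files, "status": status})
    return findings

# Constructed sample; versions and references are placeholders, not real releases.
SAMPLE = {"packages": [
    {"name": "laravel-lang/lang", "version": "0.0.1-sample",
     "source": {"type": "git", "reference": "PLACEHOLDER_COMMIT_A"},
     "autoload": {"files": ["./src/helpers.php"]}},
    {"name": "laravel-lang/attributes", "version": "0.0.2-sample",
     "dist": {"type": "zip", "reference": "PLACEHOLDER_COMMIT_B"},
     "autoload": {"psr-4": {"Sample\\Attributes\\": "src/"}}},
    {"name": "example/util", "version": "1.0.0",
     "autoload": {"files": ["src/functions.php"]}},
    {"name": "example/plain", "version": "1.0.0",
     "autoload": {"psr-4": {"Example\\Plain\\": "src/"}}},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit(data):
        print(f["status"], f["name"], f["version"], f["reference"], f["files"])
```

A `review-helper` result marks a package to inspect, not a confirmed infection; compare the recorded reference against a commit the maintainers have confirmed as clean.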