Laravel Lang Packages Hijacked in Credential-Stealing Supply Chain Attack
Attackers compromised Laravel Lang packages by rewriting GitHub tags, distributing a credential-stealing malware targeting cloud credentials, secrets, keys, browser data, and cryptocurrency wallets across Windows, Linux, and macOS systems.
A supply chain attack compromised the Laravel Lang localization packages, impacting developers using Composer to manage dependencies. Starting around May 22, 2026, attackers rewrote GitHub tags across four repositories maintained by the Laravel Lang organization instead of publishing new malicious versions. This allowed the attackers to distribute malicious code through existing, seemingly legitimate release tags. The affected packages are laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions. The Laravel Lang packages are third-party localization packages and are not part of the official Laravel project. Security firms estimate that hundreds of historical versions may have been affected by this campaign.
Attack Chain
- Attackers compromised a GitHub account with organization-wide push access for the Laravel Lang organization.
- The attackers rewrote existing Git tags in the affected repositories (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions) to point to malicious commits.
- Developers unknowingly installed compromised Laravel Lang packages via Composer, pulling down the malicious commits.
- The malicious commits introduced a file named src/helpers.php, which was automatically loaded because of an autoload entry in the package's composer.json. src/helpers.php acted as a dropper, downloading a second-stage PHP payload from the C2 server at flipboxstudio[.]info.
- The downloaded PHP payload functioned as a cross-platform credential stealer, targeting cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local .env configuration files.
- On Windows systems, the PHP payload extracted and executed a base64-encoded executable named ‘DebugElevator’ to steal browser credentials.
- The collected sensitive data was encrypted and sent back to the C2 server at flipboxstudio[.]info.
Impact
This supply chain attack exposed developers using the affected Laravel Lang packages to credential-stealing malware. The malware targeted a wide range of sensitive information, including cloud credentials, secrets, and keys. Successful exfiltration could lead to unauthorized access to cloud infrastructure, code repositories, and other sensitive systems. Compromised credentials can be used for further attacks, data breaches, or financial theft. While the exact number of affected developers remains unknown, the popularity of Laravel Lang suggests a potentially wide impact.
Recommendation
- Review installed versions of Laravel Lang packages and compare against a known-good manifest to identify compromised versions.
- Rotate all potentially exposed credentials, including cloud credentials, API keys, and secrets, especially if using any of the affected Laravel Lang packages.
- Inspect systems for indicators of compromise, such as outbound connections to the C2 domain flipboxstudio[.]info.
- Deploy the Sigma rule “Detect PHP Dropper Downloading Payload” to identify similar dropper behavior in web server logs.
- Deploy the Sigma rule “Detect Windows Executable Dropped by PHP” to identify the ‘DebugElevator’ infostealer execution.
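Because the attackers rewrote existing tags, the version string in a project's composer.lock stays the same while the commit behind it changes, so the review step in the first recommendation has to compare commit references, not version numbers. The Python below is an added example, not code from this advisory or from the Laravel Lang project: it audits the laravel-lang/* entries of a composer.lock against a known-good (package, version) to commit manifest and also flags any autoload.files entry that loads src/helpers.php, the dropper path reported above. The lock excerpt, versions and commit references are constructed placeholders, and DROPPER_PATH and the finding codes are names chosen for this example.

```python
# Constructed excerpt of a composer.lock; versions and commit references are placeholders, not real values.
SAMPLE_LOCK = {
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.0.0",
         "source": {"type": "git", "reference": "aaaa1111"}},
        {"name": "laravel-lang/http-statuses", "version": "4.0.0",
         "source": {"type": "git", "reference": "bbbb2222"},
         "autoload": {"files": ["src/helpers.php"]}},
        {"name": "laravel-lang/attributes", "version": "2.0.0",
         "source": {"type": "git", "reference": "cccc3333"}},
        {"name": "monolog/monolog", "version": "3.5.0",
         "source": {"type": "git", "reference": "dddd4444"}},
    ],
    "packages-dev": [],
}

# Known-good manifest: (package, version) -> commit the release tag pointed at before the rewrite.
# Placeholder values; a real manifest comes from the maintainers or a pre-incident composer.lock.
KNOWN_GOOD = {
    ("laravel-lang/lang", "15.0.0"): "aaaa1111",
    ("laravel-lang/http-statuses", "4.0.0"): "b0b0b0b0",  # differs from the lock: tag was moved
}

DROPPER_PATH = "src/helpers.php"  # file the malicious commits added and auto-loaded via composer.json


def locked_reference(pkg):
    """Commit reference Composer resolved for a package: source first, then dist."""
    src, dist = pkg.get("source") or {}, pkg.get("dist") or {}
    return src.get("reference") or dist.get("reference")


def audit_lock(lock, known_good, prefix="laravel-lang/"):
    """Return (code, package, version, detail) findings for packages under the vendor prefix."""
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg.get("name", ""), pkg.get("version", "")
        if not name.startswith(prefix):
            continue
        ref, expected = locked_reference(pkg), known_good.get((name, version))
        if expected is None:
            findings.append(("unknown-version", name, version, "no known-good reference; verify manually"))
        elif ref != expected:
            findings.append(("ref-mismatch", name, version, f"locked {ref}, known-good {expected}"))
        # A rewritten tag keeps its version string, so also inspect what the package auto-loads.
        for path in (pkg.get("autoload") or {}).get("files", []):
            if path.replace("\\", "/").lstrip("./") == DROPPER_PATH:
                findings.append(("dropper-autoload", name, version, f"autoload.files loads {path}"))
    return findings


if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK, KNOWN_GOOD):
        print(*finding, sep=" | ")
```

Run it against a real lock with `json.load(open("composer.lock"))` in place of SAMPLE_LOCK; a ref-mismatch on a version that never changed upstream is the signature of a moved tag.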
Detection coverage
Detect PHP Dropper Downloading Payload
Severity: high. Detects a PHP script downloading a payload from a remote URL, indicative of dropper behavior.
Detect Windows Executable Dropped by PHP
Severity: medium. Detects the creation of an executable file in the %TEMP% directory by a PHP process.
Indicators of compromise
| Type | Value |
|---|---|
| domain | flipboxstudio[.]info |