{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/laravel-lang/http-statuses/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["laravel-lang/lang","laravel-lang/http-statuses","laravel-lang/attributes","laravel-lang/actions"],"_cs_severities":["high"],"_cs_tags":["supply-chain-attack","credential-theft","infostealer","composer","php","github"],"_cs_type":"advisory","_cs_vendors":["Laravel"],"content_html":"\u003cp\u003eA supply chain attack compromised the Laravel Lang localization packages, affecting developers who install them with Composer. Starting around May 22, 2026, the attackers did not publish new malicious versions; instead they rewrote existing GitHub tags across four repositories maintained by the Laravel Lang organization, so that installs of existing, seemingly legitimate release tags pulled down malicious code. The affected packages are laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions. The Laravel Lang packages are third-party localization packages and are not part of the official Laravel project. Security firms estimate that hundreds of historical versions may have been affected by this campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttackers compromised a GitHub account with organization-wide push access to the Laravel Lang organization.\u003c/li\u003e\n\u003cli\u003eThe attackers rewrote existing Git tags in the affected repositories (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions) to point to malicious commits, leaving the version strings themselves unchanged.\u003c/li\u003e\n\u003cli\u003eDevelopers installing or updating the packages via Composer resolved the rewritten tags and unknowingly pulled down the malicious commits.\u003c/li\u003e\n\u003cli\u003eThe malicious commits introduced a file named \u003ccode\u003esrc/helpers.php\u003c/code\u003e and registered it in the package\u0026rsquo;s \u003ccode\u003ecomposer.json\u003c/code\u003e autoload configuration, so Composer includes it whenever the application\u0026rsquo;s autoloader is loaded, with no call from application code.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esrc/helpers.php\u003c/code\u003e acted as a dropper, downloading a second-stage PHP payload from the C2 server at flipboxstudio[.]info.\u003c/li\u003e\n\u003cli\u003eThe second-stage PHP payload was a cross-platform credential stealer targeting cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local \u003ccode\u003e.env\u003c/code\u003e configuration files.\u003c/li\u003e\n\u003cli\u003eOn Windows, the PHP payload decoded and executed an embedded base64-encoded executable named \u0026lsquo;DebugElevator\u0026rsquo; to steal browser credentials.\u003c/li\u003e\n\u003cli\u003eThe collected data was encrypted and exfiltrated to the same C2 server at flipboxstudio[.]info.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack exposed developers using the affected Laravel Lang packages to credential-stealing malware. Because the stealer targets cloud credentials, secrets, and keys, a successful exfiltration can give the attackers access to cloud infrastructure, code repositories, CI/CD pipelines, and any other system those credentials protect, and the stolen credentials can be reused for follow-on intrusions, data breaches, or financial theft. The exact number of affected developers is unknown, but the popularity of Laravel Lang suggests a potentially wide impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview installed Laravel Lang packages and compare them against a known-good manifest. Because the tags were rewritten in place, a version string alone does not identify a clean install: compare the commit reference pinned in \u003ccode\u003ecomposer.lock\u003c/code\u003e (the source or dist reference) with a known-good reference for that same version, and treat any mismatch as suspect.\u003c/li\u003e\n\u003cli\u003eRotate all potentially exposed credentials on every workstation, build agent, and server where an affected package was installed, including cloud credentials, API keys, CI/CD secrets, SSH keys, and anything stored in \u003ccode\u003e.env\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eInspect systems for indicators of compromise, in particular outbound connections to the C2 domain flipboxstudio[.]info and an unexpected \u003ccode\u003esrc/helpers.php\u003c/code\u003e autoloaded from a Laravel Lang package.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PHP Dropper Downloading Payload\u0026rdquo; to identify similar dropper behavior in web server logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Windows Executable Dropped by PHP\u0026rdquo; to identify execution of the \u0026lsquo;DebugElevator\u0026rsquo; infostealer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-23T20:51:26Z","date_published":"2026-05-23T20:51:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-laravel-supply-chain/","summary":"Attackers compromised the Laravel Lang packages by rewriting GitHub tags in place, distributing credential-stealing malware that targets cloud credentials, secrets, keys, browser data, and cryptocurrency wallets across Windows, Linux, and macOS systems.","title":"Laravel Lang Packages Hijacked in Credential-Stealing Supply Chain Attack","url":"https://feed.craftedsignal.io/briefs/2026-05-laravel-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — Laravel-Lang/Http-Statuses","version":"https://jsonfeed.org/version/1.1"}
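The audit the brief recommends, written out as an added example that is not part of the CraftedSignal feed or the Laravel Lang project: it compares each laravel-lang/* entry in composer.lock against a known-good manifest of commit references (the version string is useless on its own, since the tags were rewritten in place), flags a package whose composer.json autoloads src/helpers.php, and scans the autoloaded files for the C2 domain. It assumes a standard Composer layout (composer.lock at the project root, packages under vendor/). The sample project tree, its version numbers, and its 40-character hashes are constructed placeholders, and the helpers.php stand-in it writes contains only the domain string, not the real dropper.

```python
"""Audit a Composer project for the Laravel Lang tag-rewrite indicators.

Added example, not code from the CraftedSignal brief or the Laravel Lang
project. The three checks follow the advisory text:
  1. composer.lock: for every laravel-lang/* package record the version and
     the pinned git reference; with a known-good manifest, flag a package whose
     reference differs for the same version (a rewritten tag keeps its version
     string but points at a different commit).
  2. vendor/laravel-lang/*/composer.json: flag an autoload "files" entry for
     src/helpers.php, the dropper path the advisory names.
  3. scan each autoloaded file for the C2 domain flipboxstudio.info.
build_sample_project() writes a constructed tree with placeholder versions and
hashes; its helpers.php stand-in carries only the domain string.
"""
import json
import os
import tempfile

C2_DOMAIN = "flipboxstudio.info"
DROPPER_PATH = "src/helpers.php"
VENDOR_PREFIX = "laravel-lang/"


def _pinned_reference(pkg):
    """Return the commit a composer.lock entry is pinned to ('' if none)."""
    for key in ("source", "dist"):
        ref = (pkg.get(key) or {}).get("reference")
        if ref:
            return ref
    return ""


def audit_project(root, known_good=None):
    """Return (package, check, detail) findings for the Composer project at root.

    known_good maps (package name, version) -> expected commit reference.
    """
    findings = []
    with open(os.path.join(root, "composer.lock"), encoding="utf-8") as fh:
        lock = json.load(fh)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if not name.startswith(VENDOR_PREFIX):
            continue
        version = pkg.get("version", "")
        ref = _pinned_reference(pkg)
        findings.append((name, "installed", f"{version} @ {ref}"))
        if known_good is not None:
            expected = known_good.get((name, version))
            if expected is None:
                findings.append((name, "unknown-version", version))
            elif expected != ref:
                findings.append((name, "reference-mismatch",
                                 f"{version}: lock {ref} != known-good {expected}"))
        # What the installed package asks Composer to include unconditionally.
        pkg_dir = os.path.join(root, "vendor", *name.split("/"))
        manifest = os.path.join(pkg_dir, "composer.json")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8") as fh:
            autoload_files = json.load(fh).get("autoload", {}).get("files", [])
        for rel in autoload_files:
            if os.path.normpath(rel) == os.path.normpath(DROPPER_PATH):
                findings.append((name, "autoload-dropper", rel))
            path = os.path.join(pkg_dir, rel)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    if C2_DOMAIN.encode() in fh.read():
                        findings.append((name, "c2-reference", rel))
    return findings


def build_sample_project():
    """Write a constructed project tree to a temp dir; return (root, known_good).

    Placeholder versions and hashes. laravel-lang/lang is left clean;
    laravel-lang/http-statuses is locked to a different commit than the
    known-good one for the same version and autoloads src/helpers.php.
    """
    root = tempfile.mkdtemp(prefix="laravel-lang-audit-")
    good_lang, good_http, rewritten_http = "1" * 40, "2" * 40, "3" * 40
    lock = {"packages": [
        {"name": "laravel-lang/lang", "version": "1.0.0",
         "source": {"type": "git", "reference": good_lang}},
        {"name": "laravel-lang/http-statuses", "version": "1.0.0",
         "source": {"type": "git", "reference": rewritten_http}},
    ]}
    with open(os.path.join(root, "composer.lock"), "w", encoding="utf-8") as fh:
        json.dump(lock, fh)
    manifests = {
        "laravel-lang/lang": {"name": "laravel-lang/lang", "autoload": {}},
        "laravel-lang/http-statuses": {"name": "laravel-lang/http-statuses",
                                       "autoload": {"files": ["src/helpers.php"]}},
    }
    for name, manifest in manifests.items():
        pkg_dir = os.path.join(root, "vendor", *name.split("/"))
        os.makedirs(os.path.join(pkg_dir, "src"))
        with open(os.path.join(pkg_dir, "composer.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    # Inert stand-in for the dropper: only the domain string, no download logic.
    stand_in = os.path.join(root, "vendor", "laravel-lang", "http-statuses", "src", "helpers.php")
    with open(stand_in, "w", encoding="utf-8") as fh:
        fh.write("<?php\n$c2 = 'https://flipboxstudio.info/';\n")
    known_good = {("laravel-lang/lang", "1.0.0"): good_lang,
                  ("laravel-lang/http-statuses", "1.0.0"): good_http}
    return root, known_good


if __name__ == "__main__":
    sample_root, sample_manifest = build_sample_project()
    for finding in audit_project(sample_root, sample_manifest):
        print("%-28s %-20s %s" % finding)
```

Against a real project, call audit_project('/path/to/app', known_good) with known_good built from a composer.lock known to predate the tag rewrite; without a manifest the "installed" lines still give you the version-and-reference pairs to compare by hand, and the autoload and C2 checks run regardless.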