

Ethical Hacking News

Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux: A Looming Threat to PHP Applications



Recently discovered fake Laravel packages on Packagist have been found to deploy a remote access trojan (RAT) that can compromise Windows, macOS, and Linux systems. The malicious packages were found to contain PHP files that employ control flow obfuscation and encoded domain names to evade detection. This RAT allows an attacker to gain full remote access to infected hosts, putting the security of thousands of PHP-based applications at risk.

  • Fake Laravel packages have been uploaded to Packagist, compromising thousands of PHP-based applications.
  • A remote access trojan (RAT) is deployed through the malicious packages, allowing attackers to gain full remote access to infected systems.
  • The RAT uses sophisticated techniques to evade detection and can send system reconnaissance data to a central server.
  • Malicious packages are still available for download from Packagist, requiring immediate action from PHP developers.
  • Installing lara-helper or simple-queue installs the RAT, giving attackers full remote shell access and the ability to read and write arbitrary files.



    A recent discovery by cybersecurity researchers has shed light on a concerning trend of fake Laravel packages being uploaded to Packagist, the main Composer package repository for PHP. These malicious packages have been found to deploy a remote access trojan (RAT) that can compromise Windows, macOS, and Linux systems, putting the security of thousands of PHP-based applications at risk.

    According to Socket, the cybersecurity firm that discovered the malicious packages, the RAT sends system reconnaissance data to a central server and gives an attacker full remote access to infected hosts. The malware is designed to be highly resilient: control flow obfuscation and encoded domain names make it difficult for static analysis tools to detect.

    The malicious packages, which include "nhattuanbl/lara-helper," "simple-queue," and "lara-swagger," were found to contain a PHP file named "src/helper.php" that employs several techniques to evade detection. This file is responsible for establishing connections to the C2 server at helper.leuleu[.]net:2096, sending system information, and waiting for commands from the attacker.

    The RAT communicates over TCP using PHP's stream_socket_client() function, which makes it difficult to detect. The supported commands include ping, info, cmd, powershell, run, screenshot, download, upload, and stop, along with shell execution that takes PHP's disable_functions setting into account. This allows the attacker to execute arbitrary shell commands and access sensitive data.

    The threat actor behind the operation has published three other libraries ("nhattuanbl/lara-media," "nhattuanbl/snooze," and "nhattuanbl/syslog") that are clean but likely designed to build credibility and trick users into installing the malicious ones.

    Researchers believe that any Laravel application that installed lara-helper or simple-queue is running a persistent RAT, giving the attacker full remote shell access, the ability to read and write arbitrary files, and an ongoing system profile for each connected host.

    The malicious packages are still available for download from Packagist, making it essential for PHP developers to take immediate action. Users who have installed the packages are advised to remove them, rotate all secrets accessible from the application environment, and audit outbound traffic to the C2 server.
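
    One way to check whether a project resolved any of the packages named above, directly or as a transitive dependency, is to scan its composer.lock. The script below is an added example, not code from Socket or from this article; the verdict labels and the sample lock file are constructed, and because the article gives "simple-queue" and "lara-swagger" without a vendor prefix, those two are matched on the package name alone and reported for manual review.

```python
import json

# Names as given in the article. Only lara-helper appears with its vendor
# prefix; the other two are matched on the part after the slash (assumption).
MALICIOUS_FULL = {"nhattuanbl/lara-helper"}
MALICIOUS_BASENAMES = {"simple-queue", "lara-swagger"}
PUBLISHER = "nhattuanbl"

# Constructed sample lock file; vendors and versions are made up for the demo.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0"},
        {"name": "example-vendor/simple-queue", "version": "2.1.0"},
    ],
    "packages-dev": [
        {"name": "nhattuanbl/syslog", "version": "0.3.0"},
    ],
})


def audit_lock(lock_text):
    """Return sorted (package, version, verdict) tuples for flagged entries."""
    lock = json.loads(lock_text)
    findings = []
    # composer.lock lists every resolved package, including transitive
    # dependencies, under "packages" and "packages-dev".
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = str(pkg.get("name", "")).lower()
            vendor, _, base = name.partition("/")
            if name in MALICIOUS_FULL:
                verdict = "malicious"       # exact name from the article
            elif base in MALICIOUS_BASENAMES:
                verdict = "name-match"      # vendor not stated; verify by hand
            elif vendor == PUBLISHER:
                verdict = "same-publisher"  # reported clean, same author
            else:
                continue
            findings.append((name, pkg.get("version", "?"), verdict))
    return sorted(findings)


if __name__ == "__main__":
    for name, version, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{verdict:15} {name} {version}")
```

    To audit a real project, pass the contents of its composer.lock to audit_lock() instead of SAMPLE_LOCK.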

    In an effort to mitigate this threat, cybersecurity experts recommend that developers adopt a more stringent approach to package management, including regular updates and security audits. Additionally, users should be cautious when installing new packages, especially those with unclear or suspicious origins.

    This incident highlights the importance of ongoing security research and monitoring in identifying and addressing potential vulnerabilities before they can be exploited. As the use of open-source software continues to grow, it is crucial that developers and users remain vigilant in protecting themselves against sophisticated threats like this RAT.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Fake-Laravel-Packages-on-Packagist-Deploy-RAT-on-Windows-macOS-and-Linux-A-Looming-Threat-to-PHP-Applications-ehn.shtml

  • https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html

  • https://socket.dev/blog/malicious-packagist-packages-disguised-as-laravel-utilities


  • Published: Wed Mar 4 05:29:35 2026 by llama3.2 3B Q4_K_M












