Ethical Hacking News
Laravel Lang packages have been hijacked by attackers to deploy credential-stealing malware, exposing developers to a sophisticated supply chain attack. The malicious campaign compromised sensitive data, including cloud credentials, Kubernetes secrets, and database credentials, through exploited GitHub version tags. Developers are urged to review installed package versions, rotate exposed credentials, and inspect systems for indicators of compromise to minimize potential damage from this attack.
Laravel Lang packages have been hijacked by attackers to deploy credential-stealing malware. The attack exploits vulnerabilities in GitHub version tags of these packages. Four repositories maintained by the Laravel Lang organization were affected, including laravel-lang/lang, laravel-lang/http-statuses, and laravel-lang/attributes. The attackers rewrote existing git tags to point to a new malicious commit, allowing them to publish malicious code. The injected code acted as a dropper that downloaded a second payload from an attacker-controlled server. The malware harvested sensitive data such as cloud credentials, Kubernetes secrets, and SSH keys. Packagist removed the malicious versions and temporarily unlisted the affected packages to prevent additional installations. Developers are urged to review installed package versions, rotate exposed credentials, and inspect systems for indicators of compromise.
Laravel Lang packages, a set of popular third-party localization packages used by developers worldwide, have been hijacked by attackers to deploy credential-stealing malware. This sophisticated supply chain attack, which abuses the way GitHub version tags resolve, has exposed developers to a malicious campaign that steals their sensitive data.
According to security firms StepSecurity, Aikido Security, and Socket, the attack was discovered on Friday: attackers had rewritten GitHub tags across four repositories maintained by the Laravel Lang organization. The affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions. These packages are not part of the official Laravel project but are widely used by developers to add translations to their applications.
The attackers took advantage of a GitHub feature that allows tags to point to commits in forks of the same repository. Instead of publishing new malicious versions of these packages, they rewrote every existing git tag in each repository to point to a new malicious commit. This allowed them to publish what appeared to be legitimate release tags for the project but actually led to malicious commits stored in an attacker-controlled fork of the repository.
When developers installed the package via Composer, it would download the malicious code while appearing to install legitimate Laravel Lang releases. The injected code acted as a dropper that downloaded a second payload from the attacker's command and control server at flipboxstudio[.]info. This payload was a large cross-platform credential stealer for Linux, macOS, and Windows that harvested cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local `.env` configuration files.
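A moved tag leaves a specific fingerprint in a Composer project: the version string in `composer.lock` stays the same while the resolved commit (`source.reference` / `dist.reference`) changes. The script below is an added example written for this article, not code from Laravel Lang, Composer, or the researchers cited; it diffs a known-good lock file against the current one and reports exactly that pattern. Both lock files are constructed: the package names are the ones named in the article, but every version string and commit hash is an invented placeholder.

```python
"""Spot re-pointed Composer tags by diffing a known-good composer.lock
against the current one.

Added example for this article; not Laravel Lang, Composer or researcher
code. The lock contents are constructed: real package names, invented
versions and commit hashes.
"""
import json


def _pkg(name, version, ref, repo):
    """Build a minimal composer.lock package entry (constructed data)."""
    return {
        "name": name,
        "version": version,
        "source": {"type": "git",
                   "url": f"https://github.com/{repo}.git",
                   "reference": ref},
        "dist": {"type": "zip",
                 "url": f"https://api.github.com/repos/{repo}/zipball/{ref}",
                 "reference": ref},
    }


# Constructed: the lock file as committed before the incident.
KNOWN_GOOD_LOCK = json.dumps({
    "packages": [
        _pkg("laravel-lang/lang", "15.3.0", "1" * 40, "Laravel-Lang/lang"),
        _pkg("laravel-lang/attributes", "2.10.0", "2" * 40,
             "Laravel-Lang/attributes"),
    ],
    "packages-dev": [],
})

# Constructed: the same project after Composer re-resolved the rewritten
# tags. The version of laravel-lang/lang is unchanged, but the commit it
# resolves to is not; http-statuses is newly added and has no baseline.
CURRENT_LOCK = json.dumps({
    "packages": [
        _pkg("laravel-lang/lang", "15.3.0", "3" * 40, "Laravel-Lang/lang"),
        _pkg("laravel-lang/attributes", "2.10.0", "2" * 40,
             "Laravel-Lang/attributes"),
        _pkg("laravel-lang/http-statuses", "4.5.0", "4" * 40,
             "Laravel-Lang/http-statuses"),
    ],
    "packages-dev": [],
})


def index_lock(lock_text):
    """Map package name -> (version, commit reference) across both sections."""
    data = json.loads(lock_text)
    index = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            ref = ((pkg.get("source") or {}).get("reference")
                   or (pkg.get("dist") or {}).get("reference"))
            index[pkg["name"]] = (pkg["version"], ref)
    return index


def installed_with_prefix(lock_text, prefix="laravel-lang/"):
    """List installed packages from a vendor namespace, e.g. for triage."""
    return sorted(n for n in index_lock(lock_text) if n.startswith(prefix))


def moved_tags(known_good_text, current_text, prefix=""):
    """Report packages whose version is unchanged but whose resolved commit
    differs: the signature of a git tag that was re-pointed upstream."""
    before = index_lock(known_good_text)
    after = index_lock(current_text)
    findings = []
    for name, (version, new_ref) in sorted(after.items()):
        if prefix and not name.startswith(prefix):
            continue
        baseline = before.get(name)
        if baseline is None:
            continue  # newly added package: nothing to compare against
        old_version, old_ref = baseline
        if old_version == version and old_ref != new_ref:
            findings.append({"name": name, "version": version,
                             "old_ref": old_ref, "new_ref": new_ref})
    return findings


if __name__ == "__main__":
    print("installed:", installed_with_prefix(CURRENT_LOCK))
    for f in moved_tags(KNOWN_GOOD_LOCK, CURRENT_LOCK, "laravel-lang/"):
        print(f"{f['name']} {f['version']}: tag moved "
              f"{f['old_ref'][:12]} -> {f['new_ref'][:12]}")
```

Point the script at the last lock file committed before the incident window and the lock file currently deployed. For each package it flags, the next question is whether the new commit is reachable from any branch of the upstream repository; after `git fetch origin` in a clone of the upstream project, `git branch -r --contains <sha>` printing nothing is consistent with the fork-hosted commit the article describes.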
The malware also contained regular expression patterns used to extract AWS keys, GitHub tokens, Slack tokens, Stripe secrets, database credentials, JWTs, SSH private keys, and cryptocurrency recovery phrases from files and environment variables. The attackers had rewritten these tags across 233 versions in three repositories and approximately 700 historical versions across all four affected packages.
On Windows systems, the PHP payload also extracted a base64-encoded executable that was written to the `%TEMP%` folder as a random `.exe` filename. This executable, named `DebugElevator`, targeted Chrome, Brave, and Edge browsers and extracted App-Bound Encryption keys needed to decrypt stored browser credentials. The researchers noted that an embedded PDB path referenced the Windows account name 'Mero' and contained 'claude,' potentially indicating that AI was used to assist in developing the Windows malware.
The attackers sent the extracted sensitive data back to their command and control server, where it was encrypted and stored. This malicious campaign has highlighted the importance of security measures such as validating package versions, rotating exposed credentials, inspecting systems for indicators of compromise, and checking for historical outbound connections to attacker-controlled servers.
In response to the breach, Packagist, the official package repository for Composer, quickly removed the malicious versions and temporarily unlisted the affected packages to prevent additional installations. The security community is urged to review installed package versions, rotate exposed credentials, inspect systems for indicators of compromise, and check for historical outbound connections to flipboxstudio[.]info to minimize potential damage from this sophisticated supply chain attack.
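The "check for historical outbound connections" step above is the part most teams can script immediately. The following is an added example for this article, not code from the researchers cited: it sweeps resolver and forward-proxy log lines for the command and control domain the article names, matching the domain itself and any subdomain but not look-alike hosts that merely end in the same string, and lists the internal clients that touched it. The log lines and client addresses are constructed, and the `api.` subdomain in one of them is invented purely to exercise subdomain matching; the only real indicator is the domain from the article, kept defanged in the source and refanged at runtime.

```python
"""Sweep DNS and proxy logs for the C2 domain reported in the article.

Added example for this article; not researcher code. Log lines, client
addresses and the `api.` subdomain are constructed. The indicator is stored
defanged and refanged at runtime.
"""
import re

# Indicator from the article, defanged in source.
IOC_DOMAINS = [d.replace("[.]", ".") for d in ("flipboxstudio[.]info",)]

# Constructed log lines: a resolver query log and a forward-proxy access log
# sharing the layout "<timestamp> <source> key=value ...".
SAMPLE_LOGS = [
    "2026-05-21T09:14:02Z dns client=10.0.4.17 query=flipboxstudio.info type=A",
    "2026-05-21T09:14:03Z proxy client=10.0.4.17 method=GET "
    "url=https://flipboxstudio.info/ status=200",
    "2026-05-21T09:20:11Z dns client=10.0.4.22 query=packagist.org type=A",
    "2026-05-22T01:02:03Z proxy client=10.0.9.5 method=POST "
    "url=https://api.flipboxstudio.info/ status=200",  # subdomain constructed
    "2026-05-22T07:45:00Z dns client=10.0.4.30 query=notflipboxstudio.info type=A",
    "2026-05-22T08:00:00Z proxy client=10.0.4.30 method=GET "
    "url=https://github.com/Laravel-Lang/lang status=200",
]

FIELD_RE = re.compile(r"\b(?:query|url)=(\S+)")
CLIENT_RE = re.compile(r"\bclient=(\S+)")


def extract_host(line):
    """Pull the queried or requested hostname out of a log line, or None."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    value = m.group(1)
    if "://" in value:
        value = value.split("://", 1)[1]     # drop scheme
    host = value.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    return host.lower().rstrip(".")


def matches_ioc(host, domains=IOC_DOMAINS):
    """True for the indicator domain or any subdomain of it; a host that
    merely ends with the same characters (notflipboxstudio.info) does not
    match because the dot boundary is required."""
    return any(host == d or host.endswith("." + d) for d in domains)


def ioc_hits(lines, domains=IOC_DOMAINS):
    """Return one record per log line that contacted an indicator."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if not host or not matches_ioc(host, domains):
            continue
        timestamp, source = line.split()[:2]
        client = CLIENT_RE.search(line)
        hits.append({"timestamp": timestamp, "source": source,
                     "client": client.group(1) if client else None,
                     "host": host})
    return hits


def affected_clients(lines, domains=IOC_DOMAINS):
    """Distinct internal clients that reached the indicator: the machines
    whose credentials should be rotated first."""
    return sorted({h["client"] for h in ioc_hits(lines, domains) if h["client"]})


if __name__ == "__main__":
    for hit in ioc_hits(SAMPLE_LOGS):
        print(f"{hit['timestamp']} {hit['source']:5} {hit['client']} -> {hit['host']}")
    print("clients to triage:", affected_clients(SAMPLE_LOGS))
```

Feed it the retention window that covers the tag rewrites rather than only the day the story broke; the whole point of a moved tag is that an older, already-trusted version string can have pulled the dropper.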
In conclusion, the hijacking of Laravel Lang packages to deploy credential-stealing malware serves as a stark reminder of the importance of maintaining vigilance in software security. As developers continue to rely on third-party libraries and packages to enhance their applications, they must remain vigilant against the ever-evolving threats that target these vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/Laravel-Lang-Packages-Hijacked-to-Deploy-Credential-Stealing-Malware-A-Sophisticated-Supply-Chain-Attack-Exposes-Developers-ehn.shtml
https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/
https://blog.gridinsoft.com/laravel-lang-composer-stealer/
Published: Sat May 23 16:12:25 2026 by llama3.2 3B Q4_K_M