

Ethical Hacking News

New Supply Chain Attack Campaign Targets Multiple PHP Packages to Deliver Credential-Stealing Framework




A new supply chain attack campaign has been discovered that targets multiple PHP packages belonging to the Laravel-Lang organization. The compromised versions, published on May 22 and 23, 2026, deliver a comprehensive credential-stealing framework. The attack highlights how exposed software supply chains are to modern-day attacks.

In this article, we will delve into the details of the attack and explore the implications for organizations that rely on the affected PHP packages. We will also examine the measures that can be taken to detect such a compromise and to protect the software supply chain against it.

Read on to learn more about this recent supply chain attack campaign and how it affects organizations.

  • A fresh supply chain attack campaign has targeted multiple PHP packages belonging to the Laravel-Lang organization, compromising them to deliver a comprehensive credential-stealing framework.
  • The rogue versions were published on May 22 and 23, 2026, with multiple versions of each affected package appearing only seconds apart.
  • The attackers are believed to have obtained organization-level credentials, repository automation, or release infrastructure, which is what allowed them to publish compromised package versions so rapidly.
  • The core malicious functionality lives in a file named "src/helpers.php", which fingerprints the host and contacts an external server to retrieve a cross-platform PHP payload; on Windows it launches that payload through a Visual Basic Script run with cscript.
  • Because the file is registered under autoload.files in composer.json, it runs on every PHP request handled by the compromised application.
  • The payload is a credential stealer that harvests cloud, CI/CD, wallet, browser, password-manager and VPN secrets, encrypts them with AES-256 and sends them to flipboxstudio[.]info/exfil.
  • The attack highlights how exposed software supply chains are to modern-day attacks, and the need for robust security measures to protect against them.



    Researchers have discovered a fresh supply chain attack campaign that has targeted multiple PHP packages belonging to the Laravel-Lang organization. The affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, which have been compromised to deliver a comprehensive credential-stealing framework.

    The rogue versions were published on May 22 and 23, 2026, with multiple versions of each package appearing only seconds apart. According to Aikido Security researcher Ilyas Makari, the timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization's release process, rather than a single malicious package version.

    "The attackers have managed to obtain access to organization-level credentials, repository automation, or release infrastructure," Makari explained. "This level of access would allow them to publish multiple versions of the same package in rapid succession, which is exactly what was observed."

    The core malicious functionality of the attack is located in a file named "src/helpers.php" that was added in the newly published tags. This file is mainly designed to fingerprint the infected host and contact an external server ("flipboxstudio[.]info") to retrieve a PHP-based cross-platform payload.

    According to Makari, the dropper writes a Visual Basic Script launcher on Windows and runs it via cscript; on Linux and macOS, it executes the stealer payload directly via exec(). "Because this file ['src/helpers.php'] is registered in the composer.json under autoload.files, the backdoor is executed automatically on every PHP request handled by the compromised application," Makari said.
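    The autoload.files mechanism is the practical detection hook: Composer records each package's autoload section in composer.lock, so a responder can enumerate every file that runs on each request and inspect it. The script below is an added triage example, not code from Aikido or from the Laravel-Lang project. It parses a composer.lock, lists every package that registers autoload.files, flags laravel-lang/* entries whose locked release time falls in the May 22 to 23, 2026 window, and greps the registered files for the indicators named in the write-up (the C2 domain, a cscript launcher, an exec()-style call, a large embedded base64 blob). The composer.lock excerpt, the version strings and the stand-in helpers.php contents are constructed for the test and are not real package data or malware; the publication window is assumed to be UTC-inclusive, and the defanged domain from the article is used un-defanged for matching.

```python
"""Triage helper for a Composer supply chain compromise (added example).

Checks, run offline against constructed sample data:
  1. Which locked packages register files under autoload.files (those run on
     every PHP request, the execution vector described for src/helpers.php).
  2. Do laravel-lang/* entries have release times inside the reported window?
  3. Do any autoloaded files carry the indicators from the write-up?
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone

# Indicators taken from the article; the malicious file itself is not reproduced.
C2_DOMAIN = "flipboxstudio.info"
INDICATOR_PATTERNS = {
    "c2_domain": re.compile(re.escape(C2_DOMAIN), re.I),
    "cscript_launcher": re.compile(r"\bcscript\b", re.I),
    "exec_call": re.compile(r"\b(exec|shell_exec|passthru|proc_open|system)\s*\(", re.I),
    "base64_blob": re.compile(r"[A-Za-z0-9+/=]{200,}"),
}
# Reported publication window for the rogue tags (assumed UTC, end exclusive).
WINDOW_START = datetime(2026, 5, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 24, tzinfo=timezone.utc)
AFFECTED_VENDOR = "laravel-lang/"


def autoload_files(lock_json: str) -> dict[str, list[str]]:
    """Map package name -> files registered under autoload.files in composer.lock."""
    lock = json.loads(lock_json)
    result: dict[str, list[str]] = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            files = pkg.get("autoload", {}).get("files", [])
            if files:
                result[pkg["name"]] = list(files)
    return result


def packages_in_window(lock_json: str) -> list[str]:
    """laravel-lang/* entries whose locked release time falls in the reported window."""
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if not pkg["name"].startswith(AFFECTED_VENDOR) or "time" not in pkg:
                continue
            released = datetime.fromisoformat(pkg["time"].replace("Z", "+00:00"))
            if WINDOW_START <= released < WINDOW_END:
                hits.append(f'{pkg["name"]} {pkg["version"]}')
    return hits


def scan_source(text: str) -> list[str]:
    """Names of the indicator patterns present in one PHP source file."""
    return [name for name, pat in INDICATOR_PATTERNS.items() if pat.search(text)]


def triage(lock_json: str, sources: dict[str, str]) -> dict:
    """Run all checks. `sources` maps '<package>/<autoload file>' -> file contents,
    standing in for reading vendor/<package>/<file> from disk."""
    suspicious = {}
    for pkg, files in autoload_files(lock_json).items():
        for path in files:
            key = f"{pkg}/{path}"
            indicators = scan_source(sources.get(key, ""))
            if indicators:
                suspicious[key] = indicators
    return {
        "autoload_files": autoload_files(lock_json),
        "in_window": packages_in_window(lock_json),
        "suspicious": suspicious,
    }


# Constructed composer.lock excerpt: names follow the article, versions/times are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "sample-tag",
         "time": "2026-05-22T10:00:00+00:00",
         "autoload": {"files": ["src/helpers.php"], "psr-4": {"LaravelLang\\": "src/"}}},
        {"name": "laravel-lang/http-statuses", "version": "sample-old",
         "time": "2026-05-01T00:00:00+00:00",
         "autoload": {"psr-4": {"LaravelLang\\HttpStatuses\\": "src/"}}},
        {"name": "symfony/polyfill-mbstring", "version": "sample-polyfill",
         "time": "2025-01-01T00:00:00+00:00",
         "autoload": {"files": ["bootstrap.php"]}},
    ],
    "packages-dev": [],
})

# Constructed stand-in for a tampered helpers.php: only the strings the scanner keys on.
SAMPLE_HELPERS = (
    "<?php\n"
    "$u = 'https://flipboxstudio.info/x';\n"
    "if (PHP_OS_FAMILY === 'Windows') { exec('cscript //nologo ' . $vbs); }\n"
)
# Constructed benign autoloaded file.
SAMPLE_CLEAN = "<?php\nfunction __(...$a) { return trans(...$a); }\n"

if __name__ == "__main__":
    report = triage(SAMPLE_LOCK, {
        "laravel-lang/lang/src/helpers.php": SAMPLE_HELPERS,
        "symfony/polyfill-mbstring/bootstrap.php": SAMPLE_CLEAN,
    })
    print(json.dumps(report, indent=2))
```

    Against a real install, replace SAMPLE_LOCK with the contents of composer.lock and build the `sources` map by reading each registered file from vendor/. A hit on "in_window" or "suspicious" is a reason to treat the host, and every secret in the list below, as compromised; the absence of a hit only says the autoloaded files match none of these strings, so pair it with a diff of the locked versions against the upstream tags.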

    The stealer is equipped to harvest a wide range of data from compromised systems and exfiltrate it to the same server, including:

    • IAM roles and instance identity documents, obtained by querying cloud metadata endpoints
    • Google Cloud application default credentials
    • Microsoft Azure access tokens and service principal profiles
    • Kubernetes Service Account tokens and Helm registry configurations
    • Authentication tokens for DigitalOcean, Heroku, Vercel, Netlify, Railway and Fly.io
    • HashiCorp Vault tokens
    • Tokens and configurations from Jenkins, GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD
    • Seed phrases and files associated with cryptocurrency wallets (Electrum, Exodus, Atomic, Ledger Live, Trezor, Wasabi, and Sparrow) and extensions (MetaMask, Phantom, Trust Wallet, Ronin, Keplr, Solflare, and Rabby)
    • Browser history, cookies, and login data from Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera, using a Base64-encoded embedded Windows executable that bypasses Chromium's app-bound encryption (ABE) protections
    • Local vaults and browser extension data for 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass
    • PuTTY/WinSCP saved sessions, Windows Credential Manager dumps, and RDP files
    • Session tokens for applications such as Discord, Slack, and Telegram
    • Data from Microsoft Outlook, Thunderbird, and popular FTP clients (FileZilla, WinSCP, and CoreFTP)
    • Configuration and credential files containing Docker auth tokens, SSH private keys, Git credentials, shell history files, database history files, Kubernetes cluster configurations, .env files, wp-config.php, and docker-compose.yml
    • Environment variables loaded into the PHP process
    • Source control credentials from global and local .gitconfig files, .git-credentials, and .netrc files
    • VPN configuration and saved login files for OpenVPN, WireGuard, NetworkManager, and commercial VPNs such as NordVPN, ExpressVPN, CyberGhost, and Mullvad

    The fetched payload is a roughly 5,900-line PHP credential stealer, organized into fifteen specialist collector modules. After collecting everything it can find, the malware encrypts the results with AES-256 and sends them to flipboxstudio[.]info/exfil. It then deletes itself from disk to limit forensic evidence. Note that only the downloaded stage removes itself: the dropper in src/helpers.php stays in the vendor directory, is listed in composer.lock, and is re-executed on every PHP request, so it remains both the persistence mechanism and the durable artifact to look for.

    The attack highlights how exposed software supply chains are to modern-day attacks. The distinguishing feature here, as Makari noted, is that four packages received rogue tags within seconds of each other, which points to compromised organization-level credentials, repository automation, or release infrastructure rather than a single poisoned release. Once that layer is compromised, version pinning alone does not help, because the attacker controls what each new tag contains.

    In light of this recent attack, organizations that use the laravel-lang packages should check composer.lock for any version of laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, or laravel-lang/actions published on May 22 or 23, 2026, and inspect the src/helpers.php that Composer registers under autoload.files. Where a compromised version was installed, the host should be treated as fully compromised and every category of secret listed above (cloud and CI/CD tokens, SSH and Git credentials, .env contents, Kubernetes and Vault tokens, wallet and browser data) rotated or revoked. More broadly, it is essential to review which dependencies execute code on autoload, to monitor outbound traffic from application hosts for unexpected destinations such as flipboxstudio[.]info, and to treat the publishing credentials and release automation of upstream projects as part of the attack surface.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Supply-Chain-Attack-Campaign-Targets-Multiple-PHP-Packages-to-Deliver-Credential-Stealing-Framework-ehn.shtml

  • https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html

  • https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer


  • Published: Sat May 23 06:01:37 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
