- What: Four laravel-lang/* Composer packages were backdoored with a 5,900-line PHP credential stealer (served from flipboxstudio[.]info), auto-executed via autoload.files on every PHP request. 700+ malicious versions were published May 22-23, 2026.
- Impact: Any Laravel, Symfony, or PHPUnit app that ran composer install during the window silently received the stealer; it harvests cloud IAM keys (AWS/GCP/Azure/K8s), crypto wallet seeds, browser credentials, SSH keys, CI/CD tokens, and .env files, then AES-256-encrypts and exfiltrates them before self-deleting.
- Fix / mitigation: Audit composer.lock for laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, or laravel-lang/actions versions dated May 22-23, 2026; upgrade to clean releases, then rotate all credentials accessible from the affected host.
- Who's at risk: Any PHP development environment or CI pipeline that automatically installs these packages without dependency pinning or supply-chain scanning (Socket Security / StepSecurity).
A sophisticated supply chain attack has compromised multiple PHP packages within the Laravel-Lang ecosystem, delivering a comprehensive cross-platform credential stealer to thousands of development environments. Security researchers from Socket, StepSecurity, and Aikido Security have identified over 700 malicious versions published across four core packages between May 22-23, 2026, indicating an organization-level compromise rather than isolated package tampering.
The affected packages—laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions—were compromised through what researchers believe was unauthorized access to organization-level credentials or release infrastructure. The rapid succession of malicious versions appearing seconds apart points to automated mass tagging, suggesting attackers gained deep access to the Laravel-Lang organization's publishing pipeline.
Automatic Execution Through Composer Autoloading
The attack's effectiveness stems from its abuse of PHP's standard autoloading mechanism. Attackers injected a malicious file, src/helpers.php, into each compromised package and registered it in the composer.json autoload.files configuration. This ensures the payload executes automatically whenever any PHP application loads its dependencies—no user interaction, class instantiation, or method calls required.
Every Laravel application executes 'require __DIR__."/vendor/autoload.php"' on startup. Because the malicious helpers.php file is registered in autoload.files, the backdoor runs automatically on every PHP request handled by compromised applications. This affects Symfony, PHPUnit, and most PHP frameworks that follow the same pattern.
The dropper implements platform detection to deliver appropriate payloads. On Windows systems, it deploys a Visual Basic Script launcher executed via cscript. Linux and macOS systems receive direct PHP-based stealer execution via exec(). The malware generates a unique per-host marker using an MD5 hash combining directory path, system architecture, and inode to ensure single execution per machine, reducing detection risk while maintaining persistence across the infrastructure.
Comprehensive Credential Harvesting Capabilities
The payload retrieved from the attacker-controlled server flipboxstudio[.]info represents a 5,900-line PHP credential stealer organized into fifteen specialized collector modules. This modular architecture enables systematic harvesting of credentials across cloud platforms, development tools, cryptocurrency wallets, and authentication systems.
Cloud and infrastructure targets include IAM roles and instance identity documents from AWS metadata endpoints, Google Cloud application default credentials, Microsoft Azure access tokens and service principal profiles, and Kubernetes Service Account tokens. The stealer specifically queries cloud metadata endpoints and extracts authentication tokens for DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io, along with HashiCorp Vault tokens and CI/CD credentials from Jenkins, GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD.
Cryptocurrency and Browser Data Extraction
The malware targets cryptocurrency assets through multiple vectors. It extracts seed phrases and wallet files from desktop applications including Electrum, Exodus, Atomic, Ledger Live, Trezor, Wasabi, and Sparrow. Browser extensions for MetaMask, Phantom, Trust Wallet, Ronin, Keplr, Solflare, and Rabby are specifically harvested for their stored credentials and private keys.
Browser data collection includes history, cookies, and login credentials from Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera. Notably, the stealer deploys a Base64-encoded embedded Windows executable specifically designed to bypass Chromium's app-bound encryption (ABE) protections, a relatively new security feature that previously prevented credential extraction from modern Chrome-based browsers.
Password Managers and Development Tools
Password management systems represent high-value targets. The stealer extracts local vaults and browser extension data from 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass. It harvests PuTTY and WinSCP saved sessions, Windows Credential Manager dumps, RDP connection files, and session tokens from Discord, Slack, and Telegram. Further collector modules target:
- Docker authentication tokens and SSH private keys from configuration files
- Git credentials from .gitconfig, .git-credentials, and .netrc files
- Shell history files and database command histories containing plaintext credentials
- Environment files including .env, wp-config.php, and docker-compose.yml
- Kubernetes cluster configurations and Helm registry authentication
- FTP client credentials from FileZilla, WinSCP, and CoreFTP
- Email credentials from Microsoft Outlook and Thunderbird
- VPN configurations from OpenVPN, WireGuard, NordVPN, ExpressVPN, CyberGhost, and Mullvad
Exfiltration and Anti-Forensics
After collection, the stealer encrypts all harvested data using AES-256 before transmission to flipboxstudio[.]info/exfil. This encryption prevents network monitoring from identifying specific compromised credentials during exfiltration. Following successful transmission, the payload deletes itself from disk to limit forensic evidence and complicate incident response efforts.
Organizations using Laravel-Lang packages must immediately audit composer.lock files for affected versions published May 22-23, 2026. Rotate all credentials accessible from compromised systems, including cloud IAM credentials, API tokens, SSH keys, and service account credentials. Review access logs for unauthorized activity and implement dependency verification using tools like Socket Security or StepSecurity to detect similar supply chain attacks.
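The two checks above (looking for affected laravel-lang packages published in the May 22-23 window, and reviewing which packages register autoload.files entries such as src/helpers.php) can both be run offline against a copy of composer.lock, since lock entries carry each package's release time and its autoload section. The following script is an added example written for this article; it is not code from the article, from Socket, StepSecurity, Aikido, or the Laravel-Lang project. The package names, the date window and the src/helpers.php path come from the article; the version strings, timestamps and the benign example/polyfill package in SAMPLE_LOCK are constructed for the demonstration.

```python
"""Triage a composer.lock for the laravel-lang backdoor window.

Added example, not code from the article or the affected project.
Two checks a responder can run offline against a copy of composer.lock:
  1. any laravel-lang/* package whose release "time" falls on 2026-05-22/23;
  2. every package that registers files under autoload.files, so unexpected
     entries such as src/helpers.php can be reviewed by hand.
Package names, the date window and the helpers.php path come from the
article; the version strings and timestamps in SAMPLE_LOCK are constructed.
"""
import json
from datetime import date, datetime, timezone

AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
WINDOW_START = date(2026, 5, 22)
WINDOW_END = date(2026, 5, 23)

# Constructed composer.lock fragment: one laravel-lang entry published before
# the window, one inside it that also registers an autoload file, and a
# constructed benign package that legitimately uses autoload.files.
# All version strings are placeholders, not real release numbers.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "laravel-lang/lang",
            "version": "0.0.1-constructed",
            "time": "2025-11-03T09:12:44+00:00",
            "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}},
        },
        {
            "name": "laravel-lang/attributes",
            "version": "0.0.2-constructed",
            "time": "2026-05-22T14:07:51+00:00",
            "autoload": {
                "psr-4": {"LaravelLang\\Attributes\\": "src/"},
                "files": ["src/helpers.php"],
            },
        },
        {
            "name": "example/polyfill",
            "version": "0.0.3-constructed",
            "time": "2024-09-09T11:45:10+00:00",
            "autoload": {"files": ["bootstrap.php"]},
        },
    ],
    "packages-dev": [],
})


def _release_date(entry):
    """UTC calendar date of a lock entry's 'time' field, or None if absent."""
    raw = entry.get("time")
    if not raw:
        return None
    return datetime.fromisoformat(raw).astimezone(timezone.utc).date()


def _all_packages(lock):
    """Composer splits runtime and dev dependencies; inspect both."""
    return lock.get("packages", []) + lock.get("packages-dev", [])


def suspect_lock_entries(lock_text):
    """Affected laravel-lang packages whose release time falls in the window."""
    hits = []
    for entry in _all_packages(json.loads(lock_text)):
        if entry.get("name") not in AFFECTED_PACKAGES:
            continue
        released = _release_date(entry)
        if released is not None and WINDOW_START <= released <= WINDOW_END:
            hits.append((entry["name"], entry.get("version"), entry["time"]))
    return hits


def autoload_file_entries(lock_text):
    """Every (package, path) Composer includes on each request via autoload.files.

    Legitimate packages (polyfills, helper libraries) use this mechanism too,
    so the list is for review rather than an alarm by itself; the article's
    indicator is src/helpers.php inside a laravel-lang package.
    """
    rows = []
    for entry in _all_packages(json.loads(lock_text)):
        for path in entry.get("autoload", {}).get("files", []):
            rows.append((entry["name"], path))
    return rows


if __name__ == "__main__":
    for name, version, when in suspect_lock_entries(SAMPLE_LOCK):
        print(f"IN WINDOW : {name} {version} (published {when})")
    for name, path in autoload_file_entries(SAMPLE_LOCK):
        print(f"AUTOLOADED: {name} -> {path}")
```

To run it against a real project, replace SAMPLE_LOCK with the contents of the project's composer.lock. A hit from suspect_lock_entries means the host installed a package from the window and the credential rotation described above applies; the autoload_file_entries output is meant to be read by a person, since polyfills and helper libraries register files the same way.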
Attribution and Broader Implications
The sophistication of this attack—organization-level compromise, automated mass publishing, cross-platform compatibility, and anti-forensic capabilities—indicates experienced threat actors. The timing of rapid successive publishes suggests automated tooling specifically designed for supply chain compromise at scale. The comprehensive credential targeting spanning cloud infrastructure, cryptocurrency, and development tools indicates either a financially motivated operation or preparation for broader follow-on attacks.
This incident underscores fundamental vulnerabilities in package publishing infrastructure. The apparent compromise of organization-level credentials enabled attackers to publish hundreds of malicious versions across multiple packages simultaneously. Without strong multi-factor authentication, code signing requirements, and automated security scanning in the publishing pipeline, package repositories remain vulnerable to similar attacks. Development teams must implement dependency pinning, automated vulnerability scanning, and zero-trust architectures that assume supply chain compromise as a baseline threat rather than an exceptional event.