惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
K
Kaspersky official blog
A
Arctic Wolf
Attack and Defense Labs
Attack and Defense Labs
L
LINUX DO - 热门话题
N
News | PayPal Newsroom
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Last Watchdog
The Last Watchdog
B
Blog RSS Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
W
WeLiveSecurity
Know Your Adversary
Know Your Adversary
博客园 - Franky
T
Tenable Blog
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Help Net Security
Help Net Security
WordPress大学
WordPress大学
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
D
Darknet – Hacking Tools, Hacker News & Cyber Security
H
Heimdal Security Blog
TaoSecurity Blog
TaoSecurity Blog
S
Security Affairs
J
Java Code Geeks
小众软件
小众软件
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Apple Machine Learning Research
Apple Machine Learning Research
NISL@THU
NISL@THU
O
OpenAI News
The Cloudflare Blog
月光博客
月光博客
Google Online Security Blog
Google Online Security Blog
V
V2EX
罗磊的独立博客
美团技术团队
博客园 - 三生石上(FineUI控件)
Security Latest
Security Latest
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
大猫的无限游戏
大猫的无限游戏

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
How My Docker Setup Saved Me From a Supply Chain Attack (And Why Yours Should Too)
Hermann D. Schimpf · 2026-05-26 · via DEV Community

Docker security shield


Versión en español aquí.


It's finally Friday! You leave work and go home to work on your side project (yep, that's me). You open your computer and start working on it by running composer update because you want to keep your dependencies up to date.

Next morning, you wake up to the news that a popular Laravel package you use has been compromised. Attackers injected a credential stealer into 233 versions, ready to exfiltrate your SSH keys, cloud credentials, browser data, crypto wallets—the whole digital enchilada 1. Panic sets in. You check your composer.lock. Your heart skips a beat. You have version 15.29.3 of laravel-lang/lang, one of the compromised versions 2.

Been there? I was, on May 22, 2026.

But here's the plot twist: When I dug deeper, I realized my Dockerized PHP setup had just become my unexpected bodyguard. Let me tell you how running PHP through Docker containers added a security layer I never planned for, and why you should consider it too.


1. The Attack: When composer update Goes Rogue

On May 22, 2026, attackers compromised the Laravel-Lang organization on GitHub. They didn't just publish a malicious version—they rewrote every git tag across four popular packages to point to their own commits. The payload? A credential stealer disguised as a harmless helper file that runs automatically via Composer's autoloader.

What it stole is nightmare fuel:

  • Cloud credentials (AWS, GCP, Azure)
  • SSH private keys
  • Browser passwords and cookies
  • Password manager vaults
  • Crypto wallets
  • .env files with secrets
  • And basically anything else that looks valuable

The attack hit during a 15-minute window and compromised 233 versions across four packages. If you ran composer update between 22:32 UTC and midnight on May 22, you might have invited a digital burglar into your machine.


2. My Setup: PHP in a Box

Here's how I run PHP and Composer on my local machine:

The php-docker script spins up a Docker container and runs PHP inside it:

  • Gets the current working directory from where the command is being executed (ex: ~/Projects/my-awesome-project)
  • Mounts the current working directory as a volume in the container and changes to it
  • Does NOT mount any other directory, like /tmp, /home, /root, etc.

/usr/local/bin/php-docker

#!/bin/bash

# get specified version and remove it from arguments
PHP_VERSION=$1
shift

# get the current working directory from where the command is being executed
ORIGIN_PWD="$PWD"
# move into the dockerized php project directory
cd "/opt/docker/php-fpm/" || exit

# execute the specified php version container
command docker compose run --rm --remove-orphans --quiet --quiet-build --quiet-pull \
  --interactive \
  # mount the origin execution directory and cd to it
  --volume "${ORIGIN_PWD}":"${ORIGIN_PWD}" \
  --workdir "${ORIGIN_PWD}" \
  php-fpm-"$PHP_VERSION" php "$@"

# go back to original directory
cd "$ORIGIN_PWD" || exit

Instead of the php binary, I have a small script that runs the php-docker script with the specified PHP version (obtained from the filename):

/usr/local/bin/php

#!/bin/bash

# get the version from the filename
PHP_VERSION=${0##*-}
# validate version format
if [ ${#PHP_VERSION} -ne 3 ]; then
  # fallback to latest stable version
  PHP_VERSION=8.5
fi

# execute php-docker specifying version and passing through arguments
command php-docker "$PHP_VERSION" "$@"

And multiple links to the same script:

$ ls /usr/local/bin/php*
/usr/local/bin/php
/usr/local/bin/php-5.6 -> php
/usr/local/bin/php-7.4 -> php
/usr/local/bin/php-8.0 -> php
...
/usr/local/bin/php-8.5 -> php
/usr/local/bin/php-docker -> /opt/docker/php-fpm/bin/php-docker

That way, any php-* cli execution will run inside the Docker container of the specified PHP version.

$ php -v
PHP 8.5.5 (cli) (built: Apr 18 2026 10:39:21) (ZTS)
Copyright (c) The PHP Group
Built by HDS Solutions
Zend Engine v4.5.5, Copyright (c) Zend Technologies
    with Xdebug v3.5.1, Copyright (c) 2002-2026, by Derick Rethans
    with Zend OPcache v8.5.5, Copyright (c), by Zend Technologies

$ php-7.4 -v
PHP 7.4.33 (cli) (built: Apr 18 2026 10:47:16) ( ZTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Xdebug v3.1.6, Copyright (c) 2002-2022, by Derick Rethans

My composer command follows the same pattern, everything runs inside Docker.

/usr/local/bin/composer

#!/bin/bash

PHP_VERSION=${0##*-}
if [ ${#PHP_VERSION} -ne 3 ]; then
  PHP_VERSION=8.5
fi

# execute php-docker specifying version and passing through arguments to composer cli
command php-docker "$PHP_VERSION" /usr/bin/composer "$@"

Why did I set this up? Originally to support multiple PHP versions, have ZTS builds, and easily migrate when you buy a new laptop. But as I would discover, this architectural choice had an unintended security benefit.


3. What Docker Protected Me From

When the Laravel-Lang payload executes, it hunts for credentials in specific locations. Here's what my Docker setup blocked:

a) Home Directory Secrets: Fort Knox Style

The stealer targets:

  • ~/.ssh/ - SSH private keys
  • ~/.aws/credentials - AWS credentials
  • ~/.config/gcloud/ - GCP credentials
  • ~/.azure/ - Azure credentials
  • .git-credentials, .netrc, .npmrc, .pypirc
  • Browser data (Chrome, Firefox profiles)
  • Password manager vaults (KeePass, 1Password)
  • Crypto wallets

Result: None of these exist in the container. The container's home directory is "empty". The attacker finds nothing.

/opt/docker/php-fpm/docker-compose.yml

services:
    php-fpm-8.5:
        container_name: php-fpm-zts-8.5
        domainname: php-fpm-8.5.vanilla
        build:
            args:
                user: ${USER:-http}
                uid: 33
                PHP_VERSION: 8.5
            context: ./docker
            dockerfile: common/Dockerfile
        volumes:
            - ./docker/common/php/00-php.ini:/usr/local/etc/php/conf.d/00-php.ini:ro
            - ./docker/common/php-fpm/www.conf:/usr/local/etc/php-fpm.d/www-docker.conf:ro
            - ./docker/8.5/home/.composer/cache:/home/http/.composer/cache:rw
            - ./docker/8.5/home/.composer/vendor:/home/http/.composer/vendor:rw

    php-fpm-8.4:
        container_name: php-fpm-zts-8.4
        domainname: php-fpm-8.4.vanilla
        build:
            args:
                user: ${USER:-http}
                uid: 33
                PHP_VERSION: 8.4
            context: ./docker
            dockerfile: common/Dockerfile
        ...

    php-fpm-8.3:
        container_name: php-fpm-zts-8.3
        ...

    ...

b) System-Level Secrets: Isolated

The payload also scans:

  • /etc/kubernetes/admin.conf - Kubernetes configs
  • /var/run/secrets/ - CI/CD secrets
  • System credential managers

Result: The container doesn't have access to host system directories. These are isolated.

c) Browser and Password Data: Nonexistent

The stealer looks for browser databases, password manager vaults, and crypto wallets.

Result: No browser, no password manager, no wallets in the container. Just PHP and your code.


4. What Docker Didn't Protect

Or why I'm not throwing a victory parade just yet

My Docker setup added a significant security layer, but it's not perfect. Here's what remains vulnerable:

a) Project Directory Secrets: The Open Door

The container mounts your project directory. If your .env file contains secrets, the stealer can read it:

.env

AWS_ACCESS_KEY_ID=1U0o...pzdZ
AWS_SECRET_ACCESS_KEY=KKaY...aKEd
REDIS_PASSWORD=XSFK...y4XV

Mitigation: Use local-only services (I'll explain in a moment).

b) External API Keys: Still at Risk

Your .env might contain external API keys:

  • Google Maps API keys
  • reCAPTCHA keys
  • Third-party service tokens

These get exfiltrated if the payload runs.

Mitigation: Rotate these keys if you ran composer during the attack window.


5. My Defense Strategy: Local-Everything

To minimize what the stealer could steal, I use local-only services for development (all of them also dockerized):

# .env configuration
DB_CONNECTION=dynamodb
DYNAMODB_ENDPOINT=http://localhost:8000  # Local DynamoDB

BROADCAST_CONNECTION=pusher
PUSHER_HOST=soketi.vanilla  # Local Soketi instance

REDIS_HOST=redis-8.6.vanilla  # Local Redis
REDIS_PASSWORD=a3BM...6nys

AWS_ENDPOINT=https://minio.vanilla  # Local MinIO
AWS_ACCESS_KEY_ID=0onp...ZHjn
AWS_SECRET_ACCESS_KEY=fzfK...Aear

Why this works: Even if these credentials get stolen, they're useless to an attacker. They only work against localhost or my local network domains (*.vanilla). The attacker can't reach my local development infrastructure.

What I keep external: Google Maps API key, reCAPTCHA keys. These are the weak points, but they're low-risk compared to cloud provider credentials.


6. The Verdict: Docker as Security Layer

My Docker setup wasn't designed for security, it was designed for consistency across PHP versions and easy laptop migration. But that architectural choice provided significant protection against this supply chain attack, completely by accident.

When I first discovered my version was compromised, I felt that familiar cold sweat. I checked my SSH keys, my AWS credentials, my browser data—everything was there. My heart rate slowly returned to normal as I realized: the payload had run, but it had nowhere to look.

If I had been running PHP directly on my host machine, the story would have been very different. The stealer would have found my SSH keys, my cloud credentials, my browser passwords, maybe even my crypto wallet. That's not just a security breach—that's identity theft waiting to happen.

What Docker gave me:

  • Isolation from home directory secrets—my SSH keys, AWS credentials, and browser data live outside the container
  • No access to system-level credentials—Kubernetes configs, CI/CD secrets, and system credential managers are unreachable
  • No browser or password manager data—there's no Chrome, Firefox, or KeePass inside the container
  • Containerized execution that limits what the payload can see—the attacker gets a sterile environment with nothing valuable

What Docker didn't give me:

  • Protection against .env file secrets in project directory—if I had production credentials there, they'd be gone
  • Protection against environment variable leaks—secrets passed to the container are still accessible
  • Protection against external API key theft—Google Maps and reCAPTCHA keys would still be exfiltrated

The bottom line: Docker reduced my attack surface significantly. Instead of losing SSH keys, cloud credentials, browser data, and crypto wallets, the worst-case scenario would be losing local development credentials and a few API keys. That's the difference between "my weekend is ruined" and "my life is ruined".


7. How to sleep better at night: Harden Your Setup

If you're not running PHP/Composer in Docker, consider it. The consistency benefits alone are worth it, and the security upside is a nice bonus. If you are already using Docker, here's how to make it even more secure:

a) Never Mount Home Directory

Obvious, but critical. Your home directory contains the crown jewels: SSH keys, cloud credentials, browser data, password managers. If you mount it, you're inviting the attacker into your house.

b) Use Local-Only Services for Development

Don't use production cloud credentials in development. Run local instances of everything:

  • Databases (MySQL, PostgreSQL, DynamoDB Local)—Docker Compose makes this trivial
  • Redis—spin up a container, never touch a real Redis instance
  • Object storage (MinIO for S3-compatible)—mocks AWS S3 behavior locally
  • Message queues—local RabbitMQ or equivalent

The goal: if credentials leak, they're useless because they only work against localhost.

c) Separate .env Files

Keep .env out of version control (obviously). Use different .env files for local, staging, and production. Never, ever commit your secrets. If you do by accident, rotate them immediately.

Git history is forever.

d) Don't Pass Secrets via Environment Variables

For development, use local services. For production, use secret management systems (e.g., AWS Secrets Manager). Passing secrets via environment variables is convenient, but it's also leaky-process lists, debugging tools, and logging frameworks can expose them.

e) Monitor for IOCs

If you want to know if you were affected, look for:

  • Network traffic to flipboxstudio[.]info—if you have traffic logging (e.g., I use Pi-Hole 3)
  • Files in /tmp/.laravel_locale/—the dropper writes infection markers here
  • Suspicious PHP processes—orphaned PHP processes with no parent are a red flag

f) Lock Your Dependencies

Use composer.lock and verify commit SHAs. The attack rewrote tags, locked commit SHAs from before the attack window are safe. When you pull dependencies, check the commit SHA matches what you expect.

Also, a good practice is to run composer outdated, manually go through the CHANGELOG of each package, and after reviewing the changes, update the package to the latest version. If the changes don't add any needed features, or fix any security vulnerabilities, you can safely ignore the update.


8. What's Next?

Docker isn't a silver bullet, but it's a powerful layer in your security strategy. The Laravel-Lang attack showed us that supply chain attacks are real, sophisticated, and increasingly common.

In my case, a decision made for development consistency became a security feature. I set up Docker to manage multiple PHP versions and ZTS builds, but I accidentally built a security bunker.

Sometimes the best security is the kind you didn't know you had.

But here's the thing: Docker is just one piece of the puzzle. You also need dependency locking, secret management, network monitoring, and a healthy dose of paranoia. Security isn't a destination, it's a journey, and supply chain attacks are just one hazard along the way.

The next time you're setting up a development environment, think about the security implications of your choices. Docker, local services, isolated networks, these aren't just conveniences. They're armor.

And if you're still running PHP directly on your host machine? Well, maybe it's time to put it in a box. Your future self might thank you.


Question for you: Do you run your development tools in Docker or directly on your host? Have you ever considered the security implications of that choice? Share below, I'm curious how others handle this.


  1. https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer ↩

  2. https://x.com/AikidoSecurity/status/2057959626692526098 ↩

  3. https://pi-hole.net/ ↩