On May 22, 2026, researchers at Aikido Security, Socket, and StepSecurity uncovered a sophisticated attack against the PHP ecosystem: four packages from the laravel-lang project were backdoored with credential-stealing malware that executes automatically the moment the package is installed via Composer.
What Happened
Attackers gained access to the GitHub repositories using a leaked GitHub Personal Access Token (PAT), likely obtained from an earlier GitHub data breach. With that access they moved every existing release tag across four laravel-lang repositories so that each tag pointed at a malicious commit in a fork they controlled. 233 versions were retagged directly, and approximately 700 historical versions were affected in total.
The technique is particularly dangerous because commits pushed to a fork live in the same GitHub repository network as the upstream project, so an upstream tag can be moved onto them without any new commit appearing in the upstream branch history. Packagist resolves versions from those tags, so any developer running composer require or composer update (or composer install without a committed composer.lock) received the malicious code even though the package name and version number looked completely legitimate. Projects that ran composer install against an existing composer.lock kept fetching the commit reference recorded in the lock, which is why a committed lock file limited exposure.
Affected Packages
- laravel-lang/lang — the main Laravel localization library (7,800+ GitHub stars)
- laravel-lang/http-statuses — HTTP status code translations
- laravel-lang/attributes — Eloquent attribute translations
- laravel-lang/actions — common action translations
Attack Mechanism
The initial infection vector was a src/helpers.php file added to each package and registered in composer.json under the autoload.files key. Unlike PSR-4 classes, which are loaded on demand, autoload.files entries are required unconditionally every time vendor/autoload.php is loaded, so the malicious code runs on every PHP request from the moment the package is installed, with no further action from the developer.
The Stage 1 dropper fingerprints the system using file paths, hostname, and inode hashes, writes a persistence marker to the temp directory, and obfuscates the C2 domain in integer arrays before contacting the attacker's infrastructure. On Windows it drops a .vbs launcher; on Linux/macOS it uses exec() for background execution.
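A triage script for the mechanism described above, added here as an example in Python rather than code from the laravel-lang project or the reporting vendors. It parses a composer.lock and reports the four affected packages if present, every package that registers autoload.files entries (the unconditional-execution hook the attackers used), and locked releases whose recorded commit time falls inside the attack window, which is a heuristic for a tag that was moved onto a fresh commit: Packagist records the tagged commit's time, so an old version string carrying a May 2026 commit time deserves a look. The embedded lock content is constructed for the example; its hashes, times, and version strings are invented and are not indicators from the incident.

```python
"""Triage a Composer project for the laravel-lang tag-rewrite compromise.

Added example, not tooling from the laravel-lang project or the reporting
vendors. Reads composer.lock (path as argv[1], or the constructed sample
below) and reports affected packages, autoload.files hooks, and releases
whose tagged commit time lies inside the attack window.
"""
import json
from datetime import datetime, timezone

AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
# Attack window from the advisory timeline, padded to the day Packagist
# pulled the versions so late stragglers are not missed.
WINDOW_START = datetime(2026, 5, 22, 22, 32, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 24, 0, 0, tzinfo=timezone.utc)

# Constructed sample lock: hashes, times and versions are invented.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "laravel-lang/lang",
            "version": "14.5.0",
            "source": {"type": "git",
                       "url": "https://github.com/Laravel-Lang/lang.git",
                       "reference": "0000000000000000000000000000000000000001"},
            "time": "2026-05-22T23:10:00+00:00",
            "autoload": {"files": ["src/helpers.php"],
                         "psr-4": {"LaravelLang\\Locales\\": "src"}},
        },
        {
            "name": "monolog/monolog",
            "version": "3.5.0",
            "source": {"type": "git",
                       "url": "https://github.com/Seldaek/monolog.git",
                       "reference": "0000000000000000000000000000000000000002"},
            "time": "2023-10-27T15:32:00+00:00",
            "autoload": {"psr-4": {"Monolog\\": "src/Monolog"}},
        },
    ],
    "packages-dev": [],
})


def load_lock(text):
    """Return all locked packages, production and dev, as one list."""
    data = json.loads(text)
    return data.get("packages", []) + data.get("packages-dev", [])


def affected_packages(packages):
    return sorted(p["name"] for p in packages if p["name"] in AFFECTED)


def autoload_files(packages):
    """Map package name -> files Composer includes on every autoloader load."""
    return {p["name"]: list(p["autoload"]["files"])
            for p in packages if p.get("autoload", {}).get("files")}


def committed_in_window(packages, start=WINDOW_START, end=WINDOW_END):
    """Heuristic: releases whose tagged commit time lies inside the window."""
    hits = []
    for p in packages:
        stamp = p.get("time")
        if not stamp:
            continue
        when = datetime.fromisoformat(stamp)
        if when.tzinfo is None:  # assume UTC for naive stamps
            when = when.replace(tzinfo=timezone.utc)
        if start <= when <= end:
            hits.append((p["name"], p["version"], p["source"]["reference"]))
    return hits


def triage(lock_text):
    packages = load_lock(lock_text)
    return {
        "affected": affected_packages(packages),
        "autoload_files": autoload_files(packages),
        "committed_in_window": committed_in_window(packages),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Run it against each project's composer.lock; every package listed under autoload_files deserves a glance at the named file, and any committed_in_window entry for an old version string should be compared against the commit the tag pointed at before May 22.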
Payload Analysis
The Stage 2 stealer contains approximately 5,900 lines of PHP code organized into 15 specialized collection modules. Its capabilities include:
- Cloud credentials: AWS, GCP, Azure keys, Kubernetes tokens, Vault
- Repository credentials: SSH, Git, GitHub, GitLab, Bitbucket
- CI/CD data: environment variables, pipeline tokens
- 17+ browser types (Chrome, Firefox, Brave, Edge, etc.)
- Cryptocurrency wallets: Bitcoin, Ethereum, Monero
- Password managers
- Communication platforms: Slack, Discord
- .env files and API tokens for Stripe, PayPal, and similar services
- VPN configurations and SSH keys
All exfiltrated data is encrypted with AES-256 before transmission to the C2 server (flipboxstudio[.]info, endpoints /payload and /exfil). The Stage 2 stealer then self-deletes to hinder forensic analysis; the installed package files under vendor/, the composer.lock that recorded the install, and the Stage 1 persistence marker in the temp directory are the artifacts that remain, so preserve them before rebuilding.
Timeline
- May 22, 2026, 22:32 UTC: Attack begins against laravel-lang/lang
- May 23, 2026, 00:00 UTC: Attack complete; laravel-lang/actions compromised
- May 23, 2026: Aikido Security, Socket, and StepSecurity report the incident to Packagist
- May 23, 2026: Packagist removes the malicious versions and temporarily unlists the affected packages
- May 25, 2026: Advisory updated with additional findings
What You Should Do Now
- Treat the environment as compromised. If you installed or updated any of the four packages between May 22 and 23, 2026, assume every credential readable from that host (not only from the PHP process) has been stolen; the stealer collects from browsers, wallets, and shell and VPN configuration as well as from the application.
- Rotate all credentials: AWS/GCP/Azure keys, Kubernetes and Vault tokens, GitHub/GitLab tokens, Stripe/PayPal tokens, SSH keys, database passwords, and every secret stored in .env files. Rotate from a clean machine, since the compromised host may still be running the payload.
- Do not reinstall these packages until the laravel-lang project confirms repository integrity and Packagist restores the listings.
- Block the C2 domain flipboxstudio[.]info at your egress firewall, DNS resolver, and outbound proxy.
- Audit DNS, proxy, and firewall logs for connections to that domain, including requests to /payload and /exfil, since May 22, 2026.
- Review SCM permissions, revoke long-lived Personal Access Tokens in favour of fine-grained or short-lived ones, and enforce hardware-backed MFA (FIDO2) on all accounts with write access to repositories.
- Rebuild from clean images any servers that were running the affected code, after preserving a disk image if you need forensic evidence.
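The log audit in the steps above, as an added Python example that is not part of the advisory. It scans egress-proxy log lines for the reported C2 indicators from the start of the attack window, classifies each hit by the endpoint contacted, and lists the client hosts that need rebuilding. The log format is constructed for the example (ISO-8601 timestamp, client IP, method, URL or CONNECT target per line); adapt parse_line() to your proxy or DNS log. The domain is kept defanged in the constant and re-armed in code so the indicator is not clickable in this page.

```python
"""Hunt egress logs for the C2 indicators reported for this incident.

Added example, not from the advisory authors. The log lines are constructed;
the indicators (domain and /payload, /exfil endpoints) come from the advisory.
"""
from datetime import datetime, timezone

C2_DOMAIN = "flipboxstudio[.]info".replace("[.]", ".")  # re-arm the defanged IOC
ATTACK_START = datetime(2026, 5, 22, 22, 32, tzinfo=timezone.utc)

# Constructed proxy log: <iso8601 timestamp> <client> <method> <target>
SAMPLE_LOG = """\
2026-05-22T21:58:11+00:00 10.0.4.12 GET https://packagist.org/packages/laravel-lang/lang.json
2026-05-22T22:41:03+00:00 10.0.4.12 CONNECT flipboxstudio.info:443
2026-05-22T22:41:04+00:00 10.0.4.12 POST https://flipboxstudio.info/payload
2026-05-22T22:41:09+00:00 10.0.4.12 POST https://flipboxstudio.info/exfil
2026-05-23T03:15:27+00:00 10.0.4.20 GET https://api.github.com/repos/Laravel-Lang/lang/zipball/abc
2026-05-20T09:00:00+00:00 10.0.4.30 GET https://flipboxstudio.info/
"""


def parse_line(line):
    ts, client, method, target = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method, target


def host_of(target):
    """Host from a URL or from a CONNECT host:port target (IPv4/hostnames only)."""
    if "://" in target:
        target = target.split("://", 1)[1]
    host = target.split("/", 1)[0]
    return (host.rsplit(":", 1)[0] if ":" in host else host).lower()


def path_of(target):
    """URL path, or '' for a CONNECT target that carries no path."""
    if "://" not in target:
        return ""
    rest = target.split("://", 1)[1]
    return "/" + rest.split("/", 1)[1] if "/" in rest else "/"


def matches_c2(host):
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)


def stage_of(path):
    if path.startswith("/exfil"):
        return "exfil"      # stolen data leaving the host
    if path.startswith("/payload"):
        return "payload"    # Stage 2 stealer being fetched
    return "contact"        # TLS CONNECT or other contact with the C2


def hunt(log_text, since=ATTACK_START):
    """Return C2 hits at or after `since` (None disables the time filter)."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, method, target = parse_line(raw)
        if since is not None and ts < since:
            continue
        if not matches_c2(host_of(target)):
            continue
        hits.append({"time": ts.isoformat(), "client": client,
                     "method": method, "stage": stage_of(path_of(target))})
    return hits


def clients_to_rebuild(hits):
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h)
    print("rebuild:", clients_to_rebuild(found))
```

A "payload" hit followed by an "exfil" hit from the same client is the full chain; a lone "contact" from a TLS-only proxy log still means the host reached the C2 and should be treated the same way.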
Lessons for PHP Teams
This attack highlights a fundamental risk in the modern package model: a package name and version number identify nothing on their own, because the tag behind them can be moved. Teams should commit composer.lock and deploy with composer install so that builds use the commit reference recorded in the lock rather than re-resolving tags, review the composer.lock diff on every update (a new autoload.files entry, or a changed source reference for an unchanged version number, is a red flag), run composer audit, verify package integrity with tools like Socket or Aikido, and regularly audit transitive dependencies in their Laravel projects.