Supply Chain Attack Hijacks Laravel Lang Packages to Deploy Credential‑Stealing Malware
What Happened – Attackers rewrote GitHub tags in four Laravel Lang localization repositories, causing Composer to pull malicious commits that install a cross‑platform credential‑stealer. The malicious code is delivered via a hidden src/helpers.php file that drops a second payload harvesting cloud, CI/CD, SSH, browser, and wallet credentials.
Why It Matters for TPRM –
- Third‑party PHP packages are a common dependency in SaaS, e‑commerce, and internal web applications; a compromised package can silently exfiltrate privileged secrets.
- The attack exploits a GitHub feature rather than a code change, making detection by traditional code‑review processes difficult.
- Organizations that rely on Composer for automated builds may have already propagated the malware across multiple environments.
Who Is Affected – Web‑application developers and their downstream customers across Technology / SaaS, E‑commerce, FinTech, and any sector that builds PHP applications using Composer.
Recommended Actions –
- Immediately audit Composer lockfiles for any of the affected Laravel Lang packages and revert to known‑good versions.
- Enforce signed package verification (e.g., Composer’s
--verifyflag or a trusted package registry). - Rotate all credentials that may have been harvested (cloud API keys, CI/CD tokens, SSH keys, etc.).
- Review GitHub organization permissions; enforce least‑privilege and enable 2FA for all contributors.
Technical Notes – Attack vector: Third‑party dependency via Git tag rewrite (no new version published). No CVE assigned yet. Malware payload downloads additional PHP dropper from flipboxstudio.info, stealing cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, crypto wallets, password manager entries, VPN configs, and .env files. Source: BleepingComputer