HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Supply Chain Attack Hijacks Laravel Lang Packages to Deploy Credential‑Stealing Malware

Attackers rewrote GitHub tags in four Laravel Lang localization packages, causing Composer to install a hidden credential‑stealer that harvests cloud, CI/CD, and personal secrets. The supply‑chain compromise puts any PHP application that depends on these packages at risk.

LiveThreat™ Intelligence · 📅 May 24, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Supply Chain Attack Hijacks Laravel Lang Packages to Deploy Credential‑Stealing Malware

What Happened – Attackers rewrote GitHub tags in four Laravel Lang localization repositories, causing Composer to pull malicious commits that install a cross‑platform credential‑stealer. The malicious code is delivered via a hidden src/helpers.php file that drops a second payload harvesting cloud, CI/CD, SSH, browser, and wallet credentials.

Why It Matters for TPRM

  • Third‑party PHP packages are a common dependency in SaaS, e‑commerce, and internal web applications; a compromised package can silently exfiltrate privileged secrets.
  • The attack exploits a GitHub feature rather than a code change, making detection by traditional code‑review processes difficult.
  • Organizations that rely on Composer for automated builds may have already propagated the malware across multiple environments.

Who Is Affected – Web‑application developers and their downstream customers across Technology / SaaS, E‑commerce, FinTech, and any sector that builds PHP applications using Composer.

Recommended Actions

  • Immediately audit Composer lockfiles for any of the affected Laravel Lang packages and revert to known‑good versions.
  • Enforce signed package verification (e.g., Composer’s --verify flag or a trusted package registry).
  • Rotate all credentials that may have been harvested (cloud API keys, CI/CD tokens, SSH keys, etc.).
  • Review GitHub organization permissions; enforce least‑privilege and enable 2FA for all contributors.

Technical Notes – Attack vector: Third‑party dependency via Git tag rewrite (no new version published). No CVE assigned yet. Malware payload downloads additional PHP dropper from flipboxstudio.info, stealing cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, crypto wallets, password manager entries, VPN configs, and .env files. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →