Supply Chain Attack Compromises Laravel‑Lang PHP Packages, Deploys Cross‑Platform Credential Stealer
What Happened — Researchers discovered that four popular Laravel‑Lang PHP packages were hijacked on Packagist, inserting malicious code that harvests credentials from any application that installs the tainted versions. The malicious payload runs on Windows, macOS and Linux, exfiltrating usernames, passwords and API keys to attacker‑controlled servers.
Why It Matters for TPRM —
- Third‑party code libraries are a common vector for credential theft, exposing downstream customers to data loss.
- Compromise of a widely‑used open‑source component can affect thousands of SaaS and on‑premise applications across multiple sectors.
- Detecting malicious package updates is difficult without dedicated supply‑chain monitoring, increasing blind‑spot risk for vendors.
Who Is Affected — Web‑application developers, SaaS providers, and any organization that integrates Laravel‑Lang packages (e.g., finance, healthcare, e‑commerce, tech).
Recommended Actions —
- Immediately audit all environments for installed versions of the four compromised packages.
- Revert to known‑good releases and regenerate any credentials that may have been exposed.
- Implement automated SBOM checks and package‑integrity verification (e.g., sigstore, provenance).
- Review vendor risk policies to require supply‑chain security controls for open‑source dependencies.
Technical Notes — The attack leveraged a compromised Packagist account to publish malicious tags. The injected code uses native PHP functions to locate credential files, browser‑saved passwords, and environment variables, then sends them via HTTPS to a C2 domain. No CVE has been assigned yet; the vulnerability is a supply‑chain mis‑configuration. Source: The Hacker News