Laravel Lang Supply Chain Attack Deploys Credential-Stealing Malware
A supply chain attack has compromised the Laravel Lang localization packages, affecting four repositories and potentially hundreds of historical versions. Security researchers at StepSecurity, Aikido Security, and Socket identified the campaign on May 23, 2026, after discovering that attackers had rewritten GitHub version tags across the laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions repositories. The attack impacted approximately 233 versions across three of the repositories, with roughly 700 historical versions potentially affected in total. Because only the tags were moved, the malicious code appeared as legitimate, already-published releases without any malicious commit showing up in the projects' own branch history. The Laravel Lang packages are third-party localization tools and are not part of the official Laravel framework, though they are widely used by Laravel developers worldwide.
The attackers abused the way GitHub stores forks: commits pushed to a fork share the upstream repository's object store, so a tag in the upstream repository can be pointed at a commit that was never merged, or even pushed, to the upstream branches. Rather than publishing new malicious versions, they force-updated existing git tags to redirect to malicious commits held in an attacker-controlled fork. According to StepSecurity's analysis, the rewrites began at 22:32 UTC against laravel-lang/lang (the flagship package, with 502 tags) and completed by 00:00 UTC against laravel-lang/actions. All four repositories showed the same fake author identity, identical modified files, and consistent payload behavior, indicating one threat actor with organization-wide push access obtained through compromised credentials. Composer resolves a version string to whatever commit its tag currently points at, so developers who resolved the affected versions after the rewrite (a fresh install without a lock file, or a composer update) downloaded malicious code that looked like ordinary Laravel Lang releases. A project that installed strictly from a composer.lock generated before the rewrite kept the original commit, because the lock file records the commit SHA in source.reference and dist.reference rather than the tag name; checking that SHA, not the version number, is the way to tell which code a given host actually received.
The malicious releases introduced a file named 'src/helpers.php' registered under the package's autoload.files entry, which Composer includes every time vendor/autoload.php is loaded, so it ran on every web request, queue job, and artisan command of an affected application. This dropper connected to a command and control server at flipboxstudio[.]info to download a second-stage payload, a cross-platform credential stealer targeting Linux, macOS, and Windows systems. The malware harvests an extensive range of sensitive data including cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local .env configuration files. It also includes regex patterns specifically designed to extract AWS keys, GitHub tokens, and Slack tokens. Developers should immediately check composer.lock and vendor/composer/installed.json for the affected packages, treat any host or CI runner that loaded an affected version as compromised, and rotate every credential the stealer targets (cloud keys, CI/CD secrets, API tokens, SSH keys, and the contents of .env files), since changing passwords alone does not revoke stolen tokens and keys.
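The following triage script is an added example and is not code from the affected project, from Laravel, or from the researchers cited above. It covers the two checks the article implies: for the tag rewrite, it compares the commit SHA recorded in composer.lock against a known-good map that you must build yourself from the upstream repositories (the shas and version numbers in the sample data are constructed placeholders, not real Laravel Lang releases); for the dropper, it lists every package that registers a files autoload and flags a laravel-lang package shipping src/helpers.php, and it searches file contents for the C2 domain. It runs offline on constructed samples of installed.json, composer.lock, and a vendor tree; point the functions at your real files to use it.

```python
"""Offline triage for the Laravel Lang tag-rewrite incident (added example).

Works on three artifacts every Composer project already has:
  vendor/composer/installed.json  (what is actually installed, with autoload rules)
  composer.lock                   (the commit each package resolved to)
  the PHP files under vendor/     (searched for the C2 domain)
Sample inputs below are constructed for the demo; the known-good commit map
is a hypothetical input you build from the upstream repositories yourself.
"""
import json
import re

AFFECTED_VENDOR = "laravel-lang/"          # the compromised GitHub organization
DROPPER_FILE = "src/helpers.php"           # file introduced by the malicious releases
# Matches the plain domain and the bracket-defanged form used in write-ups.
C2_RE = re.compile(r"flipboxstudio\s*(?:\.|\[\.\])\s*info", re.IGNORECASE)


def _installed_packages(installed_json_text):
    """installed.json is a bare list (Composer 1) or {'packages': [...]} (Composer 2)."""
    data = json.loads(installed_json_text)
    return data["packages"] if isinstance(data, dict) else data


def find_files_autoloads(installed_json_text):
    """Return (name, version, file, suspicious) for every 'files' autoload entry.

    Files autoloads execute on every load of vendor/autoload.php, which is how
    the dropper ran. Many legitimate packages use them (polyfills, helpers), so
    the list is for review; only a laravel-lang package shipping the dropper
    path is flagged as suspicious.
    """
    hits = []
    for pkg in _installed_packages(installed_json_text):
        for f in pkg.get("autoload", {}).get("files", []):
            path = f.replace("\\", "/").lstrip("./")
            suspicious = pkg["name"].startswith(AFFECTED_VENDOR) and path == DROPPER_FILE
            hits.append((pkg["name"], pkg.get("version", "?"), f, suspicious))
    return hits


def lock_references(lock_text, known_good):
    """Classify each laravel-lang package in composer.lock as ok/mismatch/unknown.

    A rewritten tag keeps the version string but changes the commit, so the
    version proves nothing; source.reference (or dist.reference) is the commit
    Composer actually fetched. known_good maps (name, version) -> expected sha.
    """
    lock = json.loads(lock_text)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if not pkg["name"].startswith(AFFECTED_VENDOR):
            continue
        ref = pkg.get("source", {}).get("reference") or pkg.get("dist", {}).get("reference")
        expected = known_good.get((pkg["name"], pkg["version"]))
        if expected is None:
            findings[pkg["name"]] = "unknown"
        else:
            findings[pkg["name"]] = "ok" if ref == expected else "mismatch"
    return findings


def scan_for_c2(files):
    """Return sorted paths whose text mentions the C2 domain. files is {path: text}."""
    return sorted(path for path, text in files.items() if C2_RE.search(text))


# ---- constructed sample data (versions, shas and file bodies are placeholders) ----
SAMPLE_INSTALLED = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "1.0.0",
     "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}, "files": ["src/helpers.php"]}},
    {"name": "laravel-lang/attributes", "version": "2.0.0",
     "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"}}},
    {"name": "symfony/polyfill-mbstring", "version": "v1.0.0",
     "autoload": {"files": ["bootstrap.php"]}},   # legitimate files autoload
]})
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "1.0.0",
     "source": {"type": "git", "url": "https://github.com/laravel-lang/lang.git", "reference": "b" * 40}},
    {"name": "laravel-lang/attributes", "version": "2.0.0",
     "source": {"type": "git", "url": "https://github.com/laravel-lang/attributes.git", "reference": "c" * 40}},
    {"name": "symfony/polyfill-mbstring", "version": "v1.0.0",
     "source": {"type": "git", "url": "https://github.com/symfony/polyfill-mbstring.git", "reference": "d" * 40}},
], "packages-dev": []})
KNOWN_GOOD = {("laravel-lang/lang", "1.0.0"): "a" * 40,          # lock has b...: mismatch
              ("laravel-lang/attributes", "2.0.0"): "c" * 40}    # lock has c...: ok
SAMPLE_FILES = {
    "vendor/laravel-lang/lang/src/helpers.php":
        "<?php\n// constructed stand-in, not the real dropper\n$host = 'flipboxstudio.info';\n",
    "vendor/laravel-lang/attributes/src/Locales.php":
        "<?php\nnamespace LaravelLang\\Attributes;\n",
}

if __name__ == "__main__":
    for name, version, f, suspicious in find_files_autoloads(SAMPLE_INSTALLED):
        print(("SUSPICIOUS " if suspicious else "files-autoload ") + f"{name} {version}: {f}")
    print("lock check:", lock_references(SAMPLE_LOCK, KNOWN_GOOD))
    print("C2 mentions:", scan_for_c2(SAMPLE_FILES))
```

The files-autoload listing deliberately includes legitimate entries such as symfony/polyfill-mbstring's bootstrap.php; the point is to see everything that executes unconditionally at autoload time, then flag what should not be there. A "mismatch" from lock_references means the host fetched a different commit than the one you have recorded as good for that version, which is exactly the signature of a moved tag; "unknown" only means you have not yet recorded a reference for that version.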