Laravel Lang packages hijacked to deploy credential-stealing malware
A supply chain attack targeted the Laravel Lang localization packages by abusing GitHub version tags to distribute credential-stealing malware via Composer packages. Attackers rewrote existing Git tags to point to malicious commits in attacker-controlled forks, causing developers to unknowingly install malware. The malicious payload included a PHP dropper that fetched a cross-platform credential stealer targeting cloud credentials, secrets, SSH keys, browser data, cryptocurrency wallets, and other sensitive information. On Windows, the malware also deployed an executable named DebugElevator to extract browser encryption keys. The compromised packages were removed and temporarily unlisted by Packagist after the incident was reported. Developers are advised to review installed package versions, rotate exposed credentials, and inspect for compromise indicators.
AI Analysis
Technical Summary
Attackers compromised four Laravel Lang repositories by rewriting existing GitHub tags to point to malicious commits in forks, distributing malware through Composer packages without modifying the original source code. The malicious releases introduced a PHP helper file loaded automatically by Composer, which downloaded a second payload from a command and control server. This payload is a credential stealer targeting multiple platforms and harvesting a wide range of sensitive credentials and secrets, including cloud and developer environment data. On Windows, an embedded executable extracts browser encryption keys. The attack relied on the ability to rewrite Git tags on GitHub to pass off malicious commits as legitimate releases. Packagist responded by removing malicious versions and unlisting affected packages.
Potential Impact
Developers installing affected Laravel Lang packages risked infection by sophisticated credential-stealing malware capable of harvesting cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local environment files. The malware exfiltrates encrypted stolen data to an attacker-controlled server. This compromises developer environments and potentially any connected infrastructure or services relying on exposed credentials. The attack did not alter project source code but abused GitHub tag functionality, which makes detection harder.
Mitigation Recommendations
Packagist has removed the malicious package versions and temporarily unlisted the affected Laravel Lang packages to prevent further installations. Developers should review their installed Laravel Lang package versions for signs of compromise, rotate any potentially exposed credentials, and inspect systems for indicators of compromise. Additionally, checking for historical outbound connections to the attacker's command and control server (flipboxstudio[.]info) is recommended. No official patch is applicable since the attack exploited repository tag manipulation rather than a software vulnerability.
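The two review steps above, listing which Laravel Lang packages a project pins (and at which Git commit, since the attack moved tags rather than changing code) and searching proxy logs for the command and control domain, as an added example that is not from the article, the Laravel Lang project or Packagist. The composer.lock excerpt, its versions and commit hashes, and the log lines are constructed; only the domain comes from the advisory above.

```python
import json
import re

# Constructed composer.lock excerpt (placeholder versions and commit hashes,
# not indicators from the real incident).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/common", "version": "6.7.0",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/common.git",
                    "reference": "0123456789abcdef0123456789abcdef01234567"}},
        {"name": "monolog/monolog", "version": "3.5.0",
         "source": {"type": "git", "url": "https://github.com/Seldaek/monolog.git",
                    "reference": "fedcba9876543210fedcba9876543210fedcba98"}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/lang", "version": "15.5.0",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
                    "reference": "89abcdef0123456789abcdef0123456789abcdef"}},
    ],
})


def laravel_lang_packages(lock_text):
    """Return (name, version, commit reference, source url) for every
    laravel-lang/* package in a composer.lock, prod and dev sections alike.
    The commit reference is what to compare against the maintainers' own
    history: a tag that resolves to a commit not on their branches is suspect."""
    lock = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg["name"].lower().startswith("laravel-lang/"):
                src = pkg.get("source", {})
                found.append((pkg["name"], pkg["version"],
                              src.get("reference"), src.get("url")))
    return found


# Command and control domain named in the advisory (written defanged there).
C2_DOMAIN = "flipboxstudio.info"
# Match the domain or any subdomain as a whole label sequence, so that
# look-alikes such as "notflipboxstudio.info" or "flipboxstudio.information"
# do not produce false positives.
C2_RE = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(C2_DOMAIN) + r"(?![\w-])",
                   re.IGNORECASE)


def find_c2_hits(log_lines):
    """Return the proxy/DNS log lines that reference the C2 domain."""
    return [line for line in log_lines if C2_RE.search(line)]
```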
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/ (fetched 2026-05-26, 933 words)
Added to database: 5/26/2026, 7:28:06 PM
Last enriched: 5/26/2026, 7:29:30 PM
Last updated: 5/26/2026, 9:13:42 PM