A sophisticated supply chain attack has compromised the widely-used Laravel-Lang PHP localization ecosystem, injecting credential-stealing backdoors into 233 package versions across 700 GitHub repositories. Discovered in May 2026 by researchers at Socket and Aikido, the campaign exploited GitHub’s version tagging system to silently distribute malware through Composer, the PHP package manager that Laravel applications depend on — without touching a single line of source code in the official repositories.
How the Attack Worked
Rather than committing malicious code directly to the Laravel-Lang repositories — where it would be visible in git history and code review — the attackers took a more subtle approach. They exploited GitHub’s version tagging system to redirect legitimate release tags toward a malicious fork. When developers ran composer install or composer update, Composer resolved the tampered tags and downloaded the malicious version instead of the genuine package.
The malicious payload was injected into src/helpers.php, a file that executes automatically on every page load via Laravel’s autoload.files Composer directive. This meant that any application using an affected Laravel-Lang package would silently execute the malware on startup — with full web application permissions — without any visible indication of compromise.
Multi-Stage Payload: Dropper and Credential Stealer
The initial infection stage uses a stealthy dropper that masquerades as a standard localization helper function. It fingerprints the host system, creates a temporary marker file to prevent redundant executions, disables SSL verification, and silently fetches a secondary script from an obfuscated command-and-control server at flipboxstudio[.]info.
The second-stage payload is an extensive PHP credential stealer containing 15 specialized collector modules. It targets a comprehensive range of developer secrets:
- Cloud access keys for AWS, GCP, Azure, and DigitalOcean
- Kubernetes profiles, Docker authentication tokens, and HashiCorp Vault secrets
- SSH private keys, Git credentials, and shell history files
- Saved browser passwords, cryptocurrency wallets, and password manager databases
- Infrastructure configuration files and CI/CD pipeline secrets
After harvesting, all stolen data is encrypted with AES-256 and exfiltrated to the attacker’s infrastructure. The stealer then deletes itself to hinder forensic detection. Execution methods vary by OS: Linux and macOS use background exec("php ...") calls, while Windows generates a .vbs launcher script executed via cscript.
Scale and Impact
The attack affected 233 versions of Laravel-Lang packages distributed through Packagist, the primary PHP package repository. With Laravel being one of the most popular PHP frameworks globally — powering millions of web applications — the potential victim pool is enormous. Developers who pulled any of the affected localization packages during the compromise window may have exposed their entire cloud infrastructure, CI/CD credentials, and application secrets.
Indicators of Compromise
- C2 Domain: flipboxstudio[.]info
- Payload URL: https://flipboxstudio[.]info/payload
- Exfiltration URL: https://flipboxstudio[.]info/exfil
- Malicious file: src/helpers.php
- Infection marker: <tmp>/.laravel_locale/<md5_hash>
- Windows artifact: DebugChromium.exe
Recommended Response Actions
Organizations using Laravel-Lang packages should treat this as a potential full-environment compromise and take the following steps immediately:
- Audit composer.lock files to identify whether any affected Laravel-Lang package versions were installed.
- Rotate all secrets accessible to affected applications — database credentials, API keys, cloud access tokens, and SSH keys.
- Audit outbound network traffic for connections to flipboxstudio[.]info or other suspicious domains.
- Rebuild affected systems from known-good images to ensure complete eradication — do not attempt to clean in place.
- Review cloud access logs for anomalous API calls or resource creation using any credentials that may have been exposed.
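As an added example (not from the article or the researchers' reports), the composer.lock audit above as a Python script, plus a literal check of each vendored src/helpers.php for the indicators listed earlier: it records the commit each Laravel-Lang package resolved to, for comparison against the researchers' published list of affected versions. The vendor path layout, the package names and the sample inputs are assumptions; since the article says the dropper obfuscates its C2 address, a clean grep does not prove a clean file, so the commit-reference comparison is the primary check.

```python
import json
import os
import re

# Indicators from the article's IoC list. The researchers' list of 233 affected
# versions is not reproduced here, so each package's commit reference is reported for comparison.
IOC_PATTERNS = {
    "c2_domain": re.compile(r"flipboxstudio\.info", re.I),
    "marker_dir": re.compile(r"\.laravel_locale"),
    "windows_artifact": re.compile(r"DebugChromium\.exe", re.I),
}
VENDOR_PREFIX = "laravel-lang/"

def lang_packages(lock_text):
    """Return (name, version, commit reference) for each Laravel-Lang package in a composer.lock."""
    lock = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").startswith(VENDOR_PREFIX):
                ref = (pkg.get("source") or {}).get("reference") or (pkg.get("dist") or {}).get("reference")
                found.append((pkg["name"], pkg.get("version"), ref))
    return found

def scan_helper_source(php_source):
    """Return the IoC names matched in a helpers.php body (a literal-string check only)."""
    return [name for name, pat in IOC_PATTERNS.items() if pat.search(php_source)]

def audit_project(project_dir):
    """List Laravel-Lang packages from composer.lock and scan each vendored src/helpers.php."""
    with open(os.path.join(project_dir, "composer.lock"), encoding="utf-8") as fh:
        packages = lang_packages(fh.read())
    report = []
    for name, version, ref in packages:
        helper = os.path.join(project_dir, "vendor", *name.split("/"), "src", "helpers.php")
        hits = []
        if os.path.isfile(helper):
            with open(helper, encoding="utf-8", errors="replace") as fh:
                hits = scan_helper_source(fh.read())
        report.append({"package": name, "version": version, "reference": ref, "ioc_hits": hits})
    return report

# Constructed sample inputs (not real lock-file or package contents).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "15.0.0", "source": {"url": "https://github.com/Laravel-Lang/lang.git", "reference": "deadbeef"}},
    {"name": "laravel/framework", "version": "11.0.0"}]})
SAMPLE_HELPER = "<?php\n$u = 'https://flipboxstudio.info/payload';\n@mkdir(sys_get_temp_dir() . '/.laravel_locale');\n"

if __name__ == "__main__":
    print(lang_packages(SAMPLE_LOCK), scan_helper_source(SAMPLE_HELPER))
```

Run audit_project against a project root to get one record per installed Laravel-Lang package; any non-empty ioc_hits, or a reference that does not match the maintainers' published commit for that version, warrants the rebuild and rotation steps above.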
This attack is a stark reminder that the open-source dependency ecosystem remains a high-value target. Developers should consider implementing automated supply chain scanning tools and verifying package integrity through multiple channels beyond simple version tags.