A highly sophisticated supply chain attack has compromised the Laravel-Lang ecosystem, injecting credential-stealing remote code execution backdoors into 233 package versions across 700 GitHub repositories.
Discovered in May 2026 by Socket and Aikido, threat actors manipulated GitHub tags to distribute malware through Composer’s autoloader, granting complete remote access to developer environments.
The attackers bypassed direct repository commits by exploiting GitHub’s version tagging system to point legitimate tags toward a malicious fork.
When developers pulled the affected localization packages via Packagist, the malicious src/helpers.php executed automatically due to Composer’s autoload.files directive. This method effectively hid the malware from standard repository audits while inheriting full web application permissions.
The initial infection phase utilizes a stealthy dropper that masquerades as a standard Laravel localization function. It fingerprints the host system using specific hardware metrics and establishes a temporary marker file to prevent redundant executions.
Aikido observed that the payload disables SSL verification and fetches a secondary script from an obfuscated command-and-control server, launching it silently via OS-specific methods.
Payload Execution Methods
| Operating System | Execution Mechanism | Privilege Level |
|---|---|---|
| Linux | Background execution using exec("php ...") |
Application user |
| macOS | Background execution using exec("php ...") |
Application user |
| Windows | Generated .vbs script running via cscript |
Application user |
The fetched payload is an extensive PHP credential stealer containing 15 specialized collector modules. It systematically targets sensitive developer secrets, including cloud metadata, database credentials, and environment configuration files.
After harvesting the secrets, the malware encrypts the payload using AES-256 and exfiltrates it to the attacker’s infrastructure before deleting itself to evade forensic detection.
The malware framework systematically strips the infected machine of high-value configurations and credentials:
- Cloud access keys for AWS, GCP, Azure, and DigitalOcean.
- Infrastructure configurations including Kubernetes profiles, Docker tokens, and HashiCorp Vault secrets.
- Developer assets such as SSH private keys, Git credentials, and shell history files.
- Saved browser passwords, cryptocurrency wallets, and password manager databases.
Security researchers advise immediate rotation of all application secrets, database credentials, and API keys exposed to compromised environments.
Development teams must inspect their composer.lock files to block affected Laravel-Lang packages and audit outbound network traffic for suspicious connections.
Systems running compromised packages should be entirely rebuilt from known-good images to ensure total eradication of the persistent threat.
Indicators of Compromise
| Type | Indicator |
|---|---|
| Domain (C2) | flipboxstudio[.]info |
| URL (Payload Fetch) | https://flipboxstudio[.]info/payload |
| URL (Exfiltration) | https://flipboxstudio[.]info/exfil |
| File Path (Malicious) | src/helpers.php |
| File Path (Infection Marker) | |
| File Path (Dropped Stealer) | |
| File Path (Windows Launcher) | |
| Artifact (Windows) | DebugChromium.exe |
| IP Address | 169.254.169.254 |
[.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.