Laravel-Lang compromise shows the risk inside release tags

A reported compromise of Laravel-Lang PHP packages used rewritten git tags and Composer autoload behavior to run a cross-platform credential stealer.

2026-05-25 GIGATAP Team #security
#supply-chain-security#php#composer

What is known#

Multiple PHP packages under the Laravel-Lang organization were reportedly compromised in a software supply chain attack that delivered a cross-platform credential stealer to downstream users.

The reporting cites research from Socket, StepSecurity, and Aikido Security. The affected Laravel-Lang packages include laravel-lang/http-statuses, with The Hacker News describing the campaign as targeting multiple packages belonging to Laravel-Lang.

The notable detail is not only that malicious code appeared in package releases. It is how it appeared.

According to Socket, the project source code itself was not modified in the usual way. Instead, the attacker allegedly rewrote existing git tags in each repository so they pointed to a new malicious commit. Those rewritten tags embedded a malicious src/helpers.php file into released versions.

Socket said more than 700 versions associated with the affected packages were identified. The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart. Socket interpreted that timing and pattern as evidence of a broader compromise of the Laravel-Lang organization’s release process, rather than one isolated malicious package version.

That remains an assessment, not a proven public attribution. The suspected access path includes organization-level credentials, repository automation, or release infrastructure. The source material does not confirm which one was used.

Why the autoload detail matters#

The malicious file was reportedly added to the Composer autoload.files map.

That is the core risk.

In PHP applications using Composer, files listed under autoload.files are loaded automatically when the application includes Composer’s autoloader. In Laravel, that usually happens at startup through vendor/autoload.php. Other PHP frameworks and tools also rely on the same mechanism.

StepSecurity summarized the impact plainly: because Laravel applications load Composer’s autoloader on startup, and because Symfony, PHPUnit, and many other PHP projects do the same, the payload can run without a developer calling a class, invoking a method, or triggering a special route.

That makes this more dangerous than a malicious function hidden in a rarely used API. A compromised dependency with an autoloaded file can execute as part of normal boot.

Socket said the backdoor generates a unique per-host marker using an MD5 hash that combines the directory path, system architecture, and inode. The stated purpose is to trigger only once per machine. That reduces noisy repeated execution and may make detection harder after the first run.

The dropper then contacts flipboxstudio[.]info to retrieve a PHP-based payload. Aikido Security described it as a roughly 5,900-line credential stealer organized into fifteen collector modules. After collection, the data is reportedly encrypted with AES-256 and sent to flipboxstudio[.]info/exfil, after which the payload deletes itself from disk to reduce forensic evidence.

On Windows, Aikido said the dropper delivers a Visual Basic Script launcher and runs it through cscript. On Linux and macOS, it runs the stealer through exec().

The result is a PHP supply-chain incident that crosses operating systems and runtime boundaries. The malicious package is installed through a PHP dependency path, but the target data includes developer workstations, CI runners, cloud environments, and application hosts.

What the stealer reportedly targets#

The reported collection scope is broad. It is aimed less at one application secret and more at the working environment around modern software delivery.

The source material lists attempts to collect, among other data:

  • Cloud metadata, including IAM roles and instance identity documents.
  • Google Cloud application default credentials.
  • Microsoft Azure access tokens and service principal profiles.
  • Kubernetes service account tokens and Helm registry configuration.
  • Tokens for platforms such as DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io.
  • CI/CD and deployment credentials from Jenkins, GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD.
  • Docker auth tokens, SSH private keys, Git credentials, .env files, shell history, database history, Kubernetes config, wp-config.php, and docker-compose.yml.
  • Source control credentials from .gitconfig, .git-credentials, and .netrc files.
  • Browser data, cookies, login data, and browser extension data.
  • Password manager vault or extension data for products including 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass.
  • Crypto wallet files and seed phrase material linked to wallets and extensions including Electrum, Exodus, Atomic, Ledger Live, Trezor, Wasabi, Sparrow, MetaMask, Phantom, Trust Wallet, Ronin, Keplr, Solflare, and Rabby.
  • PuTTY and WinSCP saved sessions, Windows Credential Manager data, FTP client credentials, and session tokens for apps such as Discord, Slack, and Telegram.
  • VPN configuration and saved login files for OpenVPN, WireGuard, NetworkManager, and commercial VPNs listed in the reporting.

That breadth matters. If the reporting is accurate, this is not just a web-app compromise. It is a pivot attempt into cloud accounts, CI/CD systems, source control, wallets, password stores, and developer endpoints.

A single infected build host or developer machine can hold credentials that outlive the malicious package install.

What not to overclaim#

The public reporting does not prove how the attacker gained access.

The rapid tag publishing pattern points toward automation or release-process compromise, but it does not by itself identify the initial access vector. It could involve organization credentials. It could involve compromised automation. It could involve release infrastructure. The source material does not settle that question.

The reporting also does not establish how many downstream applications installed the compromised versions, how many systems executed the payload, or how much data was successfully exfiltrated.

Those distinctions matter. A malicious package version is exposure. Execution depends on whether the package was installed or updated in a vulnerable window and whether the malicious autoload file ran in a real environment. Exfiltration depends on network reachability, host contents, permissions, and detection or blocking controls.

Teams should treat this as serious without inventing certainty that is not in the evidence.

What teams should check now#

Start with Composer dependency state.

Review composer.lock, build logs, artifact metadata, dependency cache entries, and package manager logs for Laravel-Lang packages installed or updated around May 22–23, 2026. Do not only check current source branches. If tags were rewritten, local caches, CI caches, and built containers may preserve the compromised artifact even after upstream remediation.

Then inspect installed vendor trees where relevant. Look for unexpected src/helpers.php files in Laravel-Lang packages and check whether package composer.json files include that file under autoload.files.

Network telemetry is also useful. Search DNS, proxy, EDR, and firewall logs for contact with:

  • flipboxstudio[.]info
  • flipboxstudio[.]info/exfil

Treat any confirmed execution as a credential incident, not only a malware cleanup task.

That means rotating exposed secrets. Prioritize cloud access keys, CI/CD tokens, Git credentials, deployment tokens, SSH keys, Kubernetes tokens, registry credentials, .env secrets, and any credentials present on affected developer machines or build hosts.

For CI systems, invalidate runner tokens where possible and review recent pipeline behavior. For cloud accounts, check metadata-derived identity use, unusual API calls, new service principals, suspicious access keys, and unexpected resource changes. For source control, review deploy keys, personal access tokens, GitHub Actions secrets, GitLab variables, and recent tag or release activity.

Finally, preserve evidence before wiping systems. The payload reportedly deletes itself after exfiltration, so disk artifacts may be limited. Composer caches, container layers, CI workspaces, package lockfiles, proxy logs, and endpoint telemetry may become the most useful sources.

Practical takeaway#

This incident shows why release metadata is part of the trust boundary.

Developers often review source code and assume tags are stable pointers to that code. In this case, the reported attack path abused tags and Composer autoload behavior. The visible project source was not the only thing that mattered. The release object consumed by package managers mattered more.

For PHP teams, the immediate lesson is simple: dependency compromise can execute at application boot. For platform teams, the broader lesson is sharper: credentials on developer machines and CI runners are production assets. If a dependency can read them, the dependency chain is part of the production attack surface.