Laravel Lang packages hijacked to deploy credential-stealing malware
A supply-chain attack hit Laravel Lang localization packages by hijacking GitHub tags to point to malicious commits, affecting multiple releases across laravel-lang/lang, http-statuses, attributes, and possibly actions. Attackers rewrote existing tags (not code) to a malicious fork, enabling legitimate-looking releases to deliver malware via Composer. The payload acts as a dropper that fetches a second-stage credential-stealer from a C2 domain, harvesting cloud credentials, tokens, SSH keys, Git credentials, and other secrets across Linux, macOS, and Windows (including a Windows infostealer named DebugElevator). Packagist quickly removed the malicious versions; developers are advised to audit installed versions, rotate exposed credentials, search for indicators of compromise, and check for outbound connections to flipboxstudio.info. The Laravel Lang project itself was not compromised.

LARAVEL LANG PACKAGES HIJACKED TO DEPLOY CREDENTIAL-STEALING MALWARE
Introduction
A sophisticated supply chain compromise targeted the Laravel Lang localization packages. Attackers hijacked GitHub version tags to distribute malicious code through Composer packages, allowing the theft of credentials and sensitive data without modifying the original project’s source code. Security researchers documented a coordinated campaign that manipulated existing release tags to point to malicious commits in attacker-controlled forks, enabling the deployment of a multi-stage credential-stealing payload when developers installed the packages.
Scope and Affected Packages
- Affected Laravel Lang repositories:
  - laravel-lang/lang
  - laravel-lang/http-statuses
  - laravel-lang/attributes
  - possibly laravel-lang/actions
- The Laravel Lang packages are third-party localization aids and not part of the official Laravel project.
- The extent of impact:
  - Compromise reported across 233 versions in three repositories (per one security firm’s assessment); roughly seven hundred historical versions were implicated according to another security firm.
  - The attack did not alter the original project’s source files directly. Instead, it rewrote GitHub tags to point to malicious commits within forks, making the releases appear legitimate while delivering malicious payloads.
How the Attack Worked
- Tag-level compromise:
  - Attackers rewrote every existing Git tag in the four repositories to reference new, malicious commits.
  - The rewrites began at 22:32 UTC on laravel-lang/lang (the flagship translation package, which had about 502 tags) and concluded around 00:00 UTC on laravel-lang/actions.
  - All four repositories reportedly shared the same fake author identity, identical modified files, and uniform payload behavior, indicating a single actor with organization-wide push access using compromised credentials.
- Delivery mechanism:
  - Rather than introducing a brand-new malicious release, the attackers used GitHub’s tagging mechanism to associate legitimate-looking tags with malicious content stored in an attacker-controlled fork.
  - When developers requested a package release via Composer, the installer fetched the compromised commit that carried the malicious payload, masquerading as a legitimate Laravel Lang release.
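The tag-level signature described above (existing tag names left intact, underlying commits moved) can be caught by diffing a known-good snapshot of a repository's tag-to-commit map against a fresh one. The Python below is an added example written for this article, not code from the Laravel Lang project or from the researchers' write-ups; the function names and the sample listings (with made-up commit hashes) are constructed for illustration, and the only real tooling it relies on is `git ls-remote --tags`.

```python
"""Detect rewritten Git tags by diffing two snapshots of `git ls-remote --tags`.

Added example, not from the article or the Laravel Lang project. It assumes a
baseline listing was captured before the incident (from a mirror, a CI cache or
a lock file) and is compared against a fresh listing from the remote.
"""
from __future__ import annotations

import subprocess

TAG_PREFIX = "refs/tags/"


def parse_ls_remote_tags(output: str) -> dict[str, str]:
    """Map tag name -> commit sha from `git ls-remote --tags` output.

    Annotated tags produce two lines: the tag object (refs/tags/x) and the peeled
    commit (refs/tags/x^{}). The peeled line wins so commits, not tag objects,
    are compared; a lightweight tag only has the first form.
    """
    tags: dict[str, str] = {}
    peeled: dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if not ref.startswith(TAG_PREFIX):
            continue
        name = ref[len(TAG_PREFIX):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags


def diff_tag_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict:
    """Classify tags into rewritten (same name, different commit), added and removed.

    Many entries under "rewritten" in one sweep is the pattern the article
    describes; a single new tag pointing at a new commit is a normal release.
    """
    rewritten = {
        tag: (baseline[tag], current[tag])
        for tag in baseline
        if tag in current and baseline[tag] != current[tag]
    }
    return {
        "rewritten": rewritten,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def fetch_tag_listing(repo_url: str) -> str:
    """Fetch the live listing with `git ls-remote --tags <url>` (network access)."""
    proc = subprocess.run(
        ["git", "ls-remote", "--tags", repo_url],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


# Constructed sample listings: the hashes are fake and the tag names are illustrative.
SAMPLE_BASELINE = (
    "1" * 40 + "\trefs/tags/v1.0.0\n"
    + "2" * 40 + "\trefs/tags/v1.0.0^{}\n"   # annotated tag, peeled commit
    + "3" * 40 + "\trefs/tags/v1.1.0\n"      # lightweight tag
)
SAMPLE_CURRENT = (
    "4" * 40 + "\trefs/tags/v1.0.0\n"
    + "5" * 40 + "\trefs/tags/v1.0.0^{}\n"   # same tag name, moved to another commit
    + "3" * 40 + "\trefs/tags/v1.1.0\n"      # untouched
    + "6" * 40 + "\trefs/tags/v1.2.0\n"      # genuinely new release
)


def run_sample() -> dict:
    """Diff the constructed snapshots; in real use pass fetch_tag_listing(url) as current."""
    return diff_tag_snapshots(
        parse_ls_remote_tags(SAMPLE_BASELINE),
        parse_ls_remote_tags(SAMPLE_CURRENT),
    )


if __name__ == "__main__":
    result = run_sample()
    for tag, (old, new) in result["rewritten"].items():
        print(f"REWRITTEN {tag}: {old[:12]} -> {new[:12]}")
    print("added:", result["added"], "removed:", result["removed"])
```

Because `composer.lock` pins the exact commit each tag resolved to (`source.reference`), the lock file of a build that predates the incident is a ready-made baseline: parse its references into the same `{tag: sha}` shape and pass them as `baseline`.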
The Malicious Dropper and the Payload
- Initial dropper:
  - The malicious releases introduced a file named src/helpers.php, automatically loaded by Composer.
  - This file was added to the autoload section of composer.json and served as the dropper that downloaded a second-stage payload from the attacker’s command-and-control domain flipboxstudio[.]info.
- Secondary payload:
  - The downloaded PHP payload functioned as a cross-platform credential stealer compatible with Linux, macOS, and Windows.
  - It harvested cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local .env files.
  - The malware employed regular expression patterns designed to extract AWS keys, GitHub tokens, Slack tokens, Stripe secrets, database credentials, JWTs, SSH private keys, and cryptocurrency recovery phrases from files and environment variables.
- Windows-specific behavior:
  - On Windows, the PHP payload decoded a base64-encoded executable embedded within the file, wrote it to the TEMP folder under a random .exe filename, and launched it.
  - The infostealer on Windows has been identified as a module named DebugElevator, aimed at extracting App-Bound Encryption keys to decrypt stored browser credentials (specifically targeting Chrome, Brave, and Edge).
  - An embedded PDB path references a Windows account name “Mero” and includes “claude,” suggesting possible AI-assisted development guidance in crafting the malware.
- Data exfiltration:
  - After collecting sensitive information, the malware encrypted the data and exfiltrated it to the attacker’s command-and-control server.
Indicators of Compromise and Artifacts
- The attack centered on a widespread, tag-based deployment mechanism. Indicators include:
  - Rewritten tags in four Laravel Lang repositories pointing to malicious commits.
  - A consistent set of modified files across the four repositories.
  - A shared, attacker-controlled payload hosted on the same C2 infrastructure.
  - The presence of a helper script (src/helpers.php) loaded via Composer’s autoload configuration.
  - A second-stage payload capable of harvesting a broad array of credentials and secrets, including cloud access keys, Git credentials, and VPN configurations.
  - Windows-specific artifacts, including the DebugElevator executable and a base64-embedded binary with a PDB path referencing specific user and AI-related terms.
Response and Observed Actions
- Incident handling:
  - Security researchers documented the attack and provided detailed analyses of the tag rewrites, the autoloaded dropper, and the cross-platform payload.
  - The affected package maintainers and distribution channels were alerted to the compromise.
- Platform response:
  - The entity maintaining the package registry responded by removing the malicious versions and temporarily unlisting the compromised packages to prevent further installations.
- Post-incident considerations:
  - Developers using the Laravel Lang packages were advised to review installed versions, rotate any exposed credentials, inspect systems for indicators of compromise, and, where possible, check for historical outbound connections to the attacker’s C2 domain.
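The review of installed versions advised above, together with the indicators listed under "Indicators of Compromise and Artifacts" (the src/helpers.php autoload entry and the flipboxstudio[.]info C2 domain), can be scripted against a project checkout. The Python below is an added example written for this article, not code from the researchers, the registry, or the Laravel Lang project. It assumes the project's composer.lock reflects the install under review, treats any laravel-lang/* package with a `files` autoload entry named helpers.php as worth a look (a heuristic taken from the article's description of the dropper, not a confirmed signature for every version), and the sample lock file embedded at the bottom is constructed with made-up versions and commit hashes.

```python
"""Audit a Composer project for the Laravel Lang indicators described above.

Added example, not code from the article, the researchers or the Laravel Lang
project. Assumes composer.lock is present and the vendor/ tree is readable.
"""
from __future__ import annotations

import json
from pathlib import Path

C2_DOMAIN = "flipboxstudio.info"      # C2 domain named in the article
AFFECTED_PREFIX = "laravel-lang/"     # GitHub org / Packagist vendor named in the article
SUSPECT_FILE = "helpers.php"          # the dropper was src/helpers.php, autoloaded


def audit_lock(lock: dict) -> list[dict]:
    """One finding per laravel-lang/* entry in a parsed composer.lock.

    The lock pins the exact commit Composer resolved (source.reference), which is
    the value to compare against a known-good tag snapshot, and its autoload
    section shows a helpers.php `files` entry without unpacking vendor/.
    """
    findings: list[dict] = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if not name.startswith(AFFECTED_PREFIX):
                continue
            files = pkg.get("autoload", {}).get("files", [])
            findings.append({
                "name": name,
                "version": pkg.get("version"),
                "commit": pkg.get("source", {}).get("reference"),
                "autoload_files": list(files),
                "suspicious": any(Path(f).name == SUSPECT_FILE for f in files),
            })
    return findings


def text_mentions_c2(text: str, domain: str = C2_DOMAIN) -> bool:
    """True if the text contains the C2 domain, plain or defanged (flipboxstudio[.]info)."""
    lowered = text.lower()
    return domain in lowered or domain.replace(".", "[.]") in lowered


def scan_vendor(vendor_dir: str | Path, domain: str = C2_DOMAIN) -> list[str]:
    """Paths under vendor/ whose contents mention the C2 domain."""
    hits: list[str] = []
    for path in Path(vendor_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            if text_mentions_c2(path.read_text(errors="ignore"), domain):
                hits.append(str(path))
        except OSError:
            continue
    return sorted(hits)


def audit_project(root: str | Path) -> dict:
    """Run both checks against a project directory containing composer.lock and vendor/."""
    root = Path(root)
    lock = json.loads((root / "composer.lock").read_text())
    return {"packages": audit_lock(lock), "c2_hits": scan_vendor(root / "vendor")}


# Constructed sample lock: versions, hashes and namespaces are made up for this example.
SAMPLE_LOCK = {
    "packages": [
        {
            "name": "laravel-lang/lang",
            "version": "0.0.0-constructed",
            "source": {"type": "git", "url": "https://github.com/laravel-lang/lang.git",
                       "reference": "c" * 40},
            "autoload": {"psr-4": {"Constructed\\Ns\\": "src/"},
                         "files": ["src/helpers.php"]},   # the dropper shape
        },
        {
            "name": "laravel-lang/attributes",
            "version": "0.0.0-constructed",
            "source": {"type": "git", "url": "https://github.com/laravel-lang/attributes.git",
                       "reference": "d" * 40},
            "autoload": {"psr-4": {"Constructed\\Other\\": "src/"}},
        },
        {"name": "vendor/unrelated", "version": "0.0.0-constructed", "autoload": {}},
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']} {f['version']} {f['commit']} {f['autoload_files']}")
```

`audit_project("/path/to/app")` runs both checks on a real checkout; the commit in each finding is what to compare against a pre-incident tag snapshot, and a C2 hit in vendor/ means the dropper or its second stage is on disk, which is a reason to treat every credential that host could read as exposed.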
Impact and Takeaways
- The attack demonstrated a novel abuse of GitHub version tags as a deployment vector, where legitimate-looking releases were driven by compromised credentials rather than altered source code in the main repository.
- The one-actor, org-wide access abuse pointed to a broad target set within a relatively obscure but widely used ecosystem of localization packages, illustrating how supply chain risks extend beyond well-known software supply chains.
- The dual-stage approach—an initial dropper that fetches a more powerful credential stealer—enabled a wide exfiltration surface across multiple platforms, emphasizing the need for defense-in-depth around dependency management and automated build processes.
- The inclusion of AI-like naming patterns in the Windows malware suggests potential tools or methodologies borrowed from AI-assisted development practices, underscoring evolving threat capabilities in modern infostealer campaigns.
Context and Related Coverage
- The incident drew attention from multiple security researchers and firms that documented the compromise, including analyses of the tag rewrites, the dropper, and the multi-platform payload.
- The event highlighted a notable validation gap: automated pentesting and supply chain validation tools need to account for how attackers may manipulate version tagging and release metadata, not just code changes, to ensure effective defense measures.
Closing Reflections
- The Laravel Lang compromise exemplifies how attackers can leverage trusted distribution channels to deliver high-impact payloads. By exploiting tag-based release mechanisms and distributing a credible-looking update, they achieved broad reach with relatively subtle changes to the ecosystem. The incident reinforces the importance of monitoring not only code changes but also release metadata, and it demonstrates the ongoing need for robust credential management, supply chain validation, and rapid incident response within developer tooling ecosystems.