
Cybersecurity researchers have warned of a new software supply chain attack campaign targeting multiple PHP packages belonging to Laravel-Lang, which delivers a comprehensive credential-stealing framework to applications that install the tampered versions.
Affected packages include:
laravel-lang/lang
laravel-lang/http-statuses
laravel-lang/attributes
laravel-lang/actions
“The timing and pattern of the newly published tags indicate a broader compromise of the Laravel Lang organization’s release process, rather than a single malicious package version,” Socket said. “The tags were published in quick succession on May 22 and May 23, 2026, with many versions published just seconds apart.”
More than 700 versions associated with these packages have been identified, indicating large-scale automated tagging or republishing. The attackers are suspected to have gained access to organization-level credentials, repository automation, or release infrastructure.
The core malicious functionality lives in a file named “src/helpers.php” added to the tagged versions. It fingerprints the infected host and contacts an external server (flipboxstudio[.]info) to fetch a PHP-based cross-platform payload that runs on Windows, Linux, and macOS.
According to Aikido Security, on Windows the dropper writes a Visual Basic Script launcher and runs it via cscript; on Linux and macOS it executes the stealer payload directly via exec().
“Because this file [‘src/helpers.php’] is registered in composer.json under autoload.files, the backdoor will automatically run on every PHP request processed by a compromised application,” Socket explained.
“This script generates a unique marker for each host (an MD5 hash combining directory path, system architecture, and inode) to ensure that the payload is only triggered once per machine. This prevents redundant execution and allows the malware to remain undetected after the first execution.”
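The autoload.files mechanism Socket describes is also what makes this campaign easy to audit for: a Composer lock file records, per package, every file that Composer will require on each request, together with the release timestamp of the installed version. The script below is an added example written for this article, not code from Socket, Aikido, or the Laravel-Lang project. It parses a composer.lock, picks out the four packages named above, and flags for review any that wire a helpers.php into autoload.files or whose recorded release time falls on the May 22-23, 2026 tag burst. The composer.lock fragment embedded in it is constructed for the demo; its version numbers are placeholders, not real compromised versions, and a flag here is a prompt to inspect the vendor directory, not proof of compromise on its own.

```python
"""Audit a Composer project for Laravel-Lang packages that register files
under autoload.files (the mechanism the Socket write-up describes for
src/helpers.php).

Added example for this article; not code from Socket, Aikido, or Laravel-Lang.
Assumptions: package names, the 'helpers.php' filename and the tag-burst dates
come from the article; the composer.lock sample below is constructed, and its
version numbers are placeholders, not real compromised versions.
"""
import json
from typing import Dict, List

# Packages named in the article as affected.
AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

# Dates of the suspicious tag burst reported by Socket.
SUSPECT_PUBLISH_DATES = ("2026-05-22", "2026-05-23")


def audit_lock(lock: dict) -> List[Dict[str, object]]:
    """Return one finding per affected package present in a parsed composer.lock.

    Each finding records the installed version, every path the package
    registers under autoload.files (each of these is required on every PHP
    request), whether one of those paths is a helpers.php, and whether the
    lock's recorded release time falls inside the suspect window.
    """
    findings: List[Dict[str, object]] = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name not in AFFECTED_PACKAGES:
                continue
            autoload_files = pkg.get("autoload", {}).get("files", [])
            published = (pkg.get("time") or "")[:10]  # keep YYYY-MM-DD only
            findings.append({
                "name": name,
                "version": pkg.get("version"),
                "autoload_files": list(autoload_files),
                "registers_helpers": any(p.endswith("helpers.php") for p in autoload_files),
                "published_in_suspect_window": published in SUSPECT_PUBLISH_DATES,
            })
    return findings


def audit_lock_file(path: str) -> List[Dict[str, object]]:
    """Convenience wrapper: read composer.lock from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_lock(json.load(fh))


def needs_review(finding: Dict[str, object]) -> bool:
    """A finding needs a human look if either indicator fired."""
    return bool(finding["registers_helpers"] or finding["published_in_suspect_window"])


# Constructed composer.lock fragment (not a real lock file). The first entry
# shows the pattern the article describes: a helpers.php wired into
# autoload.files, tagged inside the suspect window. The second is an affected
# package with no autoload.files entry, and the third is an unrelated package.
SAMPLE_LOCK = {
    "packages": [
        {"name": "laravel-lang/lang", "version": "99.0.0",  # placeholder version
         "time": "2026-05-22T10:15:03+00:00",
         "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"},
                      "files": ["src/helpers.php"]}},
        {"name": "laravel-lang/attributes", "version": "1.0.0",  # placeholder
         "time": "2025-01-10T09:00:00+00:00",
         "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"}}},
        {"name": "monolog/monolog", "version": "3.5.0",
         "autoload": {"psr-4": {"Monolog\\": "src/Monolog"}}},
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        status = "REVIEW" if needs_review(f) else "ok"
        print(f"[{status}] {f['name']} {f['version']} autoload.files={f['autoload_files']}")
```

To run it against a real project, call audit_lock_file("composer.lock") and then compare any flagged package's vendor/<name>/src/helpers.php with the upstream repository at the same tag; the lock file only tells you what Composer was told to autoload, not whether the file on disk matches what the maintainers published.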
The stealer can collect a wide range of data from a compromised system and exfiltrate it to the same server. This includes:
IAM roles and instance IDs, obtained by querying cloud metadata endpoints
Google Cloud Application Default Credentials
Microsoft Azure access tokens and service principal profiles
Kubernetes service account tokens and Helm registry configuration
Authentication tokens for DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io
HashiCorp Vault tokens
Jenkins, GitLab Runner, and GitHub tokens, plus configuration from CircleCI, TravisCI, and ArgoCD
Seed phrases and files associated with cryptocurrency wallets (Electrum, Exodus, Atomic, Ledger Live, Trezor, Wasabi, Sparrow) and browser extensions (MetaMask, Phantom, Trust Wallet, Ronin, Keplr, Solflare, Rabby)
Browser history, cookies, and login data from Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera, using a built-in Base64-encoded Windows executable to bypass Chromium's App-Bound Encryption (ABE) protection
Local vault and browser extension data for 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass
PuTTY and WinSCP saved sessions
Windows Credential Manager dumps
RDP files
Session tokens for applications such as Discord, Slack, and Telegram
Data from Microsoft Outlook, Thunderbird, and popular FTP clients (FileZilla, WinSCP, and CoreFTP)
Configuration and credential files, including Docker authentication tokens, SSH private keys, Git credentials, shell history files, database history files, Kubernetes cluster configuration, .env files, wp-config.php, and docker-compose.yml
Environment variables loaded into the PHP process
Source control credentials from global and local .gitconfig files, .git-credentials, and .netrc files
VPN configuration and saved login files for OpenVPN, WireGuard, NetworkManager, and commercial VPNs such as NordVPN, ExpressVPN, CyberGhost, and Mullvad
“The fetched payload is approximately 5,900 lines of PHP credential stealer organized into 15 specialized collector modules,” said Aikido researcher Ilyas Makari. “After collecting everything it finds, it encrypts the results with AES-256 and sends them to flipboxstudio[.]info/exfil. It then deletes itself from disk to limit forensic evidence.”
