laravel-lang Packagist packages re-tagged from a compromised org credential
Between 2026-05-22 22:32 UTC and 2026-05-23 00:00 UTC an attacker with push access to the Laravel-Lang organization rewrote every tag in lang, attributes, actions, and http-statuses to commits that eager-loaded src/helpers.php through composer's autoload. The dropper fetched a PHP stage 2 from flipboxstudio.info, which executed an ELF binary and exfiltrated runner environment data to the same host.
Story
Late on May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote every version tag on four widely used Laravel translation packages, planting a credential stealer that ran on the next composer update for downstream applications.
Laravel-Lang publishes Laravel translation packages on Packagist, the central Composer package index. Four repositories under the organization back four Composer packages: lang, attributes, actions, and http-statuses. Between 22:32 UTC on May 22 and midnight UTC on May 23, according to researchers at StepSecurity, the attacker rewrote every tag across all four: 502 on the lang repository alone, and fewer on each of the other three. Each malicious commit was authored as Your Name <you@example.com>, the placeholder identity git itself suggests when no user is configured, and changed two files: composer.json and a new src/helpers.php. Identical diffs and the same placeholder author string across all four repositories pointed StepSecurity to a single compromised organization-wide push credential. An earlier Aikido report had described the delivery as a fork-tag pattern; StepSecurity's git evidence ruled that out.
The composer.json change appended src/helpers.php to the autoload.files array. Composer includes every file on that list whenever an application loads vendor/autoload.php, which is the standard Laravel boot path, so no call site anywhere in the application needed to reference the helper. Once Packagist picked up the rewritten tags, any composer update, or any composer install without a pre-attack lockfile, resolved each version constraint to a version whose recorded commit was now the malicious one and ran the helper on the next request. Because the entry sits in the autoload list, it then ran on every subsequent PHP request the application served, not just once. A composer install against a pre-attack lockfile kept the commit reference pinned there and stayed safe until the lockfile was refreshed.
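Added example, not StepSecurity's, Socket's or Laravel-Lang's code: a Python triage of composer.lock that applies the two checks the paragraph above implies. It flags any of the four packages whose recorded commit is not in an operator-supplied set of pre-attack SHAs, and any whose autoload.files entry wires in src/helpers.php; it also greps vendor/composer/autoload_files.php, the generated file Composer actually includes from, in case the installed tree and the lockfile disagree. The composer.lock and autoload_files.php layouts are Composer's real ones; the commit SHAs, the hash keys and every version other than 14.3.7 in the samples are constructed placeholders, not real laravel-lang values.

```python
"""Triage a composer.lock and vendor/composer/autoload_files.php for the
laravel-lang re-tag. Added example; sample SHAs and hash keys are constructed."""
import json
import re

AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/attributes",
    "laravel-lang/actions",
    "laravel-lang/http-statuses",
}
MALICIOUS_FILE = "src/helpers.php"   # the file the rewritten tags add to autoload.files


def triage_lock(lock_text, known_good):
    """Return one finding per affected package whose lock entry looks suspect.

    known_good maps package name -> set of pre-attack commit SHAs the operator
    trusts (taken from a lockfile committed before the window, or from the
    restored tags). A package absent from known_good is still checked for the
    helper file, but its commit cannot be judged.
    """
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name not in AFFECTED:
            continue
        # Composer records the resolved commit under source.reference (git) and
        # dist.reference (zip); either identifies which tag target was installed.
        ref = ((pkg.get("source") or {}).get("reference")
               or (pkg.get("dist") or {}).get("reference"))
        files = (pkg.get("autoload") or {}).get("files", [])
        reasons = []
        if any(f.endswith(MALICIOUS_FILE) for f in files):
            reasons.append("autoload.files wires in " + MALICIOUS_FILE)
        trusted = known_good.get(name)
        if trusted is not None and ref not in trusted:
            reasons.append("commit %s is not a known pre-attack SHA" % ref)
        if reasons:
            findings.append({"name": name, "version": pkg.get("version"),
                             "reference": ref, "reasons": reasons})
    return findings


# vendor/composer/autoload_files.php entries look like
#   'md5hash' => $vendorDir . '/laravel-lang/lang/src/helpers.php',
AUTOLOAD_LINE = re.compile(r"'/(laravel-lang/[^']+/src/helpers\.php)'")


def scan_autoload_files_php(text):
    """Return the laravel-lang helper paths Composer would include at boot."""
    return AUTOLOAD_LINE.findall(text)


# Constructed sample lockfile: one re-tagged package, one clean one, one
# unrelated package. SHAs are placeholders, not real commits.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "14.3.7",
         "source": {"type": "git", "reference": "b" * 40},
         "autoload": {"files": ["src/helpers.php"]}},
        {"name": "laravel-lang/attributes", "version": "1.0.0",
         "source": {"type": "git", "reference": "c" * 40},
         "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src"}}},
        {"name": "laravel/framework", "version": "11.0.0",
         "source": {"type": "git", "reference": "d" * 40}},
    ],
    "packages-dev": [],
})
SAMPLE_KNOWN_GOOD = {
    "laravel-lang/lang": {"a" * 40},          # pre-attack SHA the operator trusts
    "laravel-lang/attributes": {"c" * 40},
}
SAMPLE_AUTOLOAD_PHP = """<?php
$vendorDir = dirname(__DIR__);
return array(
    '0123456789abcdef0123456789abcdef' => $vendorDir . '/symfony/polyfill-ctype/bootstrap.php',
    'fedcba9876543210fedcba9876543210' => $vendorDir . '/laravel-lang/lang/src/helpers.php',
);
"""

if __name__ == "__main__":
    for f in triage_lock(SAMPLE_LOCK, SAMPLE_KNOWN_GOOD):
        print(f["name"], f["version"], f["reference"], "; ".join(f["reasons"]))
    print(scan_autoload_files_php(SAMPLE_AUTOLOAD_PHP))
```

Point triage_lock at the project's real composer.lock and fill known_good from a lockfile committed before 2026-05-22 22:32 UTC; an empty known_good still catches the helper-file entry, which is the stronger signal, but only the SHA comparison proves the recorded commit is one of the restored tag targets.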
The dropper assembled its C2 hostname at runtime from character codes to avoid plain-text strings, fetched a second stage from flipboxstudio.info, a typosquat of the legitimate flipboxstudio.com, over a TLS connection with certificate verification disabled and a spoofed Mozilla User-Agent, wrote it under sys_get_temp_dir()/.laravel_locale/, executed it in a detached process, and unlinked itself from disk. A per-host MD5 marker in the same directory kept the stealer from running twice on the same machine. On Unix the helper invoked the staged PHP via exec("php ..."); on Windows it dropped a .vbs file and ran it through cscript. StepSecurity also observed a Linux variant in which stage two dropped an ELF at /tmp/.<8 hex>, executed it, and removed the path, so the process kept running from a deleted inode and, once the PHP process that launched it had exited, showed parent PID 1.
Socket's reverse engineering of stage two describes a credential-harvesting framework with seventeen collectors. It scraped cloud-instance metadata from AWS IMDS at 169.254.169.254 along with Azure, Google Cloud, DigitalOcean, Heroku, Netlify, and Vercel endpoints; read Kubernetes service-account tokens from /var/run/secrets/ and HashiCorp Vault tokens from the environment; pulled secrets from Jenkins, GitLab Runner, GitHub Actions, CircleCI, TravisCI, and ArgoCD working directories; harvested SSH keys, Git credentials, Docker tokens, VPN configs, and per-process environments from /proc/<pid>/environ; and walked profile directories for Chrome, Edge, Firefox, Brave, and Opera along with the local stores for 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass and a catalog of cryptocurrency wallets and browser extensions. On Windows the payload shipped an embedded DebugChromium.exe that abused Chrome's own debugging interface to extract the v127+ app-bound encryption key and decrypt cookies and saved passwords that Chrome's newer protections would otherwise have kept out of reach. Exfiltration POSTed the collected material to https://flipboxstudio.info/exfil. The XOR key k9X2mP7vL4nQ8wR1 recurs across the obfuscated strings and is itself a useful hunt artifact.
Packagist removed the malicious versions and temporarily delisted the four packages. StepSecurity advised downstream operators to halt composer update until lockfiles were verified against pre-attack SHAs, scan affected hosts for /tmp/.laravel_locale/ artifacts (sys_get_temp_dir() resolves to /tmp on most Linux hosts, but to TMPDIR where that is set) and for orphaned PHP or ELF processes, and rotate any CI tokens, cloud credentials, GitHub personal access tokens, and deploy keys reachable from a runner that executed during the window. Because the helper unlinks itself and the ELF runs from a deleted inode, absence of the files on disk does not clear a host; the marker in the staging directory and the process state are the evidence that persists.
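Added example, not StepSecurity's tooling: a Python hunt for the two Linux artifacts named above. deleted_executables() walks /proc and reports processes whose exe link reads "... (deleted)", marking those reparented to PID 1; staging_artifacts() lists the .laravel_locale directory and any /tmp/.<8 hex> path. The /proc stat and exe semantics are Linux's real ones; build_sample_tree() is a constructed fixture so the hunt can be run offline, and the PIDs, names and file contents in it are invented.

```python
"""Hunt a Linux host for the laravel-lang stage-two artifacts.
Added example; build_sample_tree() is a constructed fixture, not real data."""
import os
import re
import tempfile
from pathlib import Path

HEX8 = re.compile(r"^\.[0-9a-f]{8}$")   # /tmp/.<8 hex> from the Linux variant
STAGING_DIR = ".laravel_locale"          # written under sys_get_temp_dir()


def deleted_executables(proc_root="/proc"):
    """Processes whose binary was unlinked after exec.

    /proc/<pid>/exe reads as '<path> (deleted)' once the file is gone. The ELF
    stage also shows ppid 1 because the PHP process that spawned it has exited;
    both facts are reported, but any deleted executable deserves a look.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = Path(proc_root, entry)
        try:
            stat = (pid_dir / "stat").read_text()
            exe = os.readlink(pid_dir / "exe")
        except OSError:          # process already exited, or not ours to read
            continue
        if not exe.endswith(" (deleted)"):
            continue
        # comm sits in parentheses and may contain spaces or ')' itself, so
        # split only the fields after the LAST ')': state, ppid, pgrp, ...
        fields = stat[stat.rfind(")") + 1:].split()
        ppid = int(fields[1])
        hits.append({"pid": int(entry), "ppid": ppid, "exe": exe,
                     "orphaned": ppid == 1})
    return hits


def staging_artifacts(tmp_root=None):
    """Paths under the temp dir that match the dropper's naming scheme."""
    root = Path(tmp_root or os.environ.get("TMPDIR", "/tmp"))
    found = []
    staging = root / STAGING_DIR
    if staging.is_dir():      # marker, <12 hex>.php stage and (on Windows) .vbs
        found.extend(str(p) for p in sorted(staging.iterdir()))
    found.extend(str(p) for p in sorted(root.iterdir()) if HEX8.match(p.name))
    return found


def build_sample_tree():
    """Constructed fixture: a fake /proc with three processes and a fake /tmp.
    Returns (proc_root, tmp_root)."""
    base = Path(tempfile.mkdtemp())
    proc, tmp = base / "proc", base / "tmp"
    procs = {  # pid: (contents of /proc/<pid>/stat, target of /proc/<pid>/exe)
        "4242": ("4242 (.1a2b3c4d) S 1 4242 4242 0 -1 4194560 0",
                 "/tmp/.1a2b3c4d (deleted)"),        # orphaned, deleted ELF
        "4300": ("4300 (php) S 4242 4300 4300 0 -1 4194560 0",
                 "/usr/bin/php8.3"),                 # ordinary live binary
        "4400": ("4400 (sleep (x)) S 900 4400 4400 0 -1 4194560 0",
                 "/tmp/upgrade (deleted)"),          # deleted but not orphaned
    }
    for pid, (stat, exe) in procs.items():
        d = proc / pid
        d.mkdir(parents=True)
        (d / "stat").write_text(stat + "\n")
        os.symlink(exe, d / "exe")
    (tmp / STAGING_DIR).mkdir(parents=True)
    (tmp / STAGING_DIR / "0123456789ab.php").write_text("<?php // placeholder\n")
    (tmp / ".1a2b3c4d").write_bytes(b"\x7fELF")
    (tmp / "systemd-private-x").mkdir()              # benign noise
    return str(proc), str(tmp)


if __name__ == "__main__":
    proc_root, tmp_root = build_sample_tree()
    for hit in deleted_executables(proc_root):
        print("deleted exe: pid=%(pid)d ppid=%(ppid)d orphaned=%(orphaned)s %(exe)s" % hit)
    for path in staging_artifacts(tmp_root):
        print("staging artifact:", path)
```

On a live host call deleted_executables() and staging_artifacts() with their defaults as root; the ppid check alone is not decisive (any daemon has it), so the deleted-exe condition is the one to key on, and the PID of a hit is what you hand to the forensics step before the process exits.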
The tag-rewrite delivery looks superficially similar to the actions-cool incident four days earlier (see [[actions-cool]]), but the two are distinct. In the actions-cool case, TeamPCP routed tags on official refs to commits inside an attacker-owned fork without ever pushing to the official repository. The Laravel-Lang attacker, by contrast, held push access and rewrote tags directly. The flipboxstudio.info infrastructure does not appear in the Mini Shai-Hulud campaign.
Affected Artifacts
- laravel-lang/lang
  - Observed: 2026-05-22 to 2026-05-23
  - Fixed: Not listed
  - Every tag rewritten during the attack window. StepSecurity reported 502 at the time; the GitHub repo now carries 504 pre-attack tags, restored after cleanup. Socket independently confirmed malicious code in version 14.3.7. Packagist delisted the package after the malicious versions were removed.
- laravel-lang/attributes
  - Observed: 2026-05-22 to 2026-05-23
  - Fixed: Not listed
  - StepSecurity reported 86 rewritten tags; the GitHub repo now carries 83 pre-attack tags, suggesting three malicious tags were deleted rather than restored. Mix of bare-numeric and v-prefixed tag names.
- laravel-lang/actions
  - Observed: 2026-05-22 to 2026-05-23
  - Fixed: Not listed
  - StepSecurity reported 46 rewritten tags covering 1.0.0 through 1.12.2; the GitHub repo now carries 45 pre-attack tags (1.0.0 through 1.13.0), so a small amount of tag churn occurred during cleanup. Not flagged in the initial Aikido report.
- laravel-lang/http-statuses
  - Observed: 2026-05-22 to 2026-05-23
  - Fixed: Not listed
  - StepSecurity reported every tag from v1.0.0 through v3.4.5 was rewritten. The repo now also carries bare-numeric tags (1.0.11, 2.1.4, 3.5.0 through 3.13.0) whose target commits predate the attack window, so 69 pre-attack tags are listed here in total.
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: Yes
Indicators
- location (mirror): github.com/Laravel-Lang
- file: src/helpers.php
- file: /tmp/.laravel_locale/<md5>
- file: /tmp/.laravel_locale/<12 hex>.php
- file: /tmp/.laravel_locale/<8 hex>.vbs
- file: /tmp/.<8 hex>
- domain: flipboxstudio.info
- url: https://flipboxstudio.info/payload
- url: https://flipboxstudio.info/exfil
- account: Your Name <you@example.com>
- file: DebugChromium.exe
- string: k9X2mP7vL4nQ8wR1
- technique: composer autoload.files injection
- technique: orphaned php and ELF processes with parent PID 1
- technique: AWS IMDS scrape from 169.254.169.254
- technique: Chrome v127+ app-bound key extraction via DebugChromium.exe
Notes
- StepSecurity counted 502 rewritten tags on laravel-lang/lang, 86 on laravel-lang/attributes, 46 on laravel-lang/actions, and every tag from v1.0.0 through v3.4.5 on laravel-lang/http-statuses. An earlier Aikido report on 2026-05-22 cited 233 tags across three packages and missed laravel-lang/actions.
- The attacker held org-wide push access and rewrote tags directly on the official repositories. An earlier Aikido analysis described a fork-tag mechanism; StepSecurity's git evidence ("Your Name <you@example.com>" commits on the official refs, identical across all four repos) contradicts that and indicates direct push.
- Compromise window was 2026-05-22 22:32 UTC to 2026-05-23 00:00 UTC, with the first rewrite landing on laravel-lang/lang and the campaign extending across the four repositories within roughly 90 minutes.
- The dropper writes a per-host marker so the stealer runs once per machine. The second-stage PHP drops and runs an ELF at /tmp/.<8 hex> and unlinks the path; the live ELF shows parent PID 1 (it is reparented once the PHP process that spawned it exits) and an exe link ending in "(deleted)".
- flipboxstudio.info is a typosquat of the legitimate flipboxstudio.com.
- Socket counted roughly 700 rewritten tags across the four repositories and documented seventeen credential collectors in stage two covering cloud metadata services, Kubernetes service-account tokens, HashiCorp Vault, CI/CD working directories (Jenkins, GitLab Runner, GitHub Actions, CircleCI, TravisCI, ArgoCD), browsers, password managers (1Password, Bitwarden, LastPass, KeePass, Dashlane, NordPass), SSH keys, Git and Docker credentials, VPN configs, and cryptocurrency wallets.
- On Windows, stage two ships an embedded DebugChromium.exe that uses Chrome's debugging interface to extract the v127+ app-bound encryption key, defeating Chrome's newer cookie- and password-store protections.
- C2 hostname is built at runtime from character codes; TLS certificate verification is disabled on the fetch and a Mozilla User-Agent is spoofed. The string "k9X2mP7vL4nQ8wR1" recurs as an XOR key in the obfuscated payload.
External References
- Laravel-Lang Supply Chain Attack - StepSecurity (stepsecurity.io)
- Laravel-Lang/lang issue #8295 - Compromised version tags (github.com)
- Supply Chain Attack Targets Laravel-Lang Packages With Credential Stealer - Aikido (aikido.dev)
- Laravel Lang Supply Chain Compromise - Socket (socket.dev)
- Laravel-Lang/common issue #257 - Compromised version tags (github.com)
Source record: oss/attacks/laravel-lang/meta.yaml