How the Attack Worked
Security researchers have uncovered a supply chain attack targeting several PHP packages maintained by the Laravel-Lang organization. The affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Rather than modifying the source code directly, attackers rewrote existing git tags in each repository to point to new malicious commits. Over 700 package versions were published in rapid succession on May 22 and May 23, 2026, suggesting automated mass tagging or republishing.
Malicious Payload and Execution
The malicious code resides in a file called src/helpers.php, which is embedded into the version tags. This file is added to the autoload.files map in each compromised package. Because every Laravel application loads the vendor autoloader on startup, the payload executes immediately when any consumer boots the package; no class instantiation or method call is required. The payload contacts an external server at flipboxstudio[.]info to fetch a cross-platform credential stealer that works on Windows, Linux, and macOS.
Impact and Scope
On Windows, the dropper uses a Visual Basic Script launcher, while on Linux and macOS it executes the stealer via exec(). Researchers suspect the attacker gained access to organization-level credentials or release infrastructure. Because the malicious tags affect all existing versions, any project using these packages may be at risk. Users should audit their dependencies and rotate any credentials or secrets that may have been exposed.
Source: The Hacker News
