Laravel Lang packages hijacked to deploy credential-stealing malware
by Lawrence Abrams · BleepingComputer

A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages.
Security firms StepSecurity, Aikido Security, and Socket warned about the compromise on Friday, reporting that attackers had rewritten GitHub tags across four repositories maintained by the Laravel Lang organization rather than publishing entirely new malicious versions.
The affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions. The Laravel Lang packages are third-party localization packages and are not part of the official Laravel project.
According to Aikido, the attackers compromised 233 versions across three repositories, while Socket said roughly 700 historical versions may have been impacted.
What made the attack stand out is that the actual project's source code was not modified to include malicious code, but instead the attackers abused a GitHub feature that allows tags to point to commits in forks of the same repository.
"Rather than publishing a new malicious version, the attacker rewrote every existing git tag in each repository to point at a new malicious commit," explained StepSecurity.
"The rewrites started at 22:32 UTC against laravel-lang/lang (the flagship Laravel translations package, with 502 tags) and finished by 00:00 UTC against laravel-lang/actions. All four repositories share the same fake author identity, the same modified files, and the same payload behavior, which makes them almost certainly the work of one actor using one compromised credential with org-wide push access."
This allowed the attackers to publish what appeared to be legitimate release tags for the project, which actually led to malicious commits stored in an attacker-controlled fork of the repository.
When developers installed the package via Composer, it fetched the malicious commit while appearing to install a legitimate Laravel Lang release.
Executes a credential-stealer
The researchers found that the malicious releases introduced a malicious file named 'src/helpers.php', which was automatically loaded by Composer.
The injected code acted as a dropper that downloaded a second payload from the attacker's command and control server at flipboxstudio[.]info.
The downloaded PHP payload [VirusTotal] was a large cross-platform credential stealer for Linux, macOS, and Windows that harvests cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local `.env` configuration files.
The malware also contains regular expression patterns used to extract AWS keys, GitHub tokens, Slack tokens, Stripe secrets, database credentials, JWTs, SSH private keys, and cryptocurrency recovery phrases from files and environment variables.
On Windows systems, the PHP payload also extracts a base64-encoded executable [VirusTotal] embedded within the file, which is written to the %TEMP% folder as a random .exe filename, and then launched.
BleepingComputer's analysis of the Windows infostealer shows it is named 'DebugElevator' and designed to target Chrome, Brave, and Edge, and extract App-Bound Encryption keys needed to decrypt stored browser credentials.
An embedded PDB path also references the Windows account name 'Mero' and contains 'claude,' potentially indicating that AI was used to assist in developing the Windows malware.
C:\Users\Mero\OneDrive\Desktop\stuff\claude\Chromium-DebugElevator\x64\Release\DebugChromium.pdb
The researchers say that once the sensitive data has been extracted, the malware encrypts it and sends it back to the C2 server.
Aikido says it reported the incident to Packagist, which responded quickly by removing the malicious versions and temporarily unlisting the affected packages to prevent additional installations.
Developers using Laravel Lang packages are advised to review installed package versions, rotate exposed credentials, inspect systems for indicators of compromise, and, if possible, check for historical outbound connections to flipboxstudio[.]info.
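As an added triage aid that is not part of the article or of the researchers' tooling, the following script performs the three checks above on local artifacts: it lists the affected packages and the commit reference each resolves to in composer.lock, flags a package manifest that autoloads src/helpers.php, and searches log or source lines for the C2 domain. It assumes the standard composer.lock layout (source.reference holds the pinned commit) and uses only the package names, file path and domain named in the reports; the sample inputs are constructed.

```python
import json
import re

# Package names from the reports (laravel-lang/actions was only "possibly" affected).
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}
# C2 domain from the reports; also matches the defanged form flipboxstudio[.]info.
C2_PATTERN = re.compile(r"flipboxstudio\s*(?:\[\.\]|\.)\s*info", re.IGNORECASE)


def affected_in_lock(lock_text):
    """Return [(name, version, commit reference)] for affected packages in composer.lock.
    Composer pins the git commit under source.reference; after a tag rewrite the same
    version string can resolve to a different commit than an earlier, reviewed lock recorded."""
    lock = json.loads(lock_text)
    hits = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") in AFFECTED:
            ref = (pkg.get("source") or {}).get("reference", "")
            hits.append((pkg["name"], pkg.get("version", ""), ref))
    return hits


def autoloads_helpers(package_composer_json):
    """True if a package manifest lists src/helpers.php under autoload.files, the
    mechanism that ran the injected dropper whenever Composer's autoloader was included."""
    files = json.loads(package_composer_json).get("autoload", {}).get("files", [])
    return any(f.replace("\\", "/").removeprefix("./") == "src/helpers.php" for f in files)


def c2_hits(lines):
    """Return the lines (PHP source or proxy/DNS logs) that reference the C2 domain."""
    return [line for line in lines if C2_PATTERN.search(line)]


# Constructed sample inputs (not real lock, manifest or log data).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "1.0.0", "source": {"reference": "1111111"}},
        {"name": "laravel-lang/lang", "version": "1.0.0", "source": {"reference": "2222222"}}],
    "packages-dev": [
        {"name": "laravel-lang/attributes", "version": "1.0.0", "source": {"reference": "3333333"}}]})
SAMPLE_MANIFEST = json.dumps({"autoload": {"files": ["./src/helpers.php"]}})
SAMPLE_LOG = ["2024-01-01T00:00:00Z CONNECT api.github.com:443 200",
              "2024-01-01T00:00:05Z CONNECT flipboxstudio.info:443 200"]
```

Compare the references returned by affected_in_lock against a lock file committed before the rewrite window, or against Packagist after the cleanup; a changed reference for an unchanged version string is the signature of this attack.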