Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer
A sophisticated supply chain attack has compromised multiple PHP packages belonging to **Laravel-Lang**, injecting a credential-stealing framework. The attack rewrites existing Git tags to point to malicious commits, impacting over 700 versions of the affected packages.

Cybersecurity researchers have uncovered a new software supply chain attack targeting **Laravel-Lang** PHP packages to deliver a comprehensive credential-stealing framework. This attack highlights the increasing sophistication and potential impact of supply chain vulnerabilities.
### Affected Packages
The compromised packages include:
* laravel-lang/lang
* laravel-lang/http-statuses
* laravel-lang/attributes
* laravel-lang/actions
**Socket** reported that the timing of the published tags suggests a broader compromise of the **Laravel Lang** organization's release process. The tags were published rapidly on May 22 and May 23, 2026 (Note: Year is likely a typo in the source), with many versions appearing within seconds of each other.
It's believed that the attacker gained access to organization-level credentials, repository automation, or release infrastructure. More than 700 versions have been identified as part of this automated mass tagging or republishing event.
### Attack Vector
A unique aspect of this attack is that the project's source code wasn't directly modified. Instead, the attackers rewrote every existing Git tag in each repository to point to a new malicious commit.
The malicious code resides in `src/helpers.php`, which is embedded into the version tags. This file fingerprints the infected host and communicates with an external server (`flipboxstudio[.]info`) to retrieve a PHP-based cross-platform payload for Windows, Linux, and macOS.
**StepSecurity** noted that the attacker added `src/helpers.php` to the `autoload.files` map in each compromised package. Because every **Laravel** application calls `require __DIR__.'/vendor/autoload.php'` on startup, the payload executes immediately upon booting, without requiring class instantiation or method calls.
### Payload Execution
According to **Aikido Security**, the dropper delivers a **Visual Basic Script** launcher on Windows, executed via `cscript`. On Linux and macOS, it executes the stealer payload using `exec()`.
**Socket** explained that because `src/helpers.php` is registered in the `composer.json` under `autoload.files`, the backdoor executes automatically on every PHP request handled by the compromised application.
The script generates a unique per-host marker (an MD5 hash combining the directory path, system architecture, and inode) to ensure the payload triggers only once per machine, preventing redundant executions and aiding in remaining undetected.
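The two passages above describe the same mechanism from both ends: a tag rewrite changes the commit a version string resolves to, and an `autoload.files` entry makes the injected file run on every `require vendor/autoload.php`. The script below is an added example written for this article, not code from Laravel-Lang, Socket, StepSecurity or Aikido. It reads a project's `vendor/composer/installed.json` and `composer.lock`, flags any `autoload.files` entry in the four affected packages (with `src/helpers.php` called out as the advisory's indicator), and reports lock-file commit references that differ from a pinned allowlist. The package names and file path come from the article; the sample JSON documents, the `example/unrelated` package and the `PLACEHOLDER_KNOWN_GOOD_SHA` value are constructed placeholders.

```python
"""Added defender-side check for the Laravel-Lang autoload.files injection.

Not project code. Inputs: vendor/composer/installed.json and composer.lock.
Sample documents below are constructed for illustration only.
"""
import json
import sys

# Package names from the advisory's "Affected Packages" list.
AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

# The autoloaded file the advisory identifies as the injected backdoor.
INJECTED_FILE = "src/helpers.php"


def _packages(doc):
    """Composer 2 writes {"packages": [...]} to installed.json; Composer 1
    wrote a bare list. composer.lock also uses {"packages": [...]}."""
    return doc["packages"] if isinstance(doc, dict) else doc


def autoloaded_files(installed):
    """Map package name -> autoload.files entries, for packages that have any.
    Every listed file runs on each `require vendor/autoload.php`, so no class
    needs to be instantiated for code in it to execute."""
    found = {}
    for pkg in _packages(installed):
        files = pkg.get("autoload", {}).get("files", [])
        if files:
            found[pkg["name"]] = list(files)
    return found


def flag_injected_helpers(installed):
    """Return (package, file, reason) findings for the affected packages."""
    findings = []
    for name, files in autoloaded_files(installed).items():
        if name not in AFFECTED_PACKAGES:
            continue
        for path in files:
            normalized = path[2:] if path.startswith("./") else path
            if normalized == INJECTED_FILE:
                findings.append((name, path, "advisory IoC: injected src/helpers.php"))
            else:
                findings.append((name, path, "autoload.files entry in affected package; review"))
    return findings


def reference_drift(lock, pinned):
    """Compare composer.lock commit references with a pinned allowlist.
    A re-pointed tag keeps the version string but changes the resolved
    commit, so pinning the reference is what exposes the swap.
    `pinned` is {package: expected_sha}."""
    drift = []
    for pkg in _packages(lock):
        name = pkg["name"]
        if name not in pinned:
            continue
        source = pkg.get("source") or {}
        dist = pkg.get("dist") or {}
        actual = source.get("reference") or dist.get("reference")
        if actual != pinned[name]:
            drift.append((name, pinned[name], actual))
    return drift


# Constructed sample documents (not taken from a real installation).
SAMPLE_INSTALLED = {
    "packages": [
        {"name": "laravel-lang/lang",
         "autoload": {"files": ["src/helpers.php"]}},          # injected entry
        {"name": "laravel-lang/attributes",
         "autoload": {"psr-4": {"Example\\Attributes\\": "src/"}}},  # no files entry
        {"name": "example/unrelated",
         "autoload": {"files": ["src/functions.php"]}},        # legitimate use of files
    ]
}
SAMPLE_LOCK = {
    "packages": [
        {"name": "laravel-lang/lang",
         "source": {"type": "git", "reference": "1111constructed2222"}},
        {"name": "example/unrelated",
         "dist": {"type": "zip", "reference": "3333constructed4444"}},
    ]
}
# Placeholder: replace with the commit you verified before the tag rewrite.
SAMPLE_PINNED = {"laravel-lang/lang": "PLACEHOLDER_KNOWN_GOOD_SHA"}


def main(argv):
    """Usage: python check_composer.py vendor/composer/installed.json composer.lock"""
    if len(argv) == 3:
        with open(argv[1]) as f:
            installed = json.load(f)
        with open(argv[2]) as f:
            lock = json.load(f)
    else:
        installed, lock = SAMPLE_INSTALLED, SAMPLE_LOCK
    for name, path, reason in flag_injected_helpers(installed):
        print(f"FLAG  {name}: {path} ({reason})")
    for name, expected, actual in reference_drift(lock, SAMPLE_PINNED):
        print(f"DRIFT {name}: lock has {actual}, pinned {expected}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real project by passing the two paths; without arguments it runs over the constructed samples. The `autoload.files` check is a point-in-time indicator, while the reference comparison is the durable control: a lock file pins a commit hash, so a tag that now resolves elsewhere shows up as drift on the next `composer update`, even for a version string that previously installed cleanly.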
### Data Exfiltration
The stealer harvests a wide range of data from compromised systems and exfiltrates it to `flipboxstudio[.]info`. The targeted data includes:
* IAM roles and instance identity documents from cloud metadata endpoints.
* **Google Cloud** application default credentials.
* **Microsoft Azure** access tokens and service principal profiles.
* **Kubernetes** Service Account tokens and Helm registry configurations.
* Authentication tokens for **DigitalOcean**, **Heroku**, **Vercel**, **Netlify**, **Railway**, and **Fly.io**.
* **HashiCorp Vault** tokens.
* Tokens and configurations from **Jenkins**, **GitLab Runners**, **GitHub Actions**, **CircleCI**, **TravisCI**, and **ArgoCD**.
* Seed phrases and files associated with cryptocurrency wallets (Electrum, Exodus, Atomic, Ledger Live, Trezor, Wasabi, and Sparrow) and extensions (MetaMask, Phantom, Trust Wallet, Ronin, Keplr, Solflare, and Rabby).
* Browser history, cookies, and login data from **Google Chrome**, **Microsoft Edge**, **Mozilla Firefox**, **Brave**, and **Opera**, bypassing **Chromium's** app-bound encryption (**ABE**).
* Local vaults and browser extension data for **1Password**, **Bitwarden**, **LastPass**, **KeePass**, **Dashlane**, and **NordPass**.
* **PuTTY**/WinSCP saved sessions.
* Windows Credential Manager dumps.
* RDP files.
* Session tokens associated with applications like **Discord**, **Slack**, and **Telegram**.
* Data from **Microsoft Outlook**, **Thunderbird**, and popular FTP clients (FileZilla, WinSCP, and CoreFTP).
* Configuration and credential files containing **Docker** auth tokens, SSH private keys, Git credentials, shell history files, database history files, **Kubernetes** cluster configurations, `.env` files, `wp-config.php`, and `docker-compose.yml`.
* Environment variables loaded into the PHP process.
* Source control credentials from global and local `.gitconfig` files, `.git-credentials`, and `.netrc` files.
* VPN configuration and saved login files for **OpenVPN**, **WireGuard**, **NetworkManager**, and commercial VPNs such as **NordVPN**, **ExpressVPN**, **CyberGhost**, and **Mullvad**.
**Aikido** researcher Ilyas Makari stated that the fetched payload is a ~5,900-line PHP credential stealer, organized into fifteen specialist collector modules. After collecting data, it encrypts the results with AES-256 and sends them to `flipboxstudio[.]info/exfil`, then deletes itself to limit forensic evidence.