top of page

Supply Chain Attack: 700+ Laravel Lang Versions Infected with RCE Backdoor

  • May 23
  • 3 min read

Key Findings


  • Over 700 historical versions of laravel-lang localization packages compromised with RCE backdoors across multiple repositories

  • Attack occurred May 22-23, 2026 with automated mass tag publishing seconds apart, indicating infrastructure-level breach

  • Malicious code executes automatically via composer autoload.files on every PHP request in affected applications

  • Second-stage payload deploys 17 specialized credential collectors targeting cloud keys, Kubernetes tokens, wallet seeds, and browser credentials

  • Any application with compromised versions installed is actively compromised and requires immediate incident response


Background


The PHP ecosystem is facing a significant supply chain attack targeting the Laravel Lang GitHub organization, which maintains community-driven localization packages used by countless Laravel applications. While these packages are third-party rather than part of the official Laravel framework, their widespread adoption makes the risk to production environments enormous. The compromise affects multiple repositories under the organization, with malicious versions automatically executing hostile code the moment Composer's autoloader initializes during normal application runtime.


Coordinated Automation: The Attack Pattern


On May 22 and May 23, 2026, security researchers observed an unusual pattern of rapid-fire tag releases across multiple laravel-lang repositories including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. What stood out immediately was the timing—many tags created literally seconds apart, a pattern completely inconsistent with normal package maintenance workflows. This coordinated, high-speed automation strongly suggests either a broad compromise of the organization's release infrastructure or wholesale credential theft, rather than an isolated incident affecting a single repository.


Under the Hood: The Multi-Stage Infection


The primary infection vector hides within src/helpers.php, a file hooked directly into composer.json under autoload.files. This placement is critical to the attack's lethality because it guarantees the backdoor executes automatically on every single PHP request the compromised application handles.


The execution chain uses several deliberate stealth tactics to avoid detection. The Command and Control hostname (flipboxstudio[.]info) is dynamically reconstructed at runtime using character codes to bypass static string scanning tools. The script then reaches out to retrieve a second-stage payload while explicitly disabling TLS verification to slip past security proxies. On Unix systems it places itself in a hidden temp directory and executes in the background using native PHP execution methods, while on Windows it deploys a Visual Basic script via cscript to maintain persistence.


The Real Menace: A 17-Collector Info-Stealer


Once the second stage drops, the attack reveals itself as far more sophisticated than a simple command shell. It's a highly advanced, cross-platform credential harvesting framework that initializes 17 distinct "Collectors" designed to completely strip infected systems.


The cloud and infrastructure collectors target local configurations and actively query cloud metadata endpoints like AWS EC2 IMDS, stealing IAM roles and environment variables from Azure, Google Cloud, and Heroku. DevOps pipeline collectors dump Kubernetes Service Account tokens, strip local kubeconfig configurations, recursively query HashiCorp Vault APIs, and pillage build infrastructure including Jenkins and GitHub Actions. Local collectors scan for cryptocurrency seed files and deploy an embedded Windows executable called DebugChromium.exe specifically engineered to bypass Chrome App-Bound Encryption, extracting master keys and saved browser credentials in the process.


Incident Response Action Items


Organizations at every level must treat affected systems as actively compromised and move immediately on multiple fronts. Inspect composer.lock files right now for any laravel-lang packages and block all updates until verified clean releases are published. Because the stealer targets nearly every tier of infrastructure credentials, rotate cloud keys, Kubernetes tokens, Vault secrets, SSH keys, database passwords, and your application's APP_KEY. Rebuild all compromised application hosts, containers, and CI runners entirely from known-good images. Make sure you preserve process execution logs, composer.lock artifacts, network and DNS logs, and temporary directory contents for deeper forensic analysis.


Sources


  • https://securityonline.info/laravel-lang-supply-chain-attack-rce-backdoor/

  • https://www.reddit.com/r/SecOpsDaily/comments/1tl5p6p/laravel_lang_compromised_with_rce_backdoor_across

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page