A sophisticated supply chain attack has compromised the popular Laravel Lang localization packages, exposing PHP developers worldwide to credential-stealing malware. Attackers abused GitHub version tagging to distribute malicious code through Composer packages — one of the most widely used dependency managers in the PHP ecosystem.
How the Attack Unfolded
Security researchers identified a coordinated campaign in which threat actors gained unauthorized access to the Laravel Lang repository and created fraudulent GitHub release tags pointing to tampered package versions. Unlike typical supply chain attacks, the malicious code was not inserted into composer.json directly, making it harder to detect through standard dependency auditing.
The attack specifically targeted the tag-based release mechanism that Composer relies on to resolve package versions. When developers ran composer install or composer update, they unknowingly pulled down the compromised packages.
What the Malware Does
The malicious payload is a cross-platform credential stealer capable of targeting:
- Browser credentials stored in Chromium-based browsers and Firefox
- SSH private keys from developer workstations
- API tokens and secrets from environment files (.env)
- Git credentials and repository access tokens
- Package manager tokens (npm, Composer, PyPI)
The stealer exfiltrates collected credentials to an attacker-controlled command-and-control server, with particular focus on stealing cloud provider access keys and software delivery pipeline credentials — maximizing the attacker's ability to pivot to further supply chain compromises.
Scope and Impact
The Laravel ecosystem is used by an estimated 2 million developers globally, with Laravel Lang packages installed on hundreds of thousands of projects. The breadth of exposure means any developer who updated their Composer dependencies during the attack window may be affected.
Projects in CI/CD pipelines are at particularly high risk, as automated builds may have pulled the malicious packages without human review.
Recommended Actions
Developers and organizations using Laravel should take immediate action:
- Audit your Composer lock file — review composer.lock for Laravel Lang package versions installed in the past 30 days
- Rotate all credentials — assume compromise of any secrets accessible from affected machines or pipelines
- Check for unauthorized access — audit logs for cloud accounts, GitHub, npm, and other platforms connected to affected developer environments
- Update packages — run composer update to pull clean, verified versions of affected packages
- Enable Composer integrity verification — use composer audit and consider pinning packages to verified commit hashes
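The lock-file audit described above, as an added example that is not part of the original article or of the Laravel Lang project: it reads a composer.lock, lists every laravel-lang/* package from both the packages and packages-dev sections, and compares the commit reference Composer recorded for each tag against a team-maintained allow-list of verified commits. The sample lock excerpt and the allow-list hashes are constructed placeholders, not real project data.

```python
import json

# Vendor prefix in scope for this advisory: every laravel-lang/* package.
VENDOR_PREFIX = "laravel-lang/"

# Constructed allow-list: (package, version) -> commit hash a maintainer has
# checked against the upstream repository. Placeholder hashes, not real ones.
TRUSTED_REFS = {
    ("laravel-lang/lang", "15.5.0"): "a" * 40,
}

# Constructed composer.lock excerpt. The second entry resolves a tag to a commit
# that is not on the allow-list, and its dist archive does not even match the
# git reference; that is the shape a re-pointed release tag leaves behind.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.5.0",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git", "reference": "a" * 40},
         "dist": {"type": "zip", "url": "https://example.invalid/lang.zip", "reference": "a" * 40}},
        {"name": "laravel-lang/common", "version": "6.4.1",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/common.git", "reference": "b" * 40},
         "dist": {"type": "zip", "url": "https://example.invalid/common.zip", "reference": "c" * 40}},
        {"name": "monolog/monolog", "version": "3.5.0",
         "source": {"type": "git", "url": "https://github.com/Seldaek/monolog.git", "reference": "d" * 40},
         "dist": {"type": "zip", "url": "https://example.invalid/monolog.zip", "reference": "d" * 40}},
    ],
    "packages-dev": [],
})


def audit_lock(lock_text, trusted=TRUSTED_REFS, prefix=VENDOR_PREFIX):
    """Return one finding per in-scope package: name, version, git reference and status."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if not name.startswith(prefix):
                continue
            version = pkg.get("version", "")
            src_ref = (pkg.get("source") or {}).get("reference")
            dist_ref = (pkg.get("dist") or {}).get("reference")
            status = "verified" if trusted.get((name, version)) == src_ref else "unverified"
            if src_ref and dist_ref and src_ref != dist_ref:
                status = "ref-mismatch"  # archive and tag disagree: treat as tampered
            findings.append({"name": name, "version": version, "section": section,
                             "reference": src_ref, "status": status})
    return findings


def needs_rotation(findings):
    """True if any in-scope package is not on the verified allow-list."""
    return any(f["status"] != "verified" for f in findings)
```

Run `audit_lock(open("composer.lock").read())` against a real lock file after replacing the placeholder allow-list; any finding that is not "verified" is a machine or pipeline whose secrets should be rotated.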
Broader Implications
This attack follows a well-established pattern of targeting widely-used language ecosystem packages to maximize reach. The PHP/Composer ecosystem has historically had fewer supply chain security controls compared to npm or PyPI, making it an increasingly attractive target.
GitHub has since removed the malicious tags and suspended the compromised accounts involved in the attack. Package maintainers are urged to enable two-factor authentication and review their repository access controls.
Developers should treat any environment where a compromised package was installed as fully compromised and initiate credential rotation across all connected services.