Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Laravel Lang Packages Hijacked to Deploy
Laravel Lang Packages Hijacked to Deploy
NEWS

Laravel Lang Packages Hijacked to Deploy

A supply chain attack targeting Laravel Lang localization packages has exposed developers to credential-stealing malware after attackers abused GitHub...

Dylan H.

News Desk

May 23, 2026
3 min read

A sophisticated supply chain attack has compromised the popular Laravel Lang localization packages, exposing PHP developers worldwide to credential-stealing malware. Attackers abused GitHub version tagging to distribute malicious code through Composer packages — one of the most widely used dependency managers in the PHP ecosystem.

How the Attack Unfolded

Security researchers identified a coordinated campaign in which threat actors gained unauthorized access to the Laravel Lang repository and created fraudulent GitHub release tags pointing to tampered package versions. Unlike typical supply chain attacks, the malicious code was not inserted into composer.json directly, making it harder to detect through standard dependency auditing.

The attack specifically targeted the tag-based release mechanism that Composer relies on to resolve package versions. When developers ran composer install or composer update, they unknowingly pulled down the compromised packages.

What the Malware Does

The malicious payload is a cross-platform credential stealer capable of targeting:

  • Browser credentials stored in Chromium-based browsers and Firefox
  • SSH private keys from developer workstations
  • API tokens and secrets from environment files (.env)
  • Git credentials and repository access tokens
  • Package manager tokens (npm, Composer, PyPI)

The stealer exfiltrates collected credentials to an attacker-controlled command-and-control server, with particular focus on stealing cloud provider access keys and software delivery pipeline credentials — maximizing the attacker's ability to pivot to further supply chain compromises.

Scope and Impact

The Laravel ecosystem is used by an estimated 2 million developers globally, with Laravel Lang packages installed on hundreds of thousands of projects. The breadth of exposure means any developer who updated their Composer dependencies during the attack window may be affected.

Projects in CI/CD pipelines are at particularly high risk, as automated builds may have pulled the malicious packages without human review.

Recommended Actions

Developers and organizations using Laravel should take immediate action:

  1. Audit your Composer lock file — review composer.lock for Laravel Lang package versions installed in the past 30 days
  2. Rotate all credentials — assume compromise of any secrets accessible from affected machines or pipelines
  3. Check for unauthorized access — audit logs for cloud accounts, GitHub, npm, and other platforms connected to affected developer environments
  4. Update packages — run composer update to pull clean, verified versions of affected packages
  5. Enable Composer integrity verification — use composer audit and consider pinning packages to verified commit hashes

Broader Implications

This attack follows a well-established pattern of targeting widely-used language ecosystem packages to maximize reach. The PHP/Composer ecosystem has historically had fewer supply chain security controls compared to npm or PyPI, making it an increasingly attractive target.

GitHub has since removed the malicious tags and suspended the compromised accounts involved in the attack. Package maintainers are urged to enable two-factor authentication and review their repository access controls.

Developers should treat any environment where a compromised package was installed as fully compromised and initiate credential rotation across all connected services.

Related Reading

  • Laravel-Lang PHP Packages Compromised to Deliver
  • GlassWorm ForceMemo: Stolen GitHub Tokens Used to Poison
  • Claude Code Leak Used to Push Infostealer Malware on GitHub
#Malware#Supply Chain#PHP#Laravel#GitHub

Related Articles

Laravel-Lang PHP Packages Compromised to Deliver

Multiple PHP packages belonging to the Laravel-Lang organization have been poisoned in a software supply chain attack, delivering a cross-platform...

4 min read

North Korean Hackers Target Open Source Developers in Supply Chain Attacks

The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer targeting developers worldwide.

5 min read

Clean GitHub Repo Tricks AI Coding Agents Into Running Malware

Researchers demonstrate how a seemingly clean, scanner-safe GitHub repository can silently execute a malicious payload when an AI coding agent clones and...

5 min read
Back to all News