Overview
Cybersecurity researchers have uncovered a new software supply chain attack targeting the Laravel-Lang PHP package organization. Multiple widely used packages have been poisoned to deliver a comprehensive credential-stealing framework capable of running on Windows, Linux, and macOS environments.
The campaign targets developers who install Laravel internationalization packages via Composer — a common workflow for Laravel applications built for multilingual audiences.
Affected Packages
Researchers identified the following Laravel-Lang packages as compromised:
| Package | Purpose |
|---|---|
| laravel-lang/lang | Core language files for Laravel |
| laravel-lang/http-statuses | HTTP status message translations |
Additional packages in the laravel-lang namespace may also be affected. Developers should audit all laravel-lang/* dependencies in their projects.
Attack Mechanics
The attackers executed a classic maintainer account hijacking technique:
- Account compromise — The threat actors gained access to a package maintainer's credentials or session token
- Malicious version push — Poisoned package versions containing a credential-stealing payload were published to Packagist (the primary PHP package repository)
- Trojanized install — Developers running `composer require laravel-lang/*` or `composer update` would silently pull in the malicious package
- Credential harvesting — The payload collects stored browser credentials, SSH keys, API tokens, and environment variables
- Exfiltration — Stolen data is sent to attacker-controlled command-and-control infrastructure
The stealer framework is described as cross-platform, meaning a single payload delivery mechanism targets all major operating systems where PHP developers work.
Scope and Impact
Laravel is one of the most popular PHP frameworks in the world, with millions of active installations. The laravel-lang/lang package alone has been downloaded hundreds of millions of times via Packagist. Key impact areas include:
- Web application developers using Laravel for enterprise and SaaS applications
- DevOps and CI/CD pipelines that automatically pull updated dependencies during build processes
- Cloud-hosted environments where stolen credentials could enable lateral movement or privilege escalation
- Open-source contributors whose personal development machines may also be targeted
Organizations with automated Composer update processes are at particularly elevated risk — the poisoned packages could have been installed without any manual developer interaction.
Detection and Remediation
Immediate steps for affected organizations:
- Audit Composer lock files — Check `composer.lock` for recent updates to `laravel-lang` packages and cross-reference against known-malicious version numbers
- Rotate all credentials — Treat all credentials accessible from affected developer machines as compromised: API keys, database passwords, SSH keys, cloud credentials
- Review CI/CD secrets — If build pipelines pulled affected packages, assume pipeline secrets (GitHub Actions, GitLab CI tokens, etc.) are compromised
- Scan for malware persistence — Run endpoint detection tools to identify any remaining malware artifacts or persistence mechanisms
- Check environment files — `.env` files containing database connection strings and API keys are prime targets for this type of stealer
Indicators to look for:
- Unexpected outbound connections from developer machines or CI systems
- New or modified files in PHP vendor directories with obfuscated code
- Unexpected processes spawning from `php` or Composer-related processes
Broader Supply Chain Context
This attack follows a pattern seen repeatedly in 2025–2026 against package ecosystems including npm, PyPI, RubyGems, and now Packagist. Key trends researchers have noted:
- Maintainer account takeovers are increasingly the preferred vector — attackers target individual developer credentials rather than exploiting the repository infrastructure itself
- Cross-platform payloads maximize the blast radius by ensuring the malware runs regardless of the victim's OS
- CI/CD pipeline targeting multiplies impact by potentially compromising entire organizations through a single developer's dependencies
Sources
- The Hacker News — Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer