Laravel - RaghavOnSecurity

Introduction

Cybersecurity researchers have uncovered a large-scale software supply chain attack targeting the PHP and Laravel ecosystem. Researchers discovered that attackers had injected malicious code into multiple popular Laravel-Lang packages distributed through Composer – PHP’s widely used dependency manager. The malicious code was specifically designed to silently steal credentials from infected systems.

The attack is not a simple infostealer. It functions more like a professional cyber espionage toolkit, capable of harvesting cloud credentials, CI/CD secrets, cryptocurrency wallet data, browser sessions, VPN configurations, and Kubernetes tokens – across Windows, Linux, and macOS.

Which Packages Were Compromised?

Researchers identified four Laravel-Lang packages that were weaponized:

  • laravel-lang/lang
  • laravel-lang/http-statuses
  • laravel-lang/attributes
  • laravel-lang/actions

Security researchers detected suspicious publishing activity between May 22 and May 23, 2026. Attackers published over 700 malicious package versions within seconds of each other. This pattern strongly points to automated mass publishing – something no legitimate maintainer would do.

Investigators believe the attackers may have compromised:

  • Organization-level publishing credentials.
  • Repository automation pipelines.
  • CI/CD release systems or tokens.

How Does the Malware Work?

The attack’s core payload lives inside a malicious file: src/helpers.php.

This file was registered in Composer's autoload configuration, in the eagerly loaded file list that vendor/composer/autoload_files.php records. That means the malware executes automatically on every PHP request, before any application code runs – no manual trigger required. Simply installing or updating the compromised package can silently initiate the infection chain.

Infection Flow

  • The malware fingerprints the target machine using system architecture, directory paths, and inode values.
  • It generates a unique MD5 identifier to avoid reinfecting the same machine.
  • It contacts an external command-and-control (C2) server at flipboxstudio[.]info.
  • A payload of nearly 5,900 lines of PHP code is downloaded and executed.

What Data Does It Steal?

Cloud Infrastructure Credentials

  • AWS IAM roles and instance identity documents.
  • Google Cloud credentials.
  • Azure access tokens.
  • Kubernetes service account tokens and Helm registry configurations.
  • Credentials from DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io.

CI/CD Pipeline Secrets

  • Jenkins, GitLab Runners, GitHub Actions.
  • CircleCI, TravisCI, ArgoCD.

Cryptocurrency Wallets

  • Desktop wallets targeted: Electrum, Exodus, Atomic Wallet, Ledger Live, Trezor, Wasabi, Sparrow.
  • Browser extensions targeted: MetaMask, Phantom, Trust Wallet, Ronin, Keplr, Solflare, Rabby.

Browser Data

Cookies, saved passwords, history, and login sessions from Chrome, Edge, Firefox, Brave, and Opera. The malware also includes an embedded executable to bypass Chromium’s App-Bound Encryption.

Passwords, Keys & More

  • 1Password, Bitwarden, LastPass, KeePass, Dashlane, NordPass.
  • SSH private keys, Docker auth tokens, .env files.
  • Kubernetes configs, Git credentials, and database history files.
  • NordVPN, ExpressVPN, CyberGhost, and Mullvad configurations.
  • RDP files, Windows Credential Manager, Outlook, and Thunderbird data.
  • FileZilla, WinSCP, Slack tokens, Discord sessions, Telegram auth tokens.

Cross-Platform by Design

The attackers built this malware to run across all major platforms – not just a single operating system like most supply chain attacks.

  • Windows: Deploys a Visual Basic Script launcher executed via cscript.
  • Linux/macOS: Payload is launched directly through PHP’s exec() function.

Why Is This Attack So Difficult to Detect?

The abuse of Composer’s autoload system is what makes this campaign particularly stealthy:

  • Developers rarely inspect automatically loaded vendor files.
  • The payload initially appears as standard PHP code.
  • Execution happens inside trusted application processes.
  • Standard antivirus tools may not flag it.

How to Check If You Are Affected?

Run the following commands to inspect your environment:

Find recently modified Composer packages:

find vendor/ -type f -mtime -7

Search for the malicious C2 domain:

grep -R "flipboxstudio" vendor/

Detect dangerous exec functions:

grep -R "exec(" vendor/
grep -R "shell_exec(" vendor/

Audit Composer packages:

composer validate
composer audit

Inspect autoloaded files:

cat vendor/composer/autoload_files.php

Search for hidden PHP droppers:

find . -name "*.php" -print0 | xargs -0 grep -l "base64_decode"
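The checks above combined into one scan, as an added example that is not from the original article or from the Laravel-Lang project. It assumes a standard Composer layout (composer.lock at the project root, vendor/composer/autoload_files.php) and builds a small constructed fixture so it can be run without a real compromised tree; findings go to stderr and the number of findings is printed on stdout.

```shell
#!/bin/sh
# Added example: scan one project tree for the indicators named in the article.
scan_project() {
  dir="$1"; hits=0
  lock="$dir/composer.lock"
  for pkg in laravel-lang/lang laravel-lang/http-statuses \
             laravel-lang/attributes laravel-lang/actions; do
    # 1. One of the four named packages is pinned in the lockfile at all.
    if [ -f "$lock" ] && grep -q "\"name\": \"$pkg\"" "$lock"; then
      echo "LOCKED   $pkg is installed; compare its version against the advisory" >&2
      hits=$((hits + 1))
    fi
  done
  # 2. A laravel-lang package registers src/helpers.php in the eager 'files'
  #    autoloader, which Composer requires on every request.
  al="$dir/vendor/composer/autoload_files.php"
  if [ -f "$al" ] && grep -q "laravel-lang/[^/']*/src/helpers\.php" "$al"; then
    echo "AUTOLOAD laravel-lang src/helpers.php is loaded on every request" >&2
    hits=$((hits + 1))
  fi
  # 3. Any vendor file references the C2 domain named in the article.
  if [ -d "$dir/vendor" ] && grep -rq "flipboxstudio" "$dir/vendor"; then
    echo "C2       vendor code references flipboxstudio" >&2
    hits=$((hits + 1))
  fi
  echo "$hits"
}

# Constructed fixture (not a real compromised tree, version number is made up):
# one affected package in the lockfile, its helpers.php registered for autoload,
# and a C2 reference inside that file.
make_fixture() {
  root="$1"
  mkdir -p "$root/vendor/composer" "$root/vendor/laravel-lang/lang/src"
  printf '{\n  "packages": [\n    { "name": "laravel-lang/lang", "version": "99.0.0" }\n  ]\n}\n' \
    > "$root/composer.lock"
  printf "<?php\nreturn array(\n  'deadbeef' => \$vendorDir . '/laravel-lang/lang/src/helpers.php',\n);\n" \
    > "$root/vendor/composer/autoload_files.php"
  printf '<?php\n$c2 = "flipboxstudio";\n' > "$root/vendor/laravel-lang/lang/src/helpers.php"
}

# Run with --demo to scan the fixture; otherwise call scan_project /path/to/project.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_fixture "$tmp"
  echo "findings: $(scan_project "$tmp")"; rm -rf "$tmp"
fi
```

A result of 0 on a real tree means only that these three indicators are absent; a package that is present in the lockfile still needs its installed version compared with the advisory.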

What Should Developers Do Now?

  • Pin your dependencies – avoid open version ranges in composer.json.
  • Run composer audit regularly to catch known vulnerabilities.
  • Review code diffs before accepting package updates.
  • Use composer install --no-dev --prefer-dist in production.
  • Monitor outbound network traffic from your servers.
  • Rotate all cloud credentials, SSH keys, and API tokens if you used any affected packages.
  • Enable package signing verification where available.

Conclusion

This Laravel ecosystem attack is a defining moment for PHP supply chain security, and a warning that applies well beyond one language or framework.

Attackers no longer need to breach enterprise firewalls directly. Compromising a trusted package maintainer or CI/CD pipeline gives them a free ride into thousands of production environments at once.

Cloud credential theft is increasingly replacing ransomware as a primary goal, because stolen tokens can quietly generate revenue through cryptomining, data resale, or infrastructure hijacking. It often occurs without triggering alarms.

The multi-platform nature of this malware, combined with its breadth of targets (from developer laptops to Kubernetes clusters to crypto wallets), signals a highly organized, financially motivated operation – not opportunistic hacking.

Expect this incident to accelerate the adoption of signed package enforcement, stricter maintainer verification, and behavioral monitoring across Composer, npm, PyPI, and other open-source ecosystems. Organizations that still treat dependency management as a low-risk routine task are overdue for a policy review.

By Raghav Bansal

Raghav Bansal has been working as a cybersecurity researcher for the past 8 years. He possesses strong research skills and specializes in crafting information related to cybersecurity and information security, covering almost all topics in the field. With a keen eye for detail and a dedication to staying updated with the latest trends and threats,
