A supply chain attack targeted the laravel-lang package: malicious code was injected via git tags on forks, executed at autoload time, and stole credentials, SSH keys, and environment secrets from any machine that ran composer update during the attack window. The attack was stopped quickly by Aikido Security, but it highlights a broader threat to Composer-based projects.

Practical Composer security tips:

- Always commit composer.lock, so every install reproduces the exact package versions and sources that were reviewed.
- Run targeted updates of the specific packages you intend to change rather than a blanket composer update.
- Run composer audit to check the installed packages against known vulnerabilities.
- Minimize external dependencies by questioning whether each package is truly necessary.
- Monitor social media (especially Twitter) for active security incidents before running updates.
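The attack mechanism described above (code that runs at autoload time, delivered through a fork rather than the canonical repository) leaves traces in composer.lock that can be reviewed offline before running an update. The script below is an added example, not code from the video or from the laravel-lang project: it parses a lock file and reports packages that register `autoload.files` entries (PHP that executes on every autoload) and packages whose git source is owned by a different account than the package's vendor name. The embedded lock fragment, package names and repository URLs are constructed for illustration.

```python
"""Audit a composer.lock for two supply-chain review points:
 1. packages with `autoload.files` entries, which Composer includes on every
    autoload and therefore execute without any call from application code;
 2. packages whose `source.url` owner differs from the vendor part of the
    package name, a heuristic for a lock that points at a fork.
Sample lock and all package names/URLs below are constructed, not real."""
import json
from urllib.parse import urlparse

# Constructed composer.lock fragment; only the keys this audit inspects are present.
SAMPLE_LOCK = json.dumps({
    "content-hash": "0123456789abcdef0123456789abcdef",
    "packages": [
        {   # canonical repository, PSR-4 only: nothing to report
            "name": "example-vendor/lang",
            "version": "v1.2.3",
            "source": {"type": "git",
                       "url": "https://github.com/example-vendor/lang.git",
                       "reference": "abc123"},
            "autoload": {"psr-4": {"ExampleVendor\\Lang\\": "src/"}},
        },
        {   # source points at another account's repository and ships an autoload file
            "name": "example-vendor/lang-tools",
            "version": "v1.2.4",
            "source": {"type": "git",
                       "url": "https://github.com/someone-else/lang-tools.git",
                       "reference": "def456"},
            "autoload": {"psr-4": {"ExampleVendor\\Tools\\": "src/"},
                         "files": ["src/helpers.php"]},
        },
        {   # canonical repository (SSH URL form) but has an autoload file worth reviewing
            "name": "other-vendor/polyfill",
            "version": "v3.0.0",
            "source": {"type": "git",
                       "url": "git@github.com:other-vendor/polyfill.git",
                       "reference": "789abc"},
            "autoload": {"files": ["bootstrap.php"]},
        },
    ],
    "packages-dev": [],
})


def repo_owner(url):
    """Return the owning account of a git URL in lowercase, or None if the URL
    has no owner/repo path. Handles https://host/Owner/repo.git and
    git@host:Owner/repo.git forms."""
    if url.startswith("git@"):
        path = url.split(":", 1)[1]
    else:
        path = urlparse(url).path
    parts = [p for p in path.split("/") if p]
    return parts[0].lower() if len(parts) >= 2 else None


def audit_lock(lock_json, allowed_owners=None):
    """Return a list of (package, finding, detail) tuples for every package in
    both the `packages` and `packages-dev` sections.

    allowed_owners maps a vendor name to a set of additional repository owners
    that are known to be legitimate for that vendor (vendor namespaces and
    hosting accounts do not always coincide), so they are not reported."""
    allowed_owners = allowed_owners or {}
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg["name"]
            vendor = name.split("/", 1)[0].lower()
            # Files listed here are required unconditionally by vendor/autoload.php.
            files = pkg.get("autoload", {}).get("files", [])
            if files:
                findings.append((name, "autoload-files", ", ".join(files)))
            src = pkg.get("source") or {}
            owner = repo_owner(src.get("url", ""))
            accepted = {vendor} | {o.lower() for o in allowed_owners.get(vendor, ())}
            if owner is not None and owner not in accepted:
                findings.append((name, "source-owner-mismatch", src["url"]))
    return findings


if __name__ == "__main__":
    for package, finding, detail in audit_lock(SAMPLE_LOCK):
        print(f"{package}: {finding} ({detail})")
```

Both checks are review prompts rather than verdicts: many legitimate packages ship autoload files, and some vendors host under an account that differs from their Composer vendor name, which is what the `allowed_owners` allowlist is for. Running the audit against the committed composer.lock in CI, and diffing its output between the old and new lock after a targeted update, surfaces a new autoload file or a changed source owner before the code is ever autoloaded.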