A supply chain attack was detected on May 22, 2026 targeting three popular Laravel-Lang packages (laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses), compromising 233 versions. The attacker exploited a GitHub feature that allows version tags to point to commits in a malicious fork, injecting a credential stealer via Composer's autoloader without ever committing to the official repos. The malicious code drops a ~5,900-line PHP stealer that collects cloud credentials (AWS, GCP, Azure), SSH keys, browser passwords, crypto wallets, VPN configs, and more, then exfiltrates them AES-256 encrypted to flipboxstudio[.]info before self-deleting. Packagist has taken down the malicious versions. Indicators of compromise and detection guidance are provided.
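For triage, the following added example (not code from the original write-up) inventories a `composer.lock` for the three packages named above and reports the commit each pinned version resolved to, so it can be checked against the official repository's history. The list of affected versions is not on this page, so the script only inventories; the sample lock file, its versions and its commit ids are constructed.

```python
import json

# Package names from the advisory above; the affected version list is not on this page.
AFFECTED = {"laravel-lang/lang", "laravel-lang/attributes", "laravel-lang/http-statuses"}

def audit_lock(lock_text):
    """Return one finding per affected package pinned in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = str(pkg.get("name", "")).lower()
            if name not in AFFECTED:
                continue
            source = pkg.get("source") or {}
            dist = pkg.get("dist") or {}
            autoload = pkg.get("autoload") or {}
            findings.append({
                "name": name,
                "section": section,
                "version": pkg.get("version"),
                # Commit the version tag resolved to when the lock was written.
                "commit": source.get("reference") or dist.get("reference"),
                # autoload.files entries load as soon as vendor/autoload.php is required.
                "eager_files": list(autoload.get("files") or []),
            })
    return findings

# Constructed sample lock file: versions and commit ids are placeholders.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.1-sample",
         "source": {"type": "git", "reference": "a" * 40},
         "autoload": {"files": ["src/helpers.php"]}},
        {"name": "monolog/monolog", "version": "0.0.2-sample",
         "source": {"type": "git", "reference": "b" * 40}},
    ],
    "packages-dev": [
        {"name": "Laravel-Lang/Attributes", "version": "0.0.3-sample",
         "dist": {"type": "zip", "reference": "c" * 40}},
    ],
})

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(f"{f['name']} {f['version']} ({f['section']}) commit={f['commit']} "
              f"eager_files={f['eager_files']}")
```

A pinned commit that does not appear in the official repository's history, or an unexpected `eager_files` entry, is the cue to treat the host's credentials as exposed and rotate them.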