Hackers Republished Laravel‑Lang Packages to Deliver PHP Stealer

Attackers republished more than 700 Laravel‑Lang package versions on May 22–23, 2026 and added a src/helpers.php backdoor that downloads a cross‑platform PHP credential stealer.

Attackers republished over 700 tagged versions of multiple Laravel‑Lang PHP packages on May 22 and May 23, 2026, embedding a malicious src/helpers.php file that fetches a credential‑stealing payload. The altered packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes and laravel-lang/actions.

Socket researchers noted the rapid, scripted pattern of the republished tags and concluded the activity points to a compromise of the Laravel‑Lang organization’s release process rather than a single tainted package. Many versions appeared only seconds apart, suggesting automated republishing or abuse of release automation. Investigators say the attacker likely obtained organization‑level credentials, access to repository automation, or control of release infrastructure.

The malicious code is located in src/helpers.php and was added to composer.json under autoload.files. That configuration causes the file to be executed automatically on every PHP request in applications that include the compromised package, enabling the backdoor to run without developer action.

The helpers.php dropper fingerprints infected hosts and contacts an external server at flipboxstudio[.]info to download a secondary PHP payload. The fetched payload runs on Windows, Linux and macOS. On Windows the dropper delivers a Visual Basic Script launcher and executes it via cscript; on Linux and macOS it invokes the stealer using exec().

The stealer generates a unique per‑host marker (an MD5 hash built from the directory path, system architecture and inode) so the payload triggers only once per machine. It then attempts to collect cloud credentials and local secrets, including instance identity documents, IAM roles via metadata endpoints, Google Cloud application default credentials and Microsoft Azure access tokens. The malware also harvests Kubernetes service account tokens, Helm registry data, HashiCorp Vault tokens and authentication tokens for hosting platforms such as DigitalOcean, Heroku, Vercel, Netlify, Railway and Fly.io.

The payload targets continuous integration and deployment tools and developer infrastructure, seeking credentials and tokens from Jenkins, GitLab Runners, GitHub Actions, CircleCI, TravisCI and ArgoCD. It extracts source control credentials and configuration files including .gitconfig, .git-credentials, .netrc, .env, wp-config.php, docker-compose.yml and Docker authentication tokens. The stealer also collects SSH private keys, shell history, RDP files, PuTTY and WinSCP sessions, and data from common email clients.

Cryptocurrency wallet data and browser secrets are among the items targeted. The malware looks for wallet files and seed phrases associated with Electrum, Exodus, Atomic, Ledger Live, Trezor, Wasabi and Sparrow, plus browser extension wallets such as MetaMask and Phantom. It extracts browser history, cookies and login data from Chrome, Edge, Firefox, Brave and Opera and uses an embedded Base64‑encoded Windows executable intended to bypass Chromium app‑bound encryption protections. Local vaults and password managers targeted include 1Password, Bitwarden, LastPass, KeePass, Dashlane and NordPass.

After collecting data the payload encrypts results with AES‑256 and exfiltrates them to flipboxstudio[.]info/exfil, then removes its files from disk. Aikido Security researcher Ilyas Makari characterized the fetched payload as a roughly 5,900‑line PHP credential stealer organized into fifteen specialized collector modules.

Security teams advising on the incident recommend auditing package integrity, rotating exposed credentials and secrets, reviewing CI and repository automation for unauthorized access, and scanning deployments for the infected src/helpers.php and indicators of exfiltration. Researchers continue to monitor the related infrastructure and have published indicators to help projects and operators identify affected versions and remediate impacted systems.
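Added example (not code from the write-up or the Laravel‑Lang project): a Python audit that walks vendor/laravel-lang/*/composer.json for the autoload.files entry described earlier and checks whether the src/helpers.php on disk references the named host, which is the scan the recommendations above call for. The sample vendor tree it builds and the package name example-clean are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the autoloaded dropper file and the C2 host name.
SUSPECT_FILE = "src/helpers.php"
SUSPECT_HOST = "flipboxstudio"  # defanged in the write-up as flipboxstudio[.]info


def audit_vendor(vendor_dir):
    """Return (package_name, reason) findings for packages under vendor/laravel-lang/."""
    findings = []
    for manifest in sorted(Path(vendor_dir).glob("laravel-lang/*/composer.json")):
        pkg_dir = manifest.parent
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the sweep
        name = data.get("name", "laravel-lang/" + pkg_dir.name)
        # autoload.files is what makes the dropper run on every Composer bootstrap.
        files = data.get("autoload", {}).get("files", [])
        if any(f.replace("\\", "/").lstrip("./") == SUSPECT_FILE for f in files):
            findings.append((name, "autoload.files includes " + SUSPECT_FILE))
        helper = pkg_dir / SUSPECT_FILE
        if helper.is_file() and SUSPECT_HOST in helper.read_text(errors="ignore"):
            findings.append((name, SUSPECT_FILE + " references " + SUSPECT_HOST))
    return findings


def build_sample_vendor(root):
    """Construct a toy vendor tree (sample data, not real package contents)."""
    clean = Path(root) / "laravel-lang" / "example-clean"  # hypothetical package name
    bad = Path(root) / "laravel-lang" / "lang"  # mimics the altered package layout
    for pkg in (clean, bad):
        (pkg / "src").mkdir(parents=True)
    (clean / "composer.json").write_text(json.dumps(
        {"name": "laravel-lang/example-clean",
         "autoload": {"psr-4": {"LaravelLang\\Clean\\": "src/"}}}))
    (bad / "composer.json").write_text(json.dumps(
        {"name": "laravel-lang/lang",
         "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"},
                      "files": ["./src/helpers.php"]}}))
    # Stand-in for the dropper body: only the host string matters to the check.
    (bad / "src" / "helpers.php").write_text("<?php // calls flipboxstudio[.]info\n")
    return root


def run_demo():
    # Build the sample tree in a temp dir, audit it and return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vendor(build_sample_vendor(tmp))
```

Against a real deployment, call audit_vendor("vendor") from the application root; a hit on the autoload entry alone is enough to compare the installed version with the published indicators before the host string check is trusted either way.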
