A supply chain attack targeting the PHP developer community has surfaced through Packagist, the official package repository for PHP and Laravel projects. <\/p>\n
Threat actor\u00a0nhattuanbl\u00a0published several packages that disguised a fully functional remote access trojan (RAT) inside what looked like standard Laravel utility libraries, giving attackers silent and persistent control over any system that installed them.<\/p>\n
The attack relied on a straightforward but effective strategy: blend in. The threat actor published six packages under the same author name between June and December 2024, despite the Packagist account itself dating back to December 2015. <\/p>\n
Three of those packages were completely clean and served as credibility builders, while two,\u00a0nhattuanbl\/lara-helper\u00a0and\u00a0nhattuanbl\/simple-queue, carried an identical malicious payload buried inside a file named\u00a0 A third package,\u00a0nhattuanbl\/lara-swagger, contained no malicious code on its own but silently pulled in\u00a0 Socket.dev analysts identified this remote access trojan<\/a> distributed across the malicious Packagist packages, noting that once installed, the payload connects to a command-and-control (C2) server at\u00a0 The researchers submitted takedown requests to the Packagist team, though the packages remained live at the time of publication.\u200b<\/p>\n The impact of this campaign is wide-reaching. Any Laravel application<\/a> that installed these packages has a persistent RAT running in the same process as the web app, with access to the same environment variables, database credentials, and API keys stored in\u00a0 The payload works on Windows, macOS, and Linux, making it a cross-platform threat that does not discriminate based on the developer\u2019s operating system.\u200b<\/p>\n What makes this attack particularly concerning is that even if the C2 server goes offline, the threat does not disappear. <\/p>\n The RAT retries its connection every 15 seconds indefinitely, meaning the attacker could simply redirect it to a new host at any time without modifying the payload itself. <\/p>\n The RAT-bearing packages, once loaded, operate silently in the background from the moment the application starts.\u200b<\/p>\n The infection chain is built for stealth at every stage. The malicious file\u00a0 The payload uses three distinct obfuscation layers: control flow is shattered into hundreds of randomized\u00a0 Activation works differently depending on which infected package a developer installs. In\u00a0 In\u00a0 Once triggered, the RAT spawns a detached background process of itself, passing a\u00a0 A lock file prevents duplicate instances and expires every 15 minutes.\u200b All traffic between the RAT and its C2 server is encrypted using\u00a0AES-128-CTR, with a hardcoded 16-byte key ( The C2 accepts JSON commands that instruct the RAT to run shell or PowerShell commands<\/a>, capture screenshots, upload or download files, and return full system reconnaissance data including hostname, OS version, user permissions, and a machine unique ID.\u200b<\/p>\n Any team that installed\u00a0 All secrets accessible from the application environment, including database passwords, API keys, and\u00a0 The packages and the\u00a0 Teams should also review outbound traffic to\u00a0 Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Malicious Packages Disguised as Laravel Utilities Deploy PHP RAT and Enables Remote Access<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nsrc\/helper.php<\/code>. <\/p>\nlara-helper<\/code>\u00a0as a hard Composer dependency, making it a clean-looking carrier for a dirty payload.\u200b<\/p>\nhelper[.]leuleu[.]net<\/code>\u00a0on port 2096, transmits a full system profile, and waits for operator commands, giving the attacker complete remote control over the compromised host. <\/p>\n.env<\/code>\u00a0files. <\/p>\n![\"lara-swagger's](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh_MJu2Z59c2Hvjgqi_MYk8WX9h8cRaStEnXDPdH_GTrGnr1DLDOIsYjGgM_BET9vsEq5dDKK_sVPNeUI6LfbAbjc36OphSiBrD5-GvhmM1HojrsjYyaNvtY9nMZ3AVJhhqtUMIjhklM3Z04zCAU8GQ-KjhToBfSDx5yNDxg2zDHYlusLiaBlA6ijeH4v8\/s16000\/lara-swagger%27s%2520composer.json%2520explicitly%2520requires%2520nhattuanbl%2520-%2520lara-helper%2520at%2520dev-master%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\")
Inside the Infection Mechanism<\/strong><\/h2>\n
helper.php<\/code>\u00a0is 27,340 bytes and delivered as a single continuous line after the opening\u00a0<?php<\/code>\u00a0tag, making it hard to read at a glance. <\/p>\ngoto<\/code>\u00a0jumps with meaningless labels like\u00a0tc0pE<\/code>\u00a0and\u00a0IlaiV<\/code>; every string literal, including domain names<\/a>, command names, and file paths, is encoded using hexadecimal or octal escape sequences so nothing readable appears in plaintext; and all variable and function names are randomly generated strings like\u00a0$riz07<\/code>\u00a0and\u00a0BsYhQ()<\/code>.<\/p>\n![\"Mitre](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjpOKmX4EC6e46pWy0Yc5z1ifckeyVY3-ThigPZ04y2b2PSMEpngW3n8q37eL3z-p5iFBCYwt5z4upOLINHGEcixwI3n8KFYkbg9oVB9ZdvY71fltmLHdw1pFvPOzES0ZW9b0-P1_K4CCtwmNRZRvSHEvfjozaSoG5lj5ScBh3ZL6wpnFA5mZ8KkVtKLfM\/s16000\/Mitre%2520attack%2520techniques%2520%28Source%2520-%2520Socket.Dev%29.webp?ssl=1\")
lara-helper<\/code>, the package registers a Laravel service provider through Composer\u2019s auto-discovery mechanism, and\u00a0helper.php<\/code>\u00a0is loaded on every single application boot. <\/p>\nsimple-queue<\/code>, the malicious include sits at the file scope level, meaning the payload fires the moment PHP\u2019s autoloader resolves the class, even through a type-hint or a simple\u00a0class_exists()<\/code>\u00a0check. <\/p>\nhelper<\/code>\u00a0argument, while the parent process returns to normal execution so the application never shows any visible signs of infection. <\/p>\nesCAmxUoJkIjTV0n<\/code>) embedded in the payload. <\/p>\nnhattuanbl\/lara-helper<\/code>,\u00a0nhattuanbl\/simple-queue<\/code>, or\u00a0nhattuanbl\/lara-swagger<\/code>\u00a0should treat the affected host as fully compromised. <\/p>\n.env<\/code>\u00a0values, must be rotated immediately. <\/p>\nhelper.php<\/code>\u00a0file should be removed, any files with\u00a0chmod 0777<\/code>\u00a0permissions should be audited, and the lock file at\u00a0{sys_get_temp_dir}\/wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock<\/code>\u00a0should be deleted. <\/p>\nhelper[.]leuleu[.]net:2096<\/code>, audit transitive dependencies, and avoid using\u00a0dev-master<\/code>\u00a0constraints in production environments since they bypass version pinning entirely.\u200b<\/p>\n