{"id":13100,"date":"2026-05-23T10:03:41","date_gmt":"2026-05-23T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/23\/hackers-compromised-233-versions-of-laravel-lang-packages-by-hacking-700-github-repos\/"},"modified":"2026-05-23T10:03:41","modified_gmt":"2026-05-23T10:03:41","slug":"hackers-compromised-233-versions-of-laravel-lang-packages-by-hacking-700-github-repos","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/23\/hackers-compromised-233-versions-of-laravel-lang-packages-by-hacking-700-github-repos\/","title":{"rendered":"Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos"},"content":{"rendered":"

Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A highly sophisticated supply chain attack has compromised the Laravel-Lang ecosystem, injecting credential-stealing remote code execution backdoors into 233 package versions across 700 GitHub repositories.<\/p>\n

Discovered in May 2026 by Socket and Aikido, threat actors manipulated GitHub tags to distribute malware through Composer\u2019s autoloader, granting complete remote access to developer environments.<\/p>\n

The attackers bypassed direct repository commits by exploiting GitHub\u2019s version tagging system<\/a> to point legitimate tags toward a malicious fork.<\/p>\n

When developers pulled the affected localization packages via Packagist, the malicious src\/helpers.php<\/code> executed automatically due to Composer\u2019s autoload.files<\/code> directive. This method effectively hid the malware from standard repository audits while inheriting full web application permissions.<\/p>\n

The initial infection phase utilizes a stealthy dropper that masquerades as a standard Laravel localization function. It fingerprints the host system using specific hardware metrics and establishes a temporary marker file to prevent redundant executions.<\/p>\n

Aikido observed<\/a> that the payload disables SSL verification and fetches a secondary script from an obfuscated command-and-control server, launching it silently via OS-specific methods.<\/p>\n

Payload Execution Methods<\/strong><\/h2>\n
\n\n\n\n\n\n\n\n
Operating System<\/th>\nExecution Mechanism<\/th>\nPrivilege Level<\/th>\n<\/tr>\n<\/thead>\n
Linux<\/td>\nBackground execution using exec(\"php ...\")<\/code>\n<\/td>\nApplication user<\/td>\n<\/tr>\n
macOS<\/td>\nBackground execution using exec(\"php ...\")<\/code>\n<\/td>\nApplication user<\/td>\n<\/tr>\n
Windows<\/td>\nGenerated .vbs<\/code> script running via cscript<\/code>\n<\/td>\nApplication user<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The fetched payload is an extensive PHP credential stealer containing 15 specialized collector modules. It systematically targets sensitive developer secrets, including cloud metadata, database credentials, and environment configuration files.<\/p>\n

After harvesting the secrets, the malware encrypts the payload using AES-256 and exfiltrates it to the attacker\u2019s infrastructure before deleting itself to evade forensic detection<\/a>.<\/p>\n

The malware framework systematically strips the infected machine of high-value configurations and credentials:<\/p>\n