Full Report
A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages. [...]
Analysis Summary
# Incident Report: Laravel Lang Supply Chain Attack
## Executive Summary
In May 2026, the third-party Laravel Lang organization suffered a sophisticated supply chain attack where attackers hijacked multiple GitHub repositories. By abusing GitHub version tags to point toward malicious commits in a fork, the attackers distributed a cross-platform credential stealer via the Composer package manager. The campaign targeted developers and CI/CD environments to harvest high-value secrets, including cloud credentials and Kubernetes tokens.
## Incident Details
- **Discovery Date:** May 22-23, 2026
- **Incident Date:** Began May 22, 2026, at 22:32 UTC
- **Affected Organization:** Laravel Lang (Third-party localization project)
- **Sector:** Software Development / Open Source Ecosystem
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 22, 2026, 22:32 UTC
- **Vector:** Compromised credential with organization-wide push access.
- **Details:** The attacker began rewriting existing Git tags across major repositories (`laravel-lang/lang`, `http-statuses`, `attributes`, and `actions`).
### Lateral Movement
- **Mechanism:** No movement inside Laravel Lang's own infrastructure was required. Packagist builds a package's version list from its GitHub tags, and Composer resolves a tagged version to whichever commit that tag points at when the metadata is refreshed. By re-pointing existing, already-published version tags at commits in a malicious fork, the attackers turned every later resolution of those versions into delivery of the stealer; the "movement" happened downstream, as developers and CI pipelines ran `composer update` (or `composer install` in a project without a committed `composer.lock`) and fetched the retagged releases.
### Data Exfiltration/Impact
- **Details:** The malware targeted sensitive data including AWS keys, GitHub tokens, Slack/Stripe secrets, Kubernetes secrets, Vault tokens, SSH keys, and local `.env` files. On Windows, it specifically targeted App-Bound Encryption keys in Chromium-based browsers.
### Detection & Response
- **Discovery:** Identified by security firms StepSecurity, Aikido Security, and Socket.
- **Response Actions:** Packagist (the PHP package repository) removed malicious versions and temporarily unlisted affected packages.
## Attack Methodology
- **Initial Access:** Hijacked organization-wide GitHub credentials.
- **Persistence:** Rewriting existing tags meant that any fresh resolution of an already "stable" version fetched the malicious commit, with no new version number to draw attention. Projects installing from a committed `composer.lock` kept the previously pinned commit until they next ran `composer update`.
- **Defense Evasion:** Abused the fact that a tag in the upstream repository can point at a commit that was only ever pushed to a fork (GitHub shares objects across a fork network), so the malicious code never appeared in the main branch history or in any pull request.
- **Credential Access:** Used regex patterns to scan for API keys and tokens; used "DebugElevator" to bypass Windows App-Bound Encryption for browser credentials.
- **Collection:** Automated harvesting of `.env` files, CI/CD secrets, and browser data.
- **Exfiltration:** Data was encrypted and sent to a C2 server.
- **Impact:** Potential for widespread secondary breaches via stolen infrastructure credentials.
## Impact Assessment
- **Financial:** High potential cost due to the need for enterprise-wide credential rotations and post-compromise audits.
- **Data Breach:** Massive exposure of developer secrets (Cloud, Git, CI/CD, and DB credentials).
- **Operational:** Temporary unlisting of critical translation packages disrupted development workflows for Laravel users.
- **Reputational:** Damage to the Laravel Lang third-party organization; highlights risks in the PHP/Composer ecosystem.
## Indicators of Compromise
- **Network:** Outbound connections to `flipboxstudio[.]info`.
- **File:** Presence of `src/helpers.php` (malicious dropper) in Laravel Lang package directories.
- **File:** `%TEMP%\[random].exe` (Windows DebugElevator executable).
- **Behavioral:** Unauthorized rewriting of historical Git tags; unexpected `autoload` entries in `composer.json`.
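As an added example (not from the report, and not Laravel Lang or Packagist tooling), the following Python hunts a `composer.lock` for the file and network indicators above. The lock file is a convenient place to look because Composer records each package's `autoload` section and its `dist`/`source` URLs there, mirroring each `vendor/<name>/composer.json`. The sample lock is constructed: the commit hashes are placeholders, and the PSR-4 namespaces and the `packages.example.test` host are illustrative.

```python
"""Hunt a composer.lock for the Laravel Lang indicators (added example)."""
import json
from urllib.parse import urlparse

C2_DOMAINS = {"flipboxstudio.info"}        # network IOC from the report
SUSPICIOUS_AUTOLOAD = {"src/helpers.php"}  # dropper path from the report
EXPECTED_DIST_HOSTS = {"api.github.com"}   # where Packagist points for GitHub-hosted dists
WATCHED_VENDOR = "laravel-lang/"


def _pkg(name, version, repo, sha, autoload, dist_url=None):
    """Build one constructed composer.lock package entry (sample data only)."""
    return {
        "name": name,
        "version": version,
        "source": {"type": "git", "url": f"https://github.com/{repo}.git", "reference": sha},
        "dist": {"type": "zip", "shasum": "", "reference": sha,
                 "url": dist_url or f"https://api.github.com/repos/{repo}/zipball/{sha}"},
        "autoload": autoload,
    }


# Constructed sample: placeholder hashes, illustrative namespaces and hosts.
SAMPLE_LOCK = json.dumps({
    "packages": [
        _pkg("laravel-lang/lang", "15.1.0", "Laravel-Lang/lang", "a" * 40,
             {"psr-4": {"LaravelLang\\Lang\\": "src/"}, "files": ["src/helpers.php"]}),
        _pkg("laravel-lang/attributes", "2.10.0", "Laravel-Lang/attributes", "b" * 40,
             {"psr-4": {"LaravelLang\\Attributes\\": "src/"}}),
        _pkg("laravel-lang/http-statuses", "3.9.0", "Laravel-Lang/http-statuses", "c" * 40,
             {"psr-4": {"LaravelLang\\HttpStatuses\\": "src/"}},
             dist_url="https://packages.example.test/http-statuses-3.9.0.zip"),
    ],
    "packages-dev": [],
})


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def matches_c2(host):
    """True for the C2 domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def iter_packages(lock):
    for section in ("packages", "packages-dev"):
        yield from lock.get(section, [])


def find_indicators(lock_text):
    """Return (package, version, finding) tuples for every indicator hit."""
    findings = []
    for pkg in iter_packages(json.loads(lock_text)):
        name, version = pkg.get("name", ""), pkg.get("version", "")
        # 1. A watched vendor package that autoloads the dropper path.
        if name.startswith(WATCHED_VENDOR):
            for path in pkg.get("autoload", {}).get("files", []):
                if path.replace("\\", "/").lstrip("./") in SUSPICIOUS_AUTOLOAD:
                    findings.append((name, version, f"autoload.files loads {path}"))
        # 2./3. Package URLs on the C2 domain, or dists from an unexpected host.
        for section in ("dist", "source"):
            url = pkg.get(section, {}).get("url", "")
            if not url:
                continue
            host = host_of(url)
            if matches_c2(host):
                findings.append((name, version, f"{section} url points at C2 domain {host}"))
            elif section == "dist" and host not in EXPECTED_DIST_HOSTS:
                findings.append((name, version, f"dist served from unexpected host {host}"))
    return findings


if __name__ == "__main__":
    for name, version, finding in find_indicators(SAMPLE_LOCK):
        print(f"{name} {version}: {finding}")
```

Point `find_indicators` at a real file with `open("composer.lock").read()`. Note that `shasum` is empty for GitHub-served dists, so a lock with no hits only tells you which commit was pinned, not that the archive fetched for it was benign; pair this with a check of the pinned commit against the upstream tag.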
## Response Actions
- **Containment:** Packagist removed malicious versions and unlisted packages to halt distribution.
- **Scoping and Eradication:** Security researchers enumerated the affected releases so they could be removed from Packagist; published counts range from roughly 233 to 700 versions across the hijacked packages.
- **Recovery:** Package maintainers tasked with restoring legitimate Git tags and securing organization accounts.
## Lessons Learned
- **Tag Mutability:** A Git tag is a mutable reference, not a checksum: it can be deleted and recreated to point at a different commit, and nothing in a version constraint such as `^15.0` notices. Only a commit SHA (what Composer records as `source.reference` in `composer.lock`) is content-addressed and cannot be silently redirected. Signed tags help only if the consumer verifies the signature, which Composer does not do.
- **Organization Security:** Lack of Multi-Factor Authentication (MFA) or overly broad "org-wide" push access for a single credential creates a single point of failure.
## Recommendations
- **For Developers:** Commit `composer.lock` and deploy with `composer install`, never a bare `composer update` in CI, so installs stay on the pinned commit reference instead of re-resolving a tag; review lock-file diffs for a changed `reference` on a version number that did not change; run `composer audit` for published advisories.
- **For Maintainers:** Enforce MFA for every organization member, scope tokens narrowly instead of granting a single credential org-wide push, protect branches and release tags with repository rulesets, and alert on tag `delete` and `create` webhook events (a delete immediately followed by a create of the same tag name is the signature of this attack).
- **For Infrastructure:** Treat developer workstations and CI runners as high-risk environments; prefer short-lived, narrowly scoped credentials (for example OIDC-issued cloud tokens in CI) over long-lived static keys in `.env` files, and rotate anything a compromised build could have read.
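As an added example (not the report's or Laravel Lang's own tooling) of the check behind the tag-mutability lesson and the lock-file recommendation above: the script compares the commit that each upstream tag currently resolves to (from `git ls-remote --tags`, which queries the remote without cloning) against the `source.reference` pinned in `composer.lock`. Annotated tags are the edge case worth handling, since `ls-remote` lists them twice and only the peeled `<tag>^{}` line is the commit Composer pins. The lock excerpt and the `ls-remote` output are constructed; the hashes are placeholders and the repository URLs are used only as dictionary keys.

```python
"""Detect moved or deleted upstream tags behind composer.lock pins (added example)."""
import json
import subprocess

# Placeholder commit hashes for the constructed sample (not real commits).
SHA_A, SHA_B, SHA_C, SHA_D = "a" * 40, "b" * 40, "c" * 40, "d" * 40

# Constructed composer.lock excerpt: only the fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.1.0",
         "source": {"url": "https://github.com/Laravel-Lang/lang.git", "reference": SHA_A}},
        {"name": "laravel-lang/attributes", "version": "v2.10.0",
         "source": {"url": "https://github.com/Laravel-Lang/attributes.git", "reference": SHA_B}},
        {"name": "laravel-lang/http-statuses", "version": "3.9.0",
         "source": {"url": "https://github.com/Laravel-Lang/http-statuses.git", "reference": SHA_C}},
        {"name": "laravel-lang/actions", "version": "1.6.0",
         "source": {"url": "https://github.com/Laravel-Lang/actions.git", "reference": SHA_D}},
        {"name": "vendor/unrelated", "version": "1.0.0",
         "source": {"url": "https://github.com/vendor/unrelated.git", "reference": "0" * 40}},
    ],
    "packages-dev": [],
})

# Constructed `git ls-remote --tags <url>` output, one string per repository.
# http-statuses: tag 3.9.0 now points at a different commit than the lock pins.
# actions: tag 1.6.0 has been deleted. attributes: an annotated tag, listed
# twice (the tag object, then the peeled commit as <tag>^{}).
SAMPLE_LS_REMOTE = {
    "https://github.com/Laravel-Lang/lang.git": SHA_A + "\trefs/tags/15.1.0\n",
    "https://github.com/Laravel-Lang/attributes.git": (
        "1" * 40 + "\trefs/tags/v2.10.0\n" + SHA_B + "\trefs/tags/v2.10.0^{}\n"),
    "https://github.com/Laravel-Lang/http-statuses.git": "e" * 40 + "\trefs/tags/3.9.0\n",
    "https://github.com/Laravel-Lang/actions.git": "f" * 40 + "\trefs/tags/1.5.0\n",
}


def parse_ls_remote(output):
    """Map tag name -> commit SHA. For annotated tags the peeled ^{} line wins,
    because Composer's source.reference is the commit, not the tag object."""
    tags, peeled = {}, {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags


def fetch_remote_tags(url):
    """Live replacement for the sample data: ask the remote, no clone needed."""
    out = subprocess.run(["git", "ls-remote", "--tags", url],
                         capture_output=True, text=True, check=True).stdout
    return parse_ls_remote(out)


def audit_lock(lock_text, tags_by_repo, vendor_prefix="laravel-lang/"):
    """Return (name, version, pinned_sha, remote_sha, status) per watched package."""
    lock = json.loads(lock_text)
    results = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        if not name.startswith(vendor_prefix):
            continue
        version, src = pkg["version"], pkg["source"]
        pinned, repo = src["reference"], src["url"]
        # Composer keeps the tag's spelling in `version`; accept v-prefixed and bare.
        alt = version[1:] if version.startswith("v") else "v" + version
        tags = tags_by_repo.get(repo)
        if tags is None:
            status, remote = "repo-not-checked", None
        else:
            remote = tags.get(version, tags.get(alt))
            status = "tag-missing" if remote is None else ("ok" if remote == pinned else "tag-moved")
        results.append((name, version, pinned, remote, status))
    return results


if __name__ == "__main__":
    sampled = {repo: parse_ls_remote(out) for repo, out in SAMPLE_LS_REMOTE.items()}
    for name, version, pinned, remote, status in audit_lock(SAMPLE_LOCK, sampled):
        print(f"{status:16} {name} {version} pinned={pinned[:7]} remote={(remote or '-')[:7]}")
```

Run it in CI before any `composer update`, building `tags_by_repo` with `fetch_remote_tags` for each `source.url` in the lock. A `tag-moved` result on a version you already pinned is exactly what this incident looked like from a consumer's side; it is also what a legitimate re-tag by the maintainer looks like, so treat it as a stop-and-verify signal rather than proof of compromise.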