Laravel-Lang Supply Chain Massacre: 700+ Compromised PHP Versions Dropping Full-Spectrum Info-Stealer + Video

Listen to this Post

Featured Image

Introduction

A sophisticated supply chain attack has compromised over 700 historical versions of the community-maintained Laravel Lang localization packages after attackers abused a GitHub feature that allows tags to point to commits in forks. The malware—a cross-platform credential harvester targeting AWS keys, Kubernetes secrets, browser passwords, crypto wallets, and `.env` files—auto-executes on every PHP request via Composer’s autoloader, with C2 communication at `flipboxstudio[.]info` and TLS verification disabled to evade network defenses.

Learning Objectives

  • Objective 1: Understand the novel GitHub tag-rewriting attack vector and how it bypassed traditional code-review safeguards.
  • Objective 2: Learn to detect compromised Composer packages using composer audit, lockfile hash verification, and Indicators of Compromise (IoCs).
  • Objective 3: Implement multi-layered mitigations including forced secret rotation, vendor directory sanitization, and Composer 2.9+ security blocking.

You Should Know

  1. GitHub Tag Poisoning: How Attackers Rewrote 700 Versions Without Touching Source Code

The attackers never committed malicious code to the official repositories. Instead, they exploited a little-known GitHub behavior: Git tags can reference commits inside forks of the same repository. After forking the target repo and injecting a malicious `src/helpers.php` (registered under `autoload.files` in composer.json), the attacker—armed with compromised push access to the Laravel-Lang organisation—force‑pushed every existing tag to point at the malicious fork commit. The entire operation took roughly 15 minutes, with 502 tags rewritten in the flagship `lang` repository between 22:32 and 23:24 UTC on May 22, 2026.

Step‑by‑step guide to detect and remove poisoned packages:

1. Audit your `composer.lock` for affected packages:

Search for any laravel-lang package in your lockfile
grep -E '"name":\s"laravel-lang/(lang|http-statuses|attributes|actions)"' composer.lock

2. Run a full Composer security audit:

Composer 2.5+ required — scans against Packagist advisory database
composer audit

For CI/CD integration, use JSON output:

composer audit --format=json --no-dev --fail-on-security-violations

3. Verify commit hashes against known‑good references:

Extract commit hash for a specific package from lockfile
jq '.packages[] | select(.name == "laravel-lang/lang") | .dist.reference' composer.lock

Compare with the official clean commit hashes published by Laravel-Lang maintainers. If mismatched, treat the environment as compromised.

  1. Clear Composer cache and reinstall from trusted sources:
    composer clear-cache
    rm -rf vendor/
    composer install --no-scripts --prefer-dist
    

  2. Multi-Stage Payload Deep Dive: From Dropper to Full-Spectrum Credential Stealer

The infection chain begins with src/helpers.php, which looks like a harmless localization helper but contains an auto‑executing block. It fingerprints the host using a hash of the file path, hostname, and inode, then writes a marker file to the system temp directory so the payload runs only once per machine. The C2 domain `flipboxstudio[.]info` is obfuscated inside an integer array and reconstructed at runtime to evade static scanners. The dropper fetches a secondary payload using `file_get_contents()` (with a cURL fallback) with SSL verification disabled, then executes it—via `exec()` on Linux/macOS, or via a `.vbs` launcher on Windows.

The second-stage payload (~5,900 lines of PHP) organizes itself into 15–17 specialist collector modules that systematically harvest:

Category | Targets

Cloud credentials | AWS keys (from env, ~/.aws/credentials, EC2 metadata), GCP ADC databases, Azure MSAL caches, DigitalOcean/Heroku/Vercel tokens |
| Infrastructure secrets | All `kubeconfig` files (/etc/kubernetes/admin.conf), HashiCorp Vault tokens, Helm repo configs, `dockerconfig.json` |
| Developer assets | SSH private keys, .git-credentials, .npmrc, .pypirc, GitHub/GitLab CLI tokens, shell history (bash, zsh, psql, mysql, python) |
| Application configs | All `.env` files, wp-config.php, settings.py, docker-compose.yml, `secrets.yaml` |
| Browsers | Saved passwords from 17 Chromium‑based browsers (Chrome, Edge, Brave, Opera, etc.) |
| Crypto wallets | Seed phrases and wallet files |
| Password managers | Locally cached credential vaults |

After collection, data is AES‑256 encrypted and exfiltrated to flipboxstudio[.]info/exfil, then the payload self‑deletes to limit forensic evidence.

Forensic commands to detect post‑exploitation activity:

Check for marker file written by dropper
ls -la /tmp/.marker Linux/macOS
dir %TEMP%.marker Windows (PowerShell)

Search for suspicious PHP payload downloads in web logs
grep "flipboxstudio.info" /var/log/nginx/access.log
grep "file_get_contents.payload" /var/log/php-fpm/.log

Look for unexpected outbound connections on port 443 (exfil)
netstat -an | grep ":443" | grep ESTABLISHED
ss -tunap | grep flipboxstudio Linux with connection tracking
  1. Incident Response: Immediate Action Items for Compromised Environments

If you ran `composer update` or `composer install` on or after May 22, 2026 22:32 UTC for any `laravel-lang/` package, treat every secret in that environment as compromised.

Step‑by‑step containment and recovery:

  1. Isolate affected systems – Take production servers, CI runners, and developer workstations offline where possible.
  2. Rotate every credential touched by the stealer – Use the checklist below to ensure no secret is left exposed:
  • AWS keys (access/secret + session tokens)
  • GCP service account keys and ADC tokens
  • Azure managed identities and access tokens
  • All Kubernetes service account tokens and `kubeconfig` certs
  • HashiCorp Vault tokens and unseal keys
  • GitHub/GitLab PATs, GITHUB_TOKEN, GitLab CI tokens
  • Docker Hub and container registry credentials
  • SSH private keys (regenerate and redeploy)
  • Database passwords (MySQL, PostgreSQL, Redis, MongoDB)
  • Application `APP_KEY` (Laravel encryption key)
    – `.env` secrets for all environments (dev/staging/prod)
  • Browser saved passwords and password manager vaults
  1. Rebuild from known‑good images – Do not simply remove the malicious package; rebuild containers, VMs, and CI runners from clean snapshots.
  2. Revoke and reissue compromised tokens – Check cloud provider audit logs for anomalous API calls from `flipboxstudio[.]info` or unknown IP addresses.

  3. Hardening Composer Against Supply Chain Attacks: Lockfiles, Signatures, and Allow‑Plugins

The Laravel-Lang incident underscores that Composer’s default behaviour is not secure by default. Implement these hardening measures immediately:

Step‑by‑step Composer security configuration:

  1. Always commit `composer.lock` to version control and never run `composer update` in production. Use `composer install –no-dev –optimize-autoloader` for production deployments.

2. Enable tag signature verification (Composer 2.5+):

composer config -g security.signature-verification true
composer show --security Verify status

Note: This verifies package integrity (shasum), not developer identity—it confirms “this is the original package from the trusted source”.
3. Restrict Composer plugins using allow‑plugins whitelist: In composer.json:

{
"config": {
"allow-plugins": {
"composer/installers": true,
"dealerdirect/phpcodesniffer-composer-installer": true,
"": false
}
}
}

This prevents arbitrary plugin code execution during `install`/`update`.

4. For private packages, mitigate dependency confusion:

Force private repo priority and disable Packagist fallback
composer config repositories.my-private vcs https://gitlab.com/myorg/private-package
composer config --json repositories.packagist false

Use scoped prefixes (e.g., @acme/package) and lock versions in composer.lock.

  1. Network Defences and Egress Controls to Block C2 Communication

Even if a compromised package slips through, proper network controls can prevent data exfiltration. The malware’s disabling of TLS verification is a critical detection signal.

Step‑by‑step egress hardening:

  1. Block the malicious C2 domain at the DNS and firewall level:
    Add to /etc/hosts (Linux/macOS) or C:\Windows\System32\drivers\etc\hosts (Windows)
    0.0.0.0 flipboxstudio.info
    ::1 flipboxstudio.info
    

    For enterprise environments, add to DNS sinkhole or firewall blacklist.

  2. Configure egress filtering to block outbound HTTPS to unknown destinations:
    iptables example — allow only known good domains
    iptables -A OUTPUT -p tcp --dport 443 -m string --string "flipboxstudio.info" --algo bm -j DROP
    

    For containers and Kubernetes, enforce network policies that restrict egress to essential external services.

  3. Monitor for outbound requests with SSL verification disabled – Use eBPF or a service mesh to detect `file_get_contents()` with stream_context_set_option('verify_peer', false). Alert on any PHP process making HTTP requests with CURLOPT_SSL_VERIFYPEER = 0.

  4. Continuous Monitoring: CI/CD Integration and Automated Advisory Scanning

The Laravel-Lang attack went undetected for hours because most teams lack automated dependency integrity checks. Implement these controls:

Step‑by‑step CI/CD hardening:

  1. Run `composer audit` on every pull request and before deployment: Include in your GitHub Actions workflow:
    </li>
    </ol>
    
    - name: Composer Security Audit
    run: composer audit --format=json --no-dev --fail-on-security-violations
    

    2. Use Snyk CLI or Socket.dev for deeper dependency scanning:

    Snyk — automatically detects vulnerable packages from composer.lock
    snyk test --severity-threshold=high
    

    Snyk’s advisory for this incident provides continuous monitoring for newly discovered IoCs.
    3. Hash‑pin your dependencies: In CI scripts, verify that downloaded packages match a known‑good hash before extracting:

    Example for a specific package — fails if hash mismatches
    expected_hash="fc384bc1234567890abcdef..."
    actual_hash=$(composer show --format=json laravel-lang/lang | jq -r '.dist.shasum')
    [ "$actual_hash" = "$expected_hash" ] || exit 1
    

    4. Enable automatic security blocking in Composer 2.9+: This is now enabled by default and stops installation of any package with a known vulnerability. Verify with:

    composer config audit.block-insecure Should return true
    

    What Undercode Say

    Key Takeaway 1: This attack rewrites the playbook for package manager compromises—GitHub tags can point anywhere, and Packagist blindly trusts them. Never assume a version tag maps to clean source code.

    Key Takeaway 2: The malware’s scope (17 collector modules) proves that credential stealers have become enterprise‑grade tools. A single compromised developer workstation can lose AWS keys, Kubernetes tokens, and crypto wallets simultaneously.

    Analysis: The Laravel-Lang incident is not an isolated failure of the Laravel ecosystem—it exposes a platform-level trust flaw in how GitHub and Packagist resolve tags. Because tags are mutable pointers, any organisation that loses push access becomes an instant malware distribution hub. The attacker used automated mass tag rewriting (502 tags in 52 minutes), indicating a scripted, professional operation. The C2 domain obfuscation (integer array reconstruction) and anti‑forensic self‑deletion are advanced evasion techniques rarely seen in PHP supply chain attacks. This campaign likely shares TTPs with the “Mini Shai‑Hulud” campaign tracked by Wiz and Socket, suggesting a coordinated wave targeting both npm and PHP ecosystems.

    The most dangerous aspect is the silent execution—developers running `composer update` see no error, no warning, and no changed source code in the official repo. By the time IoCs were published, the attacker had already exfiltrated credentials from countless CI pipelines. This underscores the need for cryptographic tag signing (a feature GitHub does not yet enforce) and network‑level zero‑trust that assumes every dependency is malicious until proven otherwise.

    Prediction

    This attack will accelerate three industry shifts: (1) Package managers will move toward immutable, signed version references (similar to npm’s `integrity` hashes but enforced at the registry level); (2) Organisations will adopt ephemeral CI runners and secret‑less authentication (e.g., OIDC with AWS STS) to eliminate long‑lived credentials exposed by info‑stealers; (3) Runtime dependency firewalls (e.g., eBPF-based monitoring for PHP processes) will become standard in production, automatically blocking any outbound connection to unapproved domains—especially those made with TLS verification disabled. Expect a formal GitHub advisory on tag mutability and Packagist to require commit hash pinning for all new releases within the next six months.

    ▶️ Related Video (86% Match):

    🎯Let’s Practice For Free:

    IT/Security Reporter URL:

    Reported By: Laravel Lang – Hackers Feeds
    Extra Hub: Undercode MoN
    Basic Verification: Pass ✅

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow UndercodeTesting & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky