Skip to main content
Emerging ThreatsMalware & Ransomware

GitHub Tags Exploited to Deploy Credential-Stealing Malware

Software development workspace with laptop and monitor displaying Git repository interface.

Attackers rewrote hundreds of historical Git tags so that Composer installations of popular Laravel Lang localization packages pulled down a credential-stealing malware payload, security researchers warn: Aikido counted 233 compromised versions across three repositories, while Socket estimated roughly 700 historical versions may have been impacted.

How Git tags were weaponized to serve malicious Composer releases

Researchers at StepSecurity, Aikido Security, and Socket reported that the intrusion did not rely on adding a new malicious release but on rewriting existing Git tags across repositories maintained by the Laravel Lang organization. Rather than modifying the project’s source tree, the attackers pointed tags to commits stored in an attacker-controlled fork. StepSecurity described the change succinctly: "Rather than publishing a new malicious version, the attacker rewrote every existing git tag in each repository to point at a new malicious commit."

The rewrites began at 22:32 UTC against laravel-lang/lang — described as "the flagship Laravel translations package, with 502 tags" — and finished by 00:00 UTC against laravel-lang/actions. The affected packages identified include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions. The companies emphasized that these Laravel Lang packages are third-party localization packages and are not part of the official Laravel project.

The injected payload: a Composer-loaded dropper and a cross-platform infostealer

When developers installed an affected release via Composer, the installation automatically loaded an injected file named src/helpers.php. That file acted as a dropper: it downloaded a second PHP payload from the attacker's command-and-control server at flipboxstudio[.]info.

According to the reporting, the downloaded PHP payload is a large cross-platform credential stealer for Linux, macOS, and Windows. It harvests cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local .env configuration files. The malware carries regular-expression patterns designed to extract AWS keys, GitHub tokens, Slack tokens, Stripe secrets, database credentials, JWTs, SSH private keys, and cryptocurrency recovery phrases from files and environment variables.

On Windows systems the PHP payload additionally contains a base64-encoded executable embedded in the file. The executable is written to the %TEMP% folder under a randomized .exe filename and then launched. BleepingComputer's analysis identified the Windows infostealer as "DebugElevator," reporting it targets Chrome, Brave, and Edge and extracts App-Bound Encryption keys needed to decrypt stored browser credentials. An embedded PDB path in the Windows component references a Windows account name and a directory containing "claude" — a detail the researchers say potentially indicates AI-assisted development: C:\Users\Mero\OneDrive\Desktop\stuff\claude\Chromium-DebugElevator\x64\Release\DebugChromium.pdb.

After collecting sensitive material, the malware encrypts the data and exfiltrates it back to the attacker's C2 server.

Scope, indicators, and the timeline researchers established

The three security firms presented overlapping technical signals. Aikido reported 233 compromised versions across three repositories, while Socket warned that roughly 700 historical versions may have been affected. StepSecurity noted that all four repositories shared the same fake author identity, the same modified files, and the same payload behavior, which led them to conclude the activity was "almost certainly the work of one actor using one compromised credential with org wide push access."

By rewriting tags to point at malicious commits in an attacker-controlled fork, the actor effectively made malicious code look like legitimate historical releases; developers who installed those tagged versions via Composer unwittingly retrieved and executed the dropper.

Remediation taken and advised actions for developers and teams

Aikido reported the incident to Packagist, which responded by removing the malicious versions and temporarily unlisting the affected packages to prevent further installations. Researchers advised multiple specific steps for developers who used Laravel Lang packages: review installed package versions, rotate any credentials that may have been exposed, inspect systems for indicators of compromise, and, where possible, check historical outbound connections for contact with flipboxstudio[.]info.

What this means for developers, open-source maintainers, and security teams

  • Developers and security teams: Audit installed versions of laravel-lang packages and any historical installs; prioritize rotating credentials and scanning for exfiltration indicators, including connections to flipboxstudio[.]info.
  • Open-source maintainers: Note that repository metadata (Git tags) can be abused; verify repository and organization push privileges and consider controls that detect or prevent tag rewrites that point to external forks.
  • Enterprise buyers and procurement teams: Temporarily unlisted packages can reduce new risk, but historical installs remain a concern — inventories of deployed package versions and network logs may be needed to assess exposure.

The incident is a reminder that attackers can weaponize distribution metadata as readily as source code. For teams that consumed Laravel Lang packages, the immediate work is concrete: identify affected versions, rotate exposed secrets, and hunt for proof of exfiltration. For maintainers, the record of tag rewrites and a single compromised credential with org-wide push access are stark prompts to harden repository controls and monitoring.

Original reporting: https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/