More than 700 versions of Laravel‑Lang packages were republished in rapid succession on May 22 and May 23, 2026 — a flood of tags security researchers say were used to deliver a cross‑platform credential stealer.
Which packages were altered and how the release activity looked
Researchers identified compromises across multiple PHP packages that belong to the Laravel‑Lang organization: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Socket reported that, "The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization's release process, rather than a single malicious package version." The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing "only seconds apart," and more than 700 versions associated with these packages were identified — a volume Socket characterised as indicative of automated mass tagging or republishing.
The 'src/helpers.php' backdoor and how it runs
The core malicious component is a file named "src/helpers.php" embedded into the compromised version tags. Because that file is registered in composer.json under autoload.files, the backdoor executes automatically on every PHP request handled by the compromised application. Socket explained: "Because this file ['src/helpers.php'] is registered in the composer.json under autoload.files, the backdoor is executed automatically on every PHP request handled by the compromised application."
To avoid repeated infections, the script generates a unique per‑host marker — an MD5 hash that combines the directory path, system architecture, and inode — so the payload triggers only once per machine and reduces redundant executions, helping the attacker remain less visible after the initial run.
Delivery chain: flipboxstudio[.]info and multi‑platform dropper behavior
The backdoor fingerprints the host and contacts an external server, identified in the reporting as flipboxstudio[.]info, to retrieve a PHP‑based payload that is designed to run on Windows, Linux, and macOS. Aikido Security reported that the dropper delivers a Visual Basic Script launcher on Windows and runs it via cscript; on Linux and macOS it executes the stealer payload via exec(). Socket and Aikido both describe this as a two‑stage mechanism: an autoloaded PHP helper calls out to fetch and run a platform‑appropriate stealer.
Fifteen collector modules: what the stealer takes
Aikido Security analysed the fetched payload as "a ~5,900 line PHP credential stealer, organised into fifteen specialist collector modules," and detailed an expansive list of data the malware is designed to collect and exfiltrate. After collection, the stealer encrypts results with AES‑256 and sends them to flipboxstudio[.]info/exfil, then deletes itself from disk to limit forensic evidence, according to researcher Ilyas Makari.
- Cloud and infrastructure credentials: IAM roles and instance identity documents (via metadata endpoints), Google Cloud application default credentials, Microsoft Azure access tokens and service principal profiles, Kubernetes Service Account tokens and Helm registry configurations.
- Platform and service tokens: Authentication tokens for DigitalOcean, Heroku, Vercel, Netlify, Railway, Fly.io, and HashiCorp Vault tokens.
- CI/CD and developer tooling: Jenkins, GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD tokens and configurations; source control credentials from .gitconfig, .git-credentials, and .netrc.
- Cryptocurrency and wallet data: Seed phrases and wallet files for Electrum, Exodus, Atomic, Ledger Live, Trezor, Wasabi, Sparrow and browser extensions such as MetaMask, Phantom, Trust Wallet, Ronin, Keplr, Solflare, and Rabby.
- Browsers, vaults and local credentials: Browser history, cookies, and login data from Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera (including a Base64‑encoded embedded Windows executable to bypass Chromium ABE protections); 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass vaults and extension data; Windows Credential Manager dumps; PuTTY/WinSCP saved sessions; RDP files.
- Application files and configuration: Outlook and Thunderbird data, FTP client data (FileZilla, WinSCP, CoreFTP), Docker auth tokens, SSH private keys, .env files, wp-config.php, docker-compose.yml, shell and database history files, and environment variables loaded into the PHP process.
What this means for open‑source maintainers, security teams, and cloud operators
Open‑source maintainers will face scrutiny of release pipelines: Socket suspects the attacker "may have managed to obtain access to organization-level credentials, repository automation, or release infrastructure," a possible explanation for the burst of automated tags. Security teams operating applications that consume these packages must account for the autoload.files behavior that causes immediate execution of the helpers file on every PHP request. Cloud and infrastructure teams should note the specific cloud artifacts targeted — instance identity documents, Google Cloud ADCs, Azure tokens, Kubernetes service account tokens and Helm registries — because those are explicitly named in the stealer's collection list.
The combined features reported — automated mass republishing, an autoloaded helper that fetches a multi‑platform stealer, and an AES‑encrypted exfil endpoint at flipboxstudio[.]info/exfil — make this a high‑impact supply‑chain compromise for any application using the affected laravel-lang packages.
Original reporting: https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html




