Laravel-Lang Attack Compromises 233 Package Versions via GitHub Tags, Stealing Cloud and Browser Credentials
Updated · aikido.dev · May 23
233 Laravel-Lang package versions across three repositories were found carrying credential-stealing code on May 22, and Packagist removed the malicious releases and temporarily unlisted the affected packages.
GitHub tags were the attack path: the malicious code was never committed to the official repositories, but tags were pointed to commits in an attacker-controlled fork, then loaded automatically through Composer's autoloader.
A dropper hidden in src/helpers.php contacts flipboxstudio.info, fetches a second-stage payload with SSL checks disabled, and runs it silently on Windows, Linux and macOS.
That payload is a roughly 5,900-line PHP stealer with 15 modules that encrypts and exfiltrates data including AWS, GCP and Azure credentials, SSH keys, .env files, browser passwords, VPN configs and crypto wallets.
The incident expands earlier reports of Laravel-Lang tag tampering by detailing a broader cross-platform theft operation and a GitHub tag mechanism that can bypass scrutiny of official repo commit history.
Inside the May 2026 Laravel-Lang Supply Chain Breach: 700+ Malicious Composer Versions and Ecosystem Fallout
Overview
Between May 22 and 23, 2026, the Laravel-Lang ecosystem suffered a major security breach when an attacker gained unauthorized access to critical infrastructure, such as organization-level credentials or release systems. This allowed the attacker to systematically rewrite repository tags across four key Composer packages: laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions. Legitimate tags were redirected to malicious commits, and new malicious tags were published rapidly. Each compromised version introduced a two-file change, adding an entry in composer.json and creating a src/helpers.php file, which signals a broad compromise of the Laravel-Lang release process.
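A defender-side check for the two-file change described above, added here as an example and not taken from the original reporting or from the Laravel-Lang project: it scans a Composer vendor/ directory for the four named packages and flags any that ship src/helpers.php, load it through composer.json, or mention flipboxstudio.info. It assumes the composer.json entry is an autoload "files" item; scan_vendor and build_demo_vendor are hypothetical names, and the sample tree is constructed.

```python
import json
import tempfile
from pathlib import Path

AFFECTED = ("laravel-lang/lang", "laravel-lang/attributes",
            "laravel-lang/http-statuses", "laravel-lang/actions")
DROPPER = "src/helpers.php"      # file name reported on this page
DOMAIN = "flipboxstudio.info"    # domain reported on this page

def scan_vendor(vendor_dir):
    """Map each installed affected package to the reasons it looks tampered."""
    findings = {}
    for name in AFFECTED:
        pkg = Path(vendor_dir) / name
        manifest = pkg / "composer.json"
        if not manifest.is_file():
            continue  # package not installed
        reasons = []
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            files = (meta.get("autoload") or {}).get("files") or []
        except (ValueError, AttributeError):
            files, reasons = [], ["composer.json is not parseable"]
        # Assumption: the added composer.json entry is an autoload "files" item.
        if any(str(f).replace("\\", "/").removeprefix("./") == DROPPER for f in files):
            reasons.append("autoload.files loads " + DROPPER)
        helper = pkg / DROPPER
        if helper.is_file():
            reasons.append(DROPPER + " exists")
            # A real dropper may obfuscate the domain; a miss here proves nothing.
            if DOMAIN in helper.read_text(encoding="utf-8", errors="replace"):
                reasons.append("references " + DOMAIN)
        if reasons:
            findings[name] = reasons
    return findings

def build_demo_vendor(root):
    """Constructed sample tree: one clean package, one with the two-file change."""
    clean = Path(root) / "laravel-lang/actions"
    bad = Path(root) / "laravel-lang/lang"
    for p in (clean, bad / "src"):
        p.mkdir(parents=True)
    (clean / "composer.json").write_text(json.dumps({"autoload": {"psr-4": {}}}))
    (bad / "composer.json").write_text(json.dumps({"autoload": {"files": [DROPPER]}}))
    (bad / DROPPER).write_text("<?php // constructed placeholder naming " + DOMAIN)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_vendor(build_demo_vendor(tmp)))
```

A hit means the installed copy needs manual review against a known-good release; a clean result does not rule out a payload that has already run and removed itself.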