Laravel supply-chain malware emerges
What happened
- Aikido Security and Socket said attackers rewrote Laravel-Lang package tags on May 22-23, 2026, turning trusted Composer installs into credential-stealing malware delivery. (aikido.dev)
- The most telling detail was the mechanism: 233 poisoned versions across four packages loaded `src/helpers.php` automatically through Composer’s `autoload.files` behavior. (aikido.dev)
- Packagist removed malicious versions and temporarily unlisted affected packages; maintainers and researchers are tracking clean releases and exposure in repository issues. (aikido.dev)
Why it matters
A supply-chain attack on the Laravel-Lang ecosystem turned routine PHP dependency installs into a credential-theft event. Aikido Security said it detected the attack on May 22, 2026, after malicious version tags appeared across Laravel-Lang packages distributed through Composer and Packagist. Socket said the compromise affected community-maintained localization packages, not the official Laravel framework itself. (aikido.dev) Researchers said the attack worked by rewriting existing Git tags so trusted package versions resolved to attacker-controlled commits.

### How did the attacker get malicious code into old package versions?

On May 22 and May 23, attackers republished historical release tags for four Laravel-Lang packages: `laravel-lang/lang`, `laravel-lang/http-statuses`, `laravel-lang/attributes`, and `laravel-lang/actions`, according to Socket and Mend. (aikido.dev) Rather than push malware into the visible default branches, the attacker pointed tags at orphaned malicious commits from a fork, Aikido said. StepSecurity said the tag rewrites began at 22:32 UTC on May 22 and spread across all four repositories within about 15 minutes. Mend said every malicious commit used the same pattern: a change to `composer.json` and a new `src/helpers.php` file. (aikido.dev)

### Why did `helpers.php` run without a developer calling it?

Socket said the malicious `src/helpers.php` file was registered under Composer’s `autoload.files` setting. Mend said files listed there are loaded immediately when an application requires `vendor/autoload.php`, unlike PSR-4 classes that load only when referenced. Aikido said the file looked benign at first, defining localization helper functions before running a self-executing block of code. That code created a host-specific marker so it would fire once, reconstructed the command-and-control domain at runtime, and fetched a second-stage payload with SSL verification disabled, the researchers said. (aikido.dev)

### What data was the malware trying to steal?

Aikido said the second stage was a roughly 5,900-line PHP credential stealer that encrypted collected data and sent it to `flipboxstudio[.]info/exfil`. The firm said the malware searched for AWS keys and tokens, Google Cloud and Azure credentials, Kubernetes and HashiCorp Vault secrets, SSH keys, CI/CD secrets, and tokens from platforms including DigitalOcean, Heroku, Vercel, Netlify, Railway and Fly.io. (stepsecurity.io) (socket.dev) Snyk said environments that pulled affected versions should be treated as compromised until proven otherwise. The firm said the stealer also targeted environment files, browser data, password-manager vaults, messaging tokens and other developer secrets stored on workstations or build systems. (aikido.dev)

### Why does this incident stand out from a typical open-source compromise?

Socket said the affected packages were third-party Laravel localization libraries, but the delivery path exploited a trust assumption common in package management: that old version tags still point to the same code. StepSecurity said there was “no safe version to pin to” during the incident unless teams verified a pre-May 22 commit SHA independently, because every tag in the affected repositories had been rewritten. (aikido.dev) Aikido said the malicious code was never committed to the official repositories’ visible history. That meant users relying on familiar version numbers could still fetch poisoned code during a fresh install or update. (snyk.io)

### What should affected teams look at now?

Packagist took down malicious versions and temporarily unlisted the affected packages after Aikido reported the incident, the firm said. StepSecurity said maintainers were notified through security issues across the four repositories. Snyk and other researchers said teams should review `composer.lock`, Composer cache contents, CI runner logs and outbound network traffic for the affected install window on May 22-23. (socket.dev) Researchers are continuing to publish indicators of compromise, affected version ranges and remediation guidance through their incident write-ups and linked repository issues. (snyk.io) (aikido.dev)
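As an added example (not code from the article or from any of the cited researchers), the following Python script does the two checks a defender would want here: it pulls the resolved version and commit SHA of the four affected packages out of `composer.lock`, so the SHA can be compared against an independently verified pre-May 22 commit, and it lists the `autoload.files` entries in a package's `composer.json`, the mechanism that made `src/helpers.php` run on every `vendor/autoload.php` load. The lock file, manifest, URL and 40-zero commit SHA below are constructed placeholders, not data from the incident.

```python
import json
from typing import Dict, List

# The four package names reported in the incident write-ups.
AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}


def affected_packages(lock_json: str) -> List[Dict[str, str]]:
    """Return name, version and resolved commit SHA for each affected package in a composer.lock."""
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in AFFECTED:
                hits.append({
                    "name": pkg["name"],
                    "version": pkg.get("version", ""),
                    # The git commit Composer actually checked out; tags can be moved, SHAs cannot.
                    "reference": (pkg.get("source") or {}).get("reference", ""),
                })
    return hits


def autoload_files(package_composer_json: str) -> List[str]:
    """List files Composer includes unconditionally whenever vendor/autoload.php is required."""
    manifest = json.loads(package_composer_json)
    return list(manifest.get("autoload", {}).get("files", []))


# Constructed sample inputs: placeholder URL and SHA, not values from the real incident.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.0.0",
         "source": {"type": "git", "url": "https://example.invalid/laravel-lang/lang.git",
                    "reference": "0" * 40}},
        {"name": "monolog/monolog", "version": "3.0.0"},
    ],
    "packages-dev": [],
})
SAMPLE_MANIFEST = json.dumps({
    "autoload": {"psr-4": {"LaravelLang\\Locales\\": "src/"}, "files": ["src/helpers.php"]}
})

if __name__ == "__main__":
    for hit in affected_packages(SAMPLE_LOCK):
        print(f"{hit['name']} {hit['version']} resolved to commit {hit['reference'] or '?'}"
              " -- verify this SHA predates May 22 before trusting it")
    for path in autoload_files(SAMPLE_MANIFEST):
        print(f"autoload.files entry executed on every autoload: {path}")
```

Run it against a real `composer.lock` and the installed package's `vendor/<name>/composer.json` by reading those files into the two functions; any `autoload.files` entry that was not present in a known-good release is worth inspecting.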
Key numbers
- Aikido Security and Socket said attackers rewrote Laravel-Lang package tags on May 22-23, 2026, turning trusted Composer installs into credential-stealing malware delivery. (aikido.dev)
- The most telling detail was the mechanism: 233 poisoned versions across four packages loaded `src/helpers.php` automatically through Composer’s `autoload.files` behavior.
- Aikido Security said it detected the attack on May 22, 2026, after malicious version tags appeared across Laravel-Lang packages distributed through Composer and Packagist.
- On May 22 and May 23, attackers republished historical release tags for four Laravel-Lang packages: `laravel-lang/lang`, `laravel-lang/http-statuses`, `laravel-lang/attributes`, and `laravel-lang/actions`, according to Socket and Mend.
What happens next
- Aikido Security said it detected the attack on May 22, 2026, after malicious version tags appeared across Laravel-Lang packages distributed through Composer and Packagist.
- On May 22 and May 23, attackers republished historical release tags for four Laravel-Lang packages: `laravel-lang/lang`, `laravel-lang/http-statuses`, `laravel-lang/attributes`, and `laravel-lang/actions`, according to Socket and Mend.
- StepSecurity said the tag rewrites began at 22:32 UTC on May 22 and spread across all four repositories within about 15 minutes.