Laravel packages compromised with backdoor

- Socket Security and Aikido said on May 23 that attackers rewrote Laravel-Lang package tags, so Composer installs that re-resolved historical versions fetched a backdoor instead of the original code.
- More than 700 historical versions across laravel-lang/lang and related packages were affected, and StepSecurity said the tag rewrites were completed within about 15 minutes.
- Packagist temporarily unlisted the affected packages on May 23, and maintainers and users posted incident details in GitHub security issues.

Socket Security and Aikido said on May 23 that attackers compromised the community-run Laravel-Lang package ecosystem by rewriting release tags across widely used Composer packages, so that installs resolving those historical version numbers fetched malicious code instead of the original releases. The affected repositories included `laravel-lang/lang`, `laravel-lang/http-statuses`, `laravel-lang/attributes` and `laravel-lang/actions`, according to Socket and StepSecurity. Both firms said the packages are not part of the official Laravel framework but are popular third-party localization components used in Laravel applications.

### How did old package versions become malicious?

StepSecurity said the attacker did not publish a single new bad release. Instead, the attacker rewrote existing git tags so that version references across multiple repositories pointed to malicious commits, between 23:41 UTC and 23:56 UTC on May 22. The firm said the pattern suggested one actor with organization-wide push access or equivalent control over release infrastructure. (socket.dev)

Git tags can be force-pushed to a different commit, and Packagist maps each version number to whatever commit its tag points at when the repository is re-indexed, so moving a tag changes what an existing version resolves to without publishing anything new. A committed `composer.lock` records the commit SHA for each package, so `composer install` from an intact lock file keeps fetching the original commit; the exposure came from `composer require`, `composer update` and installs without a lock file, all of which re-resolve the tag.

Aikido said GitHub permits version tags to point to commits in a fork of the same repository, and that the attacker used that behavior so the malicious code was “never committed to the official repos at all.” That let package managers resolve apparently legitimate versions to attacker-controlled code. (stepsecurity.io)

### What made the payload dangerous in normal Laravel and PHP apps?

Socket said its analysis of `composer/laravel-lang/lang@14.3.7` found a malicious `src/helpers.php` file registered under `autoload.files` in `composer.json`. StepSecurity said that meant the payload ran automatically whenever an application loaded Composer’s autoloader (`vendor/autoload.php`), which is standard in Laravel and Symfony projects; nothing in the application has to call the package for the code to execute. Aikido said the first-stage code contacted `flipboxstudio.info`, fetched a second payload with SSL certificate verification disabled, and then launched it differently depending on the operating system. (aikido.dev)

StepSecurity said its detonation of one affected package in an isolated GitHub Actions runner showed the malware exfiltrating environment data, dropping additional files into `/tmp`, and then removing its artifacts to hinder forensics. (socket.dev)

### What information were the attackers trying to steal?

Aikido said the second-stage payload was a roughly 5,900-line PHP credential stealer that encrypted the collected data and sent it back to the same domain. The firm said the malware targeted AWS, Google Cloud and Azure credentials, along with tokens for services including DigitalOcean, Heroku, Vercel, Netlify, Railway and Fly.io. (aikido.dev)

GitHub issue reports filed in the affected repositories said users running `composer require` or `composer update` against impacted packages could pull code that exfiltrated CI/CD secrets to an attacker-controlled domain. The issue for `laravel-lang/http-statuses` listed `flipboxstudio.info` as the command-and-control domain and said `composer.json` and `src/helpers.php` were modified in every malicious commit. (aikido.dev)

### How broad was the compromise?

Socket said the compromise spanned roughly 700-plus historical versions across the Laravel-Lang organization. Aikido separately said 233 versions were compromised across the three repositories it tracked, while StepSecurity said every tag in at least three packages had been rewritten and that there was “no safe version to pin to today” other than a pre-May 22 commit SHA independently verified by users. The differing counts appear to reflect the different package sets and counting methods each firm described. (github.com)

The incident came days after GitHub disclosed unauthorized access to about 3,800 internal repositories following a poisoned VS Code extension on an employee device, according to GitHub’s security blog. GitHub said the attacker’s claim of around 3,800 repositories was “directionally consistent” with its investigation. (socket.dev)

### What are maintainers and users being told to do now?

Packagist responded by taking down the malicious versions and temporarily unlisting the affected packages, Aikido said. GitHub security issues opened on May 23 urged users to stop fresh installs and updates, verify dependency integrity against known-good commits, and assume that secrets present on infected machines may need rotation. (github.blog) Because the tags themselves were rewritten, a version constraint such as `^14.3` cannot distinguish an original release from a rewritten one; only the commit SHA recorded in `composer.lock`, or a pin to an independently verified SHA, does. Socket’s public warning on X and its blog told developers not to trust blind Composer or npm installs during active supply-chain incidents. StepSecurity said maintainers were filing security issues across the repositories and updating recovery guidance as the investigation continued on May 23. (socket.dev) (aikido.dev)
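
The two checks that the tag-rewrite and `autoload.files` sections above, and the guidance to verify dependencies against known-good commits, amount to in practice, as an added Python example written for this page (it is not code from Socket, Aikido, StepSecurity or the Laravel-Lang maintainers): `audit_lock` compares the commit SHA that `composer.lock` records for each watched package with an allowlist of known-good commits, the one pin a moved tag cannot defeat; `scan_autoload_files` lists every installed package that registers `autoload.files`, whose code runs on every load of `vendor/autoload.php`, and scans those files for the indicators reported above (the `flipboxstudio.info` domain and disabled TLS verification). The lock fragment, the vendor tree, the SHAs and the `helpers.php` body are constructed samples; the known-good table is assumed to have been verified out of band; and the indicator regexes are assumptions about how such code might look, not the actual payload.

```python
"""Offline Composer dependency audit for a tag-rewrite supply-chain incident.

Check 1: composer.lock pins every package to a commit SHA (source.reference /
dist.reference).  Comparing those SHAs with an allowlist of known-good commits
catches a re-pointed tag, which a version constraint such as ^14.3 cannot.
Check 2: any installed package whose composer.json registers autoload.files
has code that runs on every load of vendor/autoload.php.  List those files and
scan them for the indicators reported in the incident.
"""
import json
import re

# Constructed composer.lock fragment: the package names follow the incident,
# the SHAs and the symfony entry are made up for the example.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "14.3.7",
         "source": {"type": "git", "reference": "a" * 40}},
        {"name": "laravel-lang/http-statuses", "version": "4.0.0",
         "source": {"type": "git", "reference": "b" * 40}},
        {"name": "symfony/console", "version": "v6.4.0",
         "source": {"type": "git", "reference": "c" * 40}},
    ],
    "packages-dev": [],
})

# Known-good commits, assumed to have been verified out of band (for example
# from a pre-May 22 clone).  The http-statuses entry deliberately disagrees
# with the lock file to show a rewritten tag being caught.
KNOWN_GOOD = {
    "laravel-lang/lang": {"14.3.7": "a" * 40},
    "laravel-lang/http-statuses": {"4.0.0": "d" * 40},
}


def audit_lock(lock_text, known_good, watch_prefix="laravel-lang/"):
    """Return (package, version, status, reference) for every watched package.

    status is "ok" when the locked commit matches the allowlist, "MISMATCH"
    when it does not, and "unverified" when no known-good commit is recorded.
    """
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        if not name.startswith(watch_prefix):
            continue
        ref = ((pkg.get("source") or {}).get("reference")
               or (pkg.get("dist") or {}).get("reference"))
        expected = known_good.get(name, {}).get(pkg["version"])
        if expected is None:
            status = "unverified"
        elif expected == ref:
            status = "ok"
        else:
            status = "MISMATCH"
        findings.append((name, pkg["version"], status, ref))
    return findings


# Indicator patterns: the C2 domain named in the reports, plus two common PHP
# ways of turning off TLS verification (curl option or stream context).
# These are assumptions about what such code looks like, not the real payload.
IOC_PATTERNS = {
    "c2-domain": re.compile(r"flipboxstudio\.info", re.I),
    "tls-verify-off": re.compile(
        r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*(?:false|0)\b"
        r"|['\"]verify_peer['\"]\s*=>\s*false", re.I),
}

# Constructed vendor tree: name -> (composer.json as dict, {path: contents}).
# The helpers.php body is a harmless stand-in, not the actual malware.
SAMPLE_VENDOR = {
    "laravel-lang/lang": (
        {"autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"},
                      "files": ["src/helpers.php"]}},
        {"src/helpers.php": "<?php\n$c = curl_init('https://flipboxstudio.info/x');\n"
                            "curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);\n"},
    ),
    "symfony/polyfill-mbstring": (  # legitimate autoload.files user
        {"autoload": {"files": ["bootstrap.php"]}},
        {"bootstrap.php": "<?php\nif (!function_exists('mb_strlen')) { /* polyfill */ }\n"},
    ),
    "symfony/console": ({"autoload": {"psr-4": {"Symfony\\Component\\Console\\": ""}}}, {}),
}


def scan_autoload_files(vendor):
    """Return (package, file, [indicator names]) for every autoload.files entry."""
    results = []
    for name, (composer_json, files) in vendor.items():
        for rel in composer_json.get("autoload", {}).get("files", []):
            body = files.get(rel, "")
            hits = sorted(k for k, rx in IOC_PATTERNS.items() if rx.search(body))
            results.append((name, rel, hits))
    return results


if __name__ == "__main__":
    for row in audit_lock(SAMPLE_LOCK, KNOWN_GOOD):
        print("lock  %-28s %-8s %-10s %s" % row)
    for name, rel, hits in scan_autoload_files(SAMPLE_VENDOR):
        print("files %-28s %-20s %s" % (name, rel, ", ".join(hits) or "no indicators"))
```

To run it against a real project, feed `audit_lock` the contents of the project's `composer.lock` and build the vendor map from `vendor/*/*/composer.json`. `autoload.files` is a legitimate mechanism (Symfony's polyfills use it), so the second check is a baseline to diff against, not a blocklist. Whether a tagged commit was ever on the project's own branch can be checked in a clone with `git merge-base --is-ancestor <sha> origin/main`, which fails for a commit that exists only in a fork.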

Shared from Scout - Be the smartest in the room.