cybersecuritynews.com web signal

Laravel-Lang packages hit 700+ repos with RCE backdoor

cybersecurity open source supply-chain-attack php composer credential-theft

Key insights

  • An attacker with push access rewrote 233 version tags across four Laravel-Lang packages in under 15 minutes on May 22.
  • The injected PHP payload targeted cloud keys, SSH credentials, crypto wallets, and passwords from 17 Chromium browsers before exfiltrating data.
  • Packagist delisted the affected versions promptly, but any CI/CD pipeline that pulled these packages during the window should rotate all secrets.

Why this matters

PHP's Composer ecosystem, like npm, relies on tag immutability as a foundational trust assumption, and this attack demonstrates that a single compromised maintainer account can silently rewrite that history across hundreds of downstream pipelines simultaneously. For AI teams running Laravel-backed APIs or tooling that depends on Composer packages, the credential stealer's explicit targeting of cloud keys means AWS, GCP, and Azure credentials used in model training or inference pipelines may have been exfiltrated. The attack's 15-minute execution window and immediate Packagist takedown reveal both how fast supply chain compromises can propagate and how little telemetry most teams have to detect tag rewrites in their dependency graphs.

Summary

A supply chain attacker with push access to the Laravel-Lang GitHub organization rewrote git tags across four widely used Composer localization packages in a 15-minute window on May 22, poisoning 233 versions and reaching over 700 downstream repositories before detection. The mechanism was surgical: rather than altering source code directly, the attacker exploited GitHub's fork-referencing feature to inject a 5,900-line PHP credential stealer via Composer's autoloader. The malware targeted cloud provider keys, browser-saved passwords across 17 Chromium-based browsers, SSH keys, and crypto wallet data, then AES-256-encrypted the haul and exfiltrated it. In short, the Laravel-Lang maintainers and Packagist sit at the center of the blast radius, with any CI/CD pipeline that pulled these packages during that window potentially compromised.

  • Affected packages: laravel-lang/lang, http-statuses, attributes, and actions
  • Packagist immediately took down the affected versions and temporarily unlisted the packages
  • Any secrets present in CI/CD environments during the exposure window should be considered stolen and rotated

This attack is a reminder that Composer's trust model, like npm's, treats tag integrity as a proxy for package integrity, and that proxy breaks the moment a single maintainer account is compromised.
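Composer's composer.lock records, for every package, the tag it resolved and the commit reference behind that tag, which is exactly the telemetry a pipeline needs to notice a rewritten tag before the next install trusts it. The following Python is an added example, not code from the article or the Laravel-Lang project: it diffs a lock file against a previously reviewed baseline and flags any package whose tag name is unchanged but whose commit moved. Package names come from the article; the commit SHAs and the lock excerpt are constructed placeholders.

```python
import json

# Constructed baseline: tag -> commit reference captured from a previously
# reviewed composer.lock. The SHAs are placeholders, not real commits.
BASELINE = {
    "laravel-lang/lang": {"version": "v15.1.0", "reference": "1111111111111111111111111111111111111111"},
    "laravel-lang/attributes": {"version": "v2.9.0", "reference": "2222222222222222222222222222222222222222"},
}

# Constructed composer.lock excerpt as resolved after a tag rewrite: the same
# tag name for laravel-lang/lang now points at a different commit.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "v15.1.0",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
                    "reference": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}},
        {"name": "laravel-lang/attributes", "version": "v2.9.0",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/attributes.git",
                    "reference": "2222222222222222222222222222222222222222"}},
    ],
    "packages-dev": [],
})

def locked_packages(lock_json: str) -> dict:
    """Map each locked package name to the tag and commit it resolved to."""
    lock = json.loads(lock_json)
    resolved = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            source = pkg.get("source") or {}
            resolved[pkg["name"]] = {
                "version": pkg.get("version"),
                "reference": source.get("reference"),
            }
    return resolved

def find_tag_rewrites(baseline: dict, current: dict) -> list:
    """Return (package, message) for every unchanged tag whose commit moved."""
    findings = []
    for name, cur in current.items():
        base = baseline.get(name)
        if base is None:
            continue  # new dependency: nothing to diff against, review it separately
        # A deliberate upgrade changes the tag too; only a same-tag SHA change is a rewrite.
        if cur["version"] == base["version"] and cur["reference"] != base["reference"]:
            findings.append((name, f"tag {cur['version']} moved from "
                                   f"{base['reference']} to {cur['reference']}"))
    return findings
```

Run it as a pre-install gate in CI and fail the build on any finding; a legitimate tag move should be rare enough that each one deserves a human look.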

Potential risks and opportunities

Risks

  • Any Laravel application deployed via CI/CD between May 22 and Packagist's takedown that cached or resolved these tags may have cloud credentials, SSH keys, or database secrets actively in attacker hands right now.
  • Organizations that do not rotate secrets proactively after this disclosure face ongoing lateral movement risk if exfiltrated cloud keys grant access to training data stores, inference infrastructure, or customer data.
  • Other maintainers in the Laravel and broader PHP ecosystem face immediate social-engineering pressure as attackers may attempt to replicate the push-access vector against adjacent high-download packages on Packagist.

Opportunities

  • Supply chain security vendors with Composer and PHP coverage (Socket.dev, Phylum, Endor Labs) have a concrete, named incident to accelerate enterprise sales cycles in the PHP ecosystem.
  • Sigstore and similar cryptographic package-signing initiatives gain a strong reference case for requiring signed tags in Packagist, potentially accelerating adoption timelines for the PHP Foundation.
  • Secrets scanning and rotation platforms (GitGuardian, Doppler, HashiCorp Vault) can use this incident to drive adoption among Laravel shops that currently store credentials as plaintext environment variables in CI/CD.

What we don't know yet

  • Attribution is unconfirmed: how the attacker obtained push access to the Laravel-Lang GitHub organization has not been publicly disclosed as of May 23.
  • Scope of actual exploitation: Packagist delisted versions quickly, but which specific downstream projects or organizations pulled the poisoned tags during the 15-minute window remains unknown.
  • Whether GitHub has revoked the fork-referencing mechanism used to inject the payload, or issued guidance on preventing tag-rewrite attacks at the organization level.