Laravel-Lang Packages Poisoned for Malware Delivery

Supply Chain Security Laravel-Lang Packages Poisoned for Malware Delivery Published within a 15-minute window, the malicious tags introduced backdoors to exfiltrate CI secrets. By Ionut Arghire | May 25, 2026 (6:41 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Four popular Composer packages maintained by the Laravel-Lang organization were poisoned with malware after hackers rewrote all their Git tags, security researchers warn. The affected packages, namely laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions , are third-party localization libraries used by Laravel applications. The Laravel-Lang supply chain attack started on May 22. During a 15-minute window, the attackers published malicious version tags across three of the packages, StepSecurity says. By 00:00 UTC, May 23, all four packages had been poisoned. “The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization’s release process, rather than a single malicious package version,” Socket notes. According to the supply chain security firm, the malicious tags were published across over 700 historical versions of the four packages, potentially impacting all applications that fetched updates for them or installed them fresh. “What makes this particularly sneaky is that the malicious code was never committed to the official repos at all. GitHub allows version tags to point to commits from a fork of the same repository. The attacker exploited this to create tags pointed to commits in a malicious fork they controlled,” Aikido Security explains. Advertisement. Scroll to continue reading. The malicious version tags contained a file named src/helpers.php , posing as a Laravel localization helper. The code fingerprints the machine, then connects to the command-and-control (C&C) domain flipboxstudio[.]info to fetch a PHP credential stealer and execute it in the background. The malware was designed to harvest cloud key