Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer

Ravie Lakshmanan, May 23, 2026, Supply Chain Attacks / Malware

Cybersecurity researchers have flagged a new software supply chain attack campaign that targets multiple PHP Laravel-Lang packages to deliver a complete credential-stealing framework.

Affected packages include –

  • laravel-lang/lang
  • laravel-lang/http-status
  • laravel-lang/properties
  • laravel-lang/actions

“The timing and pattern of the newly published tags point to a broader degradation of the Laravel Lang organization’s release process, rather than a malicious package version,” Socket said. “The tags were published in quick succession on May 22 and May 23, 2026, and multiple versions appeared in mere seconds.”

More than 700 versions associated with these packages have been identified, indicating automated batch tagging or republishing. It is suspected that the attacker gained organization-level access, or access to repository automation or release infrastructure.

The malicious code lives in a file named “src/helpers.php” included in the tainted version tags. It is designed to fingerprint the infected host and contact an external server (“flipboxstudio[.]info”) to retrieve a cross-platform PHP-based loader that works on Windows, Linux, and macOS.

According to Aikido Security, the dropper writes a Visual Basic Script launcher on Windows and executes it with cscript. On Linux and macOS, it executes the payload with exec().

“Because this file [‘src/helpers.php’] is registered in composer.json under autoload.files, the backdoor is automatically executed on every PHP request hosted by the vulnerable application,” explained Socket.

“The script generates a unique host tag (an MD5 hash that includes the directory path, system structure, and inode) to ensure that it only boots once per machine. This prevents unwanted execution and helps the malware stay undetected after the first launch.”
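The two quotes above describe the mechanism a defender can audit for: Composer's autoload.files entries run on every request, and the helper fingerprints the host with MD5 over path and inode. The following Python script is an added example, not code from Socket, Aikido or the Laravel Lang project; it walks a vendor tree, flags the four packages named in the report, and scans each autoload.files entry for the idioms described. The vendor tree, the benign package and the inert stand-in helper are constructed for the demo, and the regex heuristics are the author's own assumptions.

```python
import json
import pathlib
import re
import tempfile

# Packages named in the Socket/Aikido reports as having received tainted tags.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-status",
            "laravel-lang/properties", "laravel-lang/actions"}

# Content heuristics from the described helpers.php (assumed, not from the reports).
SUSPICIOUS = {
    "c2-domain": re.compile(r"flipboxstudio\[?\.\]?info"),
    "exec-primitive": re.compile(r"\b(exec|shell_exec|passthru|proc_open|system)\s*\("),
    "cscript-launcher": re.compile(r"cscript", re.I),
    "host-tag": re.compile(r"\bmd5\s*\(.*\b(__DIR__|getcwd|fileinode)\b", re.I | re.S),
}

def audit_vendor(vendor):
    """Return {package: [reasons]} for packages that deserve a manual look."""
    findings = {}
    for manifest in sorted(pathlib.Path(vendor).glob("*/*/composer.json")):
        data = json.loads(manifest.read_text())
        name = data.get("name", manifest.parent.name)
        reasons = {"named-in-report"} if name in AFFECTED else set()
        # Only autoload.files entries run on every request, so those get content checks.
        for rel in data.get("autoload", {}).get("files", []):
            path = manifest.parent / rel
            if path.is_file():
                src = path.read_text(errors="replace")
                reasons |= {k for k, rx in SUSPICIOUS.items() if rx.search(src)}
        if reasons:
            findings[name] = sorted(reasons)
    return findings

# Constructed demo tree: a benign package and a stand-in for a tainted laravel-lang
# tag. The stand-in carries only the fingerprint idiom and hostname as inert strings.
BENIGN = "<?php\nfunction acme_title($s) { return ucfirst($s); }\n"
STANDIN = ("<?php\n// constructed stand-in, not the real payload\n"
           "$tag = md5(__DIR__ . php_uname() . fileinode(__FILE__));\n"
           "$host = 'flipboxstudio[.]info';\n")

def build_demo_vendor():
    root = pathlib.Path(tempfile.mkdtemp())
    for name, helper in (("acme/helpers", BENIGN), ("laravel-lang/lang", STANDIN)):
        pkg = root / name
        (pkg / "src").mkdir(parents=True)
        (pkg / "src" / "helpers.php").write_text(helper)
        (pkg / "composer.json").write_text(
            json.dumps({"name": name, "autoload": {"files": ["src/helpers.php"]}}))
    return root
```

Running audit_vendor against a real project's vendor/ directory lists packages worth pulling for review; a hit on "named-in-report" alone is enough reason to pin to a version published before May 22, 2026 and diff the tag contents.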

The stealer is equipped to harvest a wide range of data from compromised systems and transfer it to the same server. This includes –

  • IAM roles and instance identity obtained by querying cloud metadata endpoints
  • Google Cloud application default credentials
  • Microsoft Azure access tokens and service key profiles
  • Kubernetes service account tokens and Helm registration settings
  • Authentication tokens for DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io
  • HashiCorp Vault tokens
  • Tokens and configurations from Jenkins, GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD
  • Seed phrases and files associated with crypto wallets (Electrum, Exodus, Atomic, Ledger Live, Trezor, Wasabi, and Sparrow) and browser wallet extensions (MetaMask, Phantom, Trust Wallet, Ronin, Keplr, Solflare, and Rabby)
  • Browser history, cookies, and login data from Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera, using an embedded Base64-encoded Windows component that can bypass Chromium’s application-bound encryption (ABE) protections
  • Local vaults and browser extension data for 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass
  • Saved sessions for PuTTY/WinSCP
  • Windows Credential Manager dumps
  • WinSCP saved sessions
  • RDP files
  • Session tokens associated with apps like Discord, Slack, and Telegram
  • Data from Microsoft Outlook, Thunderbird, and popular FTP clients (FileZilla, WinSCP, and CoreFTP)
  • Configuration and authentication files containing Docker auth tokens, SSH private keys, Git credentials, shell history files, database history files, Kubernetes cluster configuration, .env files, wp-config.php, and docker-compose.yml
  • Environment variables loaded into the PHP process
  • Source control credentials from global and local .gitconfig, .git-credentials, and .netrc files
  • VPN configurations and saved logins for OpenVPN, WireGuard, NetworkManager, and commercial VPNs like NordVPN, ExpressVPN, CyberGhost, and Mullvad

“The downloaded payload is ~5,900 PHP phishing queues, organized into fifteen special collector modules,” said Aikido researcher Ilyas Makari. “After collecting everything it could find, it encrypts the results with AES-256 and sends them to flipboxstudio[.]info/exfil. It then removes them from the disk to limit forensic evidence.”
