A major software supply-chain storm is brewing in the PHP ecosystem. Security firm Socket has exposed a sweeping compromise targeting the community-maintained Laravel Lang GitHub organization. The intrusion has injected malicious remote code execution (RCE) backdoors across roughly 700+ historical versions of widely used localization packages.
To clarify the scope, Socket’s report notes:
“The affected packages are not part of the official Laravel framework. They are third-party localization packages used by Laravel applications.”
Despite being third-party, the danger to production environments is massive. Any application that installs one of the compromised versions executes the malicious code automatically, as soon as Composer’s autoloader initializes.
Coordinated Automation: The Attack Pattern
On May 22 and May 23, 2026, defenders tracked a highly unusual pattern of rapid-fire tag publishing across multiple repositories in the organization, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions.
According to Socket’s analysis:
“Many of these tags were created seconds apart, a pattern that is unusual for normal package maintenance and consistent with automated mass tagging or republishing.”
This high-speed automation points to a broad breach of the organization’s release infrastructure or credential store, rather than an isolated incident on a single repository.
Under the Hood: The Multi-Stage Infection
The primary infection vector is hidden within src/helpers.php. Because this file is registered in composer.json under autoload.files, “the backdoor is executed automatically on every PHP request handled by the compromised application.”
The execution chain relies on several deliberate stealth tactics:
- C2 Deobfuscation: The script avoids static string scanners by dynamically rebuilding its Command and Control (C2) hostname (flipboxstudio[.]info) at runtime using character codes.
- Payload Retrieval: It reaches out to pull down a second-stage payload, explicitly disabling TLS verification to bypass potential security proxy interceptions.
- Cross-Platform Execution: The downloaded script places itself in a hidden temp directory and executes in the background, using native background PHP execution on Unix systems or using cscript to deploy a .vbs script on Windows.
The Real Menace: A 17-Collector Info-Stealer
Once the second stage drops, it reveals itself to be a highly advanced, cross-platform credential harvesting framework rather than a simple command shell. It initializes 17 distinct “Collectors” designed to completely scrape infected systems:
- Cloud & Infrastructure: Targets local configurations and queries cloud metadata endpoints (like AWS EC2 IMDS) to steal IAM roles and environment variables from Azure, Google Cloud, and Heroku.
- DevOps Pipelines & Secrets: Dumps Kubernetes Service Account tokens, strips local kubeconfig configurations, recursively queries HashiCorp Vault APIs, and pillages build servers like Jenkins and GitHub Actions.
- Local Wallets & Browsers: Scans for cryptocurrency seed files and utilizes an embedded Windows executable (DebugChromium.exe) explicitly crafted to bypass modern Chrome App-Bound Encryption to strip master keys and saved browser credentials.
Incident Response Action Items
From senior CISOs overseeing infrastructure to junior administrators maintaining standalone applications, immediate action is required. Affected systems must be treated as actively compromised.
- Audit and Block: Inspect your composer.lock files immediately for any laravel-lang packages and block updates until verified clean releases are published.
- Rotate Everything: Because the stealer targets nearly every tier of infrastructure credentials, you must thoroughly rotate cloud keys, Kubernetes tokens, Vault secrets, SSH keys, database passwords, and your application’s APP_KEY.
- Purge and Rebuild: Rebuild compromised application hosts, containers, and CI runners entirely from known-good images.
- Preserve Evidence: Ensure you preserve process execution logs, composer.lock artifacts, network/DNS logs, and temporary directory contents for deeper forensic reviews.
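The first action item above, inspecting composer.lock for laravel-lang packages, as an added example (not code from Socket or from the Laravel Lang project). It walks both the packages and packages-dev sections and, for each laravel-lang package, records whether it registers an autoload files entry such as src/helpers.php, the hook the backdoor used; such an entry is a review signal, not proof of compromise. The lock-file content is constructed for the example and the version strings are placeholders.

```python
import json

# Constructed composer.lock fragment (not a real lock file); the versions are
# placeholders and the laravel-lang/lang entry mirrors the autoload.files hook
# described in the article.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v0.0.0-placeholder",
         "autoload": {"psr-4": {"Illuminate\\": "src/Illuminate/"}}},
        {"name": "laravel-lang/lang", "version": "0.0.0-placeholder",
         "autoload": {"files": ["src/helpers.php"],
                      "psr-4": {"LaravelLang\\Lang\\": "src/"}}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/attributes", "version": "0.0.0-placeholder",
         "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"}}},
    ],
})


def audit_lock(lock_text, vendor="laravel-lang", helper="src/helpers.php"):
    """Return one finding per installed package from the given vendor.

    Each finding records the lock section, the pinned version, every
    autoload 'files' entry (code Composer runs on every request) and whether
    the helper path named in the article is among them."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if not name.startswith(vendor + "/"):
                continue
            files = pkg.get("autoload", {}).get("files", [])
            findings.append({
                "section": section,
                "name": name,
                "version": pkg.get("version", "?"),
                "autoload_files": files,
                "helper_hook": helper in files,
            })
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOCK with open("composer.lock").read() on a real host.
    for f in audit_lock(SAMPLE_LOCK):
        flag = "REVIEW autoload.files" if f["helper_hook"] else "pinned"
        print(f"{f['section']}: {f['name']} {f['version']} [{flag}] {f['autoload_files']}")
```

Any package the script lists should be held at its current pin (or removed) until a verified clean release exists, and a REVIEW flag means the vendored src/helpers.php itself must be read before the host is trusted.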