Socket's Threat Research Team has uncovered a sophisticated supply chain attack targeting PHP developers through Packagist, the default package repository for Composer and therefore for the Laravel ecosystem. A threat actor operating under the handle nhattuanbl has been identified distributing a Remote Access Trojan (RAT) embedded within seemingly benign utility packages.
This campaign demonstrates a high level of social engineering, as the actor published three “clean” packages to establish a veneer of legitimacy before introducing the malicious code.

The investigation identified three specific packages used to propagate the infection:
- nhattuanbl/lara-helper: A utility package containing the primary RAT payload.
- nhattuanbl/simple-queue: An async queue package shipping the same malicious code as lara-helper.
- nhattuanbl/lara-swagger: A deceptive “clean” package that contains no malicious code itself but lists lara-helper as a hard dependency.
The use of lara-swagger is particularly devious. As researchers noted, “Installing this package silently pulls in the RAT automatically” because it explicitly requires the malicious lara-helper at dev-master. This pattern is described as “an effective way to slip past reviews focused only on the directly installed package”.
The RAT, delivered via src/helper.php, utilizes layered obfuscation to resist analysis, including “goto spaghetti” logic, hex-encoded strings, and randomized identifiers. Once activated during the application boot process, it spawns a detached background process to maintain a persistent connection to a command-and-control (C2) server.
The C2 server at helper[.]leuleu[.]net:2096 can issue a wide variety of commands to the compromised host:
| Command | Behavior |
|---|---|
| ping | Heartbeat, sent automatically every 60 seconds |
| info | Return full system reconnaissance to C2 |
| cmd | Run a shell command, return stdout |
| powershell | Run a PowerShell command, return stdout |
| run | Run a shell command in the background, no output returned |
| screenshot | Capture the screen using imagegrabscreen(), return as base64 PNG |
| download | Read a file from disk, return contents as base64 |
| upload | Write a file to disk from base64 data, set permissions to 0777 |
| stop | Close the socket and exit |
Because the RAT is launched from the web application's own boot process, it inherits the application's filesystem permissions and environment variables. This grants the threat actor access to “database credentials, API keys, and .env contents”.
The report warns that “Any Laravel application that installed lara-helper or simple-queue is running a persistent RAT”. While the C2 host was unresponsive at the time of publication, affected hosts remain at risk: “The RAT is still present on disk and retries the connection every 15 seconds indefinitely”.
Developers are urged to audit their composer.json and composer.lock files and immediately remove any packages authored by nhattuanbl. Checking composer.lock matters because a copy of lara-helper pulled in transitively through lara-swagger never appears in composer.json.
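As an added check (example code written for this page, not part of Socket's report or of the packages themselves), the following POSIX shell script audits a Composer project against the indicators quoted above. It lists every package under the nhattuanbl/ vendor prefix found in composer.lock, which catches lara-helper even when it was only pulled in transitively through lara-swagger, and it scans the vendor/ tree for the C2 hostname both as plain text and as a PHP \xNN hex literal, since the report says the payload hides its strings behind hex encoding. The fixture project it runs against is constructed inline; the stand-in helper.php it writes only holds the hostname as a hex literal and executes nothing. The function names and the fixture contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this page, not code from Socket's report or from the nhattuanbl packages.
# Audits a Composer project for the packages named in the article (direct or transitive) and
# for the C2 host, searched both as plain text and as a PHP \xNN hex literal, because the
# report says the payload hides its strings with hex encoding.
# Assumes the standard composer.lock / vendor/ layout produced by Composer.

VENDOR_PREFIX="nhattuanbl/"        # vendor handle from the report
C2_HOST="helper.leuleu.net"        # C2 host from the report
C2_PORT="2096"                     # C2 port from the report

# Every package name in composer.lock under the vendor prefix. composer.lock, unlike
# composer.json, also lists transitive packages, so lara-helper shows up even when it was
# only pulled in by lara-swagger's dev-master requirement.
find_vendor_packages() {
    grep -o '"name": *"[^"]*"' "$1" \
        | sed 's/"name": *"\([^"]*\)"/\1/' \
        | grep "^$VENDOR_PREFIX" \
        | sort -u
}

# PHP-style hex escape of a string: "net" -> \x6e\x65\x74
hex_escape() {
    printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n' \
        | sed 's/\([0-9a-f][0-9a-f]\)/\\x\1/g'
}

# Files under vendor/ that mention the C2 host, plain or hex-escaped (fixed-string match).
find_c2_references() {
    grep -rlF -e "$C2_HOST" -e "$(hex_escape "$C2_HOST")" "$1" 2>/dev/null | sort
}

# Constructed fixture (not a real infected tree): one clean package, the two packages from
# the article, and a stand-in helper.php that only holds the host as a hex literal.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/vendor/laravel/framework/src" \
             "$dir/vendor/nhattuanbl/lara-swagger/src" \
             "$dir/vendor/nhattuanbl/lara-helper/src"
    cat > "$dir/composer.lock" <<'EOF'
{
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "nhattuanbl/lara-swagger", "version": "dev-master",
         "require": {"nhattuanbl/lara-helper": "dev-master"}},
        {"name": "nhattuanbl/lara-helper", "version": "dev-master"}
    ],
    "packages-dev": []
}
EOF
    printf '<?php\n// clean framework file\n' > "$dir/vendor/laravel/framework/src/Application.php"
    printf '<?php\n// no payload in this package\n' > "$dir/vendor/nhattuanbl/lara-swagger/src/Swagger.php"
    printf '<?php\n$h = "%s"; $p = %s; // constructed stand-in, nothing is executed\n' \
        "$(hex_escape "$C2_HOST")" "$C2_PORT" \
        > "$dir/vendor/nhattuanbl/lara-helper/src/helper.php"
}

# Print findings for a project directory; returns 1 when anything was found, 0 when clean.
audit_project() {
    dir="$1"
    found=0
    pkgs=$(find_vendor_packages "$dir/composer.lock")
    if [ -n "$pkgs" ]; then
        echo "packages under $VENDOR_PREFIX in composer.lock (direct or transitive):"
        echo "$pkgs" | sed 's/^/  /'
        found=1
    fi
    refs=$(find_c2_references "$dir/vendor")
    if [ -n "$refs" ]; then
        echo "files referencing $C2_HOST (plain or hex-encoded):"
        echo "$refs" | sed 's/^/  /'
        found=1
    fi
    return "$found"
}

# Demo run against the constructed fixture.
WORK=$(mktemp -d)
make_fixture "$WORK"
audit_project "$WORK" \
    || echo "action: remove the packages, rotate the .env secrets, kill any process connected to $C2_HOST:$C2_PORT"
```

Against a real checkout, call audit_project on the project root instead of the fixture. A clean lock file and vendor tree produce no output and a zero exit status. On a live host, also look for the detached process itself, for example by filtering `ss -tnp` on port 2096 for an established or repeatedly retried connection, and treat every secret in that host's .env as exposed once lara-helper or simple-queue has been installed there.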