Massive Laravel-Lang Breach Sparks Cross-Platform Credential Theft

Security researchers warn of a broad compromise of Laravel-Lang PHP packages (laravel-lang/lang, http-statuses, attributes, actions) that injected a malicious src/helpers.php into autoloaded vendor files. The attack involved rapid tagging of 700+ package versions in May 2026, suggesting access to the Laravel Lang release infrastructure. The embedded dropper runs on startup and delivers a ~5,900-line PHP credential stealer that exfiltrates cloud tokens, service credentials, browser data, VPN configs and more to flipboxstudio.info, encrypts results with AES-256, and self-deletes. Windows uses a Visual Basic Script launcher; Linux/macOS execute the payload via shell. Remediation includes auditing dependencies, rotating credentials, upgrading to clean versions, and monitoring for indicators of compromise.
- Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer (The Hacker News)
- Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer (Aikido Security)
- Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets (StepSecurity)
- Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos (CyberSecurityNews)
- Laravel Lang Supply Chain Advisory (Snyk)
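
For the dependency audit mentioned in the summary, the following added example (not taken from any of the listed advisories) reads a composer.lock and reports which of the four named packages are pinned and whether each registers src/helpers.php under autoload.files. The sample lock file, its versions and its dates are constructed placeholders, and audit_lock is a hypothetical helper name.

```python
import json
import posixpath

# Package names and the injected path are the ones named in the summary above.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}
SUSPECT_FILE = "src/helpers.php"

# Constructed sample lock file; versions and dates are placeholders, not IoCs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.1-sample",
         "time": "2026-05-01T00:00:00+00:00",
         "autoload": {"files": ["./src/helpers.php"]}},
        {"name": "laravel-lang/actions", "version": "0.0.2-sample", "autoload": {}},
        {"name": "example/unrelated", "version": "0.0.3-sample",
         "autoload": {"files": ["src/helpers.php"]}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/attributes", "version": "0.0.4-sample",
         "autoload": {"files": ["src/helpers.php"]}},
    ],
})


def audit_lock(lock_text):
    """List affected packages pinned in composer.lock and whether each one
    registers SUSPECT_FILE in autoload.files (included with vendor/autoload.php)."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = str(pkg.get("name", "")).lower()
            if name not in AFFECTED:
                continue  # only the packages named in the summary are reported
            files = (pkg.get("autoload") or {}).get("files") or []
            paths = {posixpath.normpath(f.replace("\\", "/")) for f in files}
            findings.append({"name": name, "section": section,
                             "version": pkg.get("version"),
                             "released": pkg.get("time"),
                             "autoloads_helper": SUSPECT_FILE in paths})
    return findings


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        status = "REVIEW" if f["autoloads_helper"] else "pinned"
        print(f"{status:7} {f['name']} {f['version']} ({f['section']})")
```

A REVIEW line marks a pinned release to check against the clean versions given in the vendor advisories; it is a triage signal, not proof of compromise.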