Git tag hijack turns Laravel Lang releases into credential-stealing malware

TL;DR Summary
Attackers rewrote GitHub release tags across four Laravel Lang repositories to point to malicious commits, introducing a dropper in src/helpers.php that downloads a cross-platform credential stealer from flipboxstudio.info. The malware harvests cloud credentials, tokens, SSH keys, and more, with a Windows payload that drops a base64-encoded executable (DebugElevator) to steal browser data and encryption keys. Packagist removed the malicious versions; developers should audit installed versions, rotate credentials, scan for indicators of compromise, and watch for outbound connections to flipboxstudio.info.
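One way to run the audit recommended above, as an added example that is not from the original article: it lists every package under the laravel-lang Composer namespace recorded in composer.lock, together with the commit its tag resolved to at install time, and checks the installed src/helpers.php for the flipboxstudio.info download host. The function name, the default vendor/ layout and the laravel-lang/ name prefix are assumptions.

```python
import json
import sys
from pathlib import Path

IOC_DOMAIN = "flipboxstudio.info"       # download host named in the summary
VENDOR_PREFIX = "laravel-lang/"         # assumed Composer vendor namespace
DROPPER_PATH = Path("src/helpers.php")  # file the summary says carries the dropper


def audit_project(project_dir):
    """Return one finding per installed laravel-lang package (hypothetical helper)."""
    root = Path(project_dir)
    lock_file = root / "composer.lock"
    if not lock_file.is_file():
        return []
    lock = json.loads(lock_file.read_text(encoding="utf-8"))
    findings = []
    # Dev dependencies count too: they are installed on developer and CI machines.
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if not name.lower().startswith(VENDOR_PREFIX):
            continue
        helper = root / "vendor" / name / DROPPER_PATH
        ioc_hit = False
        if helper.is_file():
            # errors="replace" so an oddly encoded file cannot abort the scan
            text = helper.read_text(encoding="utf-8", errors="replace")
            ioc_hit = IOC_DOMAIN in text.lower()
        findings.append({
            "package": name,
            "version": pkg.get("version"),
            # Commit the release tag pointed to when the lock file was written
            "commit": (pkg.get("source") or {}).get("reference"),
            "helpers_present": helper.is_file(),
            "ioc_in_helpers": ioc_hit,
        })
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in audit_project(target):
        flag = "SUSPECT" if f["ioc_in_helpers"] else "review"
        print(f"{flag:8} {f['package']} {f['version']} commit={f['commit']}")
```

A package without a string match is not cleared by this alone, since the host name could be encoded in the file; the recorded commit is the value to compare against the repository's legitimate history.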
- Laravel Lang packages hijacked to deploy credential-stealing malware BleepingComputer
- Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer Aikido Security
- Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer The Hacker News
- Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets StepSecurity
- Active Exploitation Alert: Laravel Lang PHP Packages Compromised in Supply Chain Attack to Deploy Credential-Stealing Malware Rescana