Supply Chain Attack Compromises Laravel Lang Packages with Credential Stealer

Supply Chain Attack Compromises Laravel Lang Packages with Credential Stealer

First seen 23 May 2026, 06:25 UTC Aikido.DevCybersecuritynewsGbhackersThehackernewsBleepingcomputer+12 88% similarity 71.0

Article Content

Browse articles
ThreatCluster

On May 22, 2026, a supply chain attack targeted Laravel Lang localization packages, compromising 233 versions across four repositories. Attackers exploited GitHub's version tagging system to redirect legitimate tags to malicious commits in a controlled fork. This allowed the injection of a credential-stealing malware via Composer's autoloader. The malware, which is capable of harvesting various sensitive data including cloud credentials and SSH keys, was delivered through a file named 'src/helpers.php'. Security firms Aikido and Socket confirmed the attack and reported it to GitHub and Packagist, leading to the removal of the malicious versions. The attack affects developers using the Laravel ecosystem, posing a significant risk to their environments. Current remediation efforts are in place to prevent further installations of the compromised packages.

Key Points: • 233 versions of Laravel Lang packages were compromised through a supply chain attack. • Attackers manipulated GitHub tags to distribute credential-stealing malware via Composer. • The malware can harvest sensitive data, including cloud credentials and SSH keys.

ThreatCluster AI

Timeline

2026-05-22
Supply chain attack detected
Aikido and Socket discovered a supply chain attack targeting Laravel Lang packages, compromising 233 versions.
Aikido.Dev
2026-05-22
Malicious versions reported
The attack was reported to GitHub and Packagist, leading to the removal of the malicious versions.
Aikido.Dev
2026-05-23
Public disclosure of attack
BleepingComputer and other outlets published details of the attack, highlighting its sophistication and impact.
Bleepingcomputer

Community

Browse all →