Aikido.Dev
Supply Chain Attack Compromises Laravel Lang Packages with Credential Stealer
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
On May 22, 2026, a supply chain attack targeted Laravel Lang localization packages, compromising 233 versions across four repositories. Attackers exploited GitHub's version tagging system to redirect legitimate tags to malicious commits in a controlled fork. This allowed the injection of a credential-stealing malware via Composer's autoloader. The malware, which is capable of harvesting various sensitive data including cloud credentials and SSH keys, was delivered through a file named 'src/helpers.php'. Security firms Aikido and Socket confirmed the attack and reported it to GitHub and Packagist, leading to the removal of the malicious versions. The attack affects developers using the Laravel ecosystem, posing a significant risk to their environments. Current remediation efforts are in place to prevent further installations of the compromised packages.
Key Points: • 233 versions of Laravel Lang packages were compromised through a supply chain attack. • Attackers manipulated GitHub tags to distribute credential-stealing malware via Composer. • The malware can harvest sensitive data, including cloud credentials and SSH keys.