Feed
CriticalPublished 22 May 2026Updated 29 May 20264 packages · 0 versions

Laravel-Lang Composer packages — every git tag retargeted to a malicious fork commit

Summary

On 2026-05-22 an attacker with push access to the laravel-lang GitHub org retargeted every git tag in laravel-lang/lang, http-statuses, actions, and attributes to malicious fork commits. composer require/update then pulls a src/helpers.php backdoor, autoloaded on every PHP request, that exfiltrates cloud and CI/CD secrets to flipboxstudio.info.

account-takeoverci-cd-compromisecredential-theftinfostealercrypto-wallet-drainobfuscation
Detected by
Aikido · Socket · StepSecurity
Ecosystems
Packagist
Packages tracked
4

What happened

Between 23:41 and 23:56 UTC on 2026-05-22 (~15 minutes), an attacker with push access to the laravel-lang GitHub organisation rewrote every git tag across four widely-used Composer packages — laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes — to point at malicious commits. The malicious code was never committed to the official repositories: GitHub permits a tag to reference a commit that lives in a fork of the same repo, and the attacker abused this to retarget existing tags at commits in a fork they controlled. Packagist serves whatever commit a tag currently points at, so every published version became poisoned at once. Socket reported the backdoor reached 700+ versions across the four packages.

The payload lives in a file named src/helpers.php, added to each malicious commit and registered in composer.json under autoload.files. Because Composer eagerly loads autoload.files entries, the backdoor executes on every PHP request handled by a compromised application — not just at install time. Its Stealer class initialises roughly 17 distinct collectors, each targeting a category of secrets (cloud provider credentials, SSH keys, environment variables, database connection strings, CI/CD and registry tokens, browser data, crypto wallets) using a large dictionary of regular expressions to scrape files, databases, and env vars. Harvested data is bundled, encrypted, and exfiltrated to the C2 domain flipboxstudio.info. The malicious commits carry the placeholder author identity Your Name <you@example.com>.

Scope spans all four packages, which together are heavily used across the Laravel ecosystem — laravel-lang/http-statuses alone has ~3.6M total installs. Socket confirmed the backdoor in laravel-lang/lang@14.3.7 specifically, and the tag rewrite means all historical versions resolve to the payload; there is no safe tag, only safe commit SHAs predating the rewrite. The cleanest state is an existing composer.lock that pins each package to a commit hash from before 2026-05-22 23:41 UTC.

Mechanically this is the same tag-hijack class seen in the 2026-05-19 actions-cool GitHub Actions compromise and the GlassWorm Open VSX sleeper attacks: mutable references retargeted to attacker-controlled commits. Attribution here is open — the C2 (flipboxstudio.info) differs from the t.m-kosche.com infrastructure tied to TeamPCP/Mini Shai-Hulud, and no vendor has publicly attributed this campaign to a named actor as of 2026-05-23. Packagist responded by taking down the malicious versions and temporarily unlisting the affected packages to halt further installs; the upstream maintainers are tracking remediation in Laravel-Lang/http-statuses issue #277.

Affected packages (4)

  • Packagistlaravel-lang/actions
  • Packagistlaravel-lang/attributes
  • Packagistlaravel-lang/http-statuses
  • Packagistlaravel-lang/lang

Impact

  • Credential theft at install AND at runtime: src/helpers.php is registered in composer.json under autoload.files, so the backdoor runs on every PHP request — not only during composer install
  • A stealer with ~17 collectors scrapes AWS / GCP / Azure keys, SSH keys, .env secrets, database credentials, CI/CD and registry tokens, browser data, and crypto wallets, then exfiltrates them to flipboxstudio.info
  • Every tag is poisoned (Socket counted 700+ versions across the four packages), so version constraints, semver ranges, and floating tags are all bypassed — only a pin to a known-clean commit SHA resists
  • composer update against ANY constraint, and fresh composer require, both pull the payload; an existing composer.lock pinned to a clean commit hash is the only safe state
  • The autoloaded backdoor yields remote code execution on any host or CI runner that installs an affected version

What to do

  1. 1Audit composer.lock and composer.json for laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes
  2. 2Pin affected packages to a verified-clean commit SHA predating 2026-05-22 23:41 UTC, or remove them until clean re-releases are confirmed — do NOT trust any tag/version constraint
  3. 3Treat any host, CI runner, or developer machine that ran composer install/update on or after 2026-05-22 23:41 UTC as compromised
  4. 4Rotate every secret reachable from those hosts: AWS/GCP/Azure keys, SSH keys, database credentials, CI/CD and npm/registry tokens, crypto-wallet keys, and browser-stored credentials
  5. 5Block egress to flipboxstudio.info on all CI/CD and production network paths; alert on outbound HTTPS to that host
  6. 6Grep deployed vendor trees for an unexpected vendor/laravel-lang/*/src/helpers.php and an autoload.files entry referencing it
  7. 7Adopt commit-SHA pinning / Composer integrity verification for critical dependencies — git tags are mutable and this attack class will recur

References

packagist-2026-05-22-laravel-lang-tag-hijack