Laravel-Lang Composer packages — every git tag retargeted to a malicious fork commit
On 2026-05-22 an attacker with push access to the laravel-lang GitHub org retargeted every git tag in laravel-lang/lang, http-statuses, actions, and attributes to malicious fork commits. composer require/update then pulls a src/helpers.php backdoor, autoloaded on every PHP request, that exfiltrates cloud and CI/CD secrets to flipboxstudio.info.
- Detected by
- Aikido · Socket · StepSecurity
- Ecosystems
- Packagist
- Packages tracked
- 4
What happened
Between 23:41 and 23:56 UTC on 2026-05-22 (~15 minutes), an attacker with push access to the laravel-lang GitHub organisation rewrote every git tag across four widely-used Composer packages — laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes — to point at malicious commits. The malicious code was never committed to the official repositories: GitHub permits a tag to reference a commit that lives in a fork of the same repo, and the attacker abused this to retarget existing tags at commits in a fork they controlled. Packagist serves whatever commit a tag currently points at, so every published version became poisoned at once. Socket reported the backdoor reached 700+ versions across the four packages.
The payload lives in a file named src/helpers.php, added to each malicious commit and registered in composer.json under autoload.files. Because Composer eagerly loads autoload.files entries, the backdoor executes on every PHP request handled by a compromised application — not just at install time. Its Stealer class initialises roughly 17 distinct collectors, each targeting a category of secrets (cloud provider credentials, SSH keys, environment variables, database connection strings, CI/CD and registry tokens, browser data, crypto wallets) using a large dictionary of regular expressions to scrape files, databases, and env vars. Harvested data is bundled, encrypted, and exfiltrated to the C2 domain flipboxstudio.info. The malicious commits carry the placeholder author identity Your Name <you@example.com>.
Scope spans all four packages, which together are heavily used across the Laravel ecosystem — laravel-lang/http-statuses alone has ~3.6M total installs. Socket confirmed the backdoor in laravel-lang/lang@14.3.7 specifically, and the tag rewrite means all historical versions resolve to the payload; there is no safe tag, only safe commit SHAs predating the rewrite. The cleanest state is an existing composer.lock that pins each package to a commit hash from before 2026-05-22 23:41 UTC.
Mechanically this is the same tag-hijack class seen in the 2026-05-19 actions-cool GitHub Actions compromise and the GlassWorm Open VSX sleeper attacks: mutable references retargeted to attacker-controlled commits. Attribution here is open — the C2 (flipboxstudio.info) differs from the t.m-kosche.com infrastructure tied to TeamPCP/Mini Shai-Hulud, and no vendor has publicly attributed this campaign to a named actor as of 2026-05-23. Packagist responded by taking down the malicious versions and temporarily unlisting the affected packages to halt further installs; the upstream maintainers are tracking remediation in Laravel-Lang/http-statuses issue #277.
Affected packages (4)
- Packagist
laravel-lang/actions - Packagist
laravel-lang/attributes - Packagist
laravel-lang/http-statuses - Packagist
laravel-lang/lang
Impact
- Credential theft at install AND at runtime:
src/helpers.phpis registered incomposer.jsonunderautoload.files, so the backdoor runs on every PHP request — not only duringcomposer install - A stealer with ~17 collectors scrapes AWS / GCP / Azure keys, SSH keys,
.envsecrets, database credentials, CI/CD and registry tokens, browser data, and crypto wallets, then exfiltrates them toflipboxstudio.info - Every tag is poisoned (Socket counted 700+ versions across the four packages), so version constraints, semver ranges, and floating tags are all bypassed — only a pin to a known-clean commit SHA resists
composer updateagainst ANY constraint, and freshcomposer require, both pull the payload; an existingcomposer.lockpinned to a clean commit hash is the only safe state- The autoloaded backdoor yields remote code execution on any host or CI runner that installs an affected version
What to do
- 1Audit
composer.lockandcomposer.jsonforlaravel-lang/lang,laravel-lang/http-statuses,laravel-lang/actions, andlaravel-lang/attributes - 2Pin affected packages to a verified-clean commit SHA predating 2026-05-22 23:41 UTC, or remove them until clean re-releases are confirmed — do NOT trust any tag/version constraint
- 3Treat any host, CI runner, or developer machine that ran
composer install/updateon or after 2026-05-22 23:41 UTC as compromised - 4Rotate every secret reachable from those hosts: AWS/GCP/Azure keys, SSH keys, database credentials, CI/CD and npm/registry tokens, crypto-wallet keys, and browser-stored credentials
- 5Block egress to
flipboxstudio.infoon all CI/CD and production network paths; alert on outbound HTTPS to that host - 6Grep deployed vendor trees for an unexpected
vendor/laravel-lang/*/src/helpers.phpand anautoload.filesentry referencing it - 7Adopt commit-SHA pinning / Composer integrity verification for critical dependencies — git tags are mutable and this attack class will recur