A major supply chain attack has targeted the Laravel-Lang ecosystem, compromising 233 package versions across 700 GitHub repositories. The attackers inserted remote code execution backdoors capable of stealing credentials by manipulating GitHub's version tagging system without direct commits. This allowed them to distribute malware through Composer’s autoloader, providing them with complete remote access to developer environments. Discovered by cybersecurity firms Socket and Aikido in May 2026, the attack involved redirecting legitimate tags to a malicious fork, which executed the backdoor automatically when developers pulled the affected localization packages via Packagist. The malware, hidden using a sophisticated dropper disguised as a standard Laravel localization function, bypassed standard audits and inherited full web application permissions. It disabled SSL verification and fetched a secondary script from an obfuscated command-and-control server, launching it silently. The secondary payload was a PHP credential stealer with 15 specialized modules targeting sensitive developer secrets, including cloud metadata and database credentials. After collecting these secrets, the malware encrypted the data using AES-256 before exfiltrating it and deleting itself to evade detection. Security experts urge developers to immediately rotate all application secrets, database credentials, and API keys exposed to the compromised environments. Development teams should also inspect their composer.lock files to block affected packages and monitor outbound network traffic for suspicious activity. Systems running compromised packages should be rebuilt from known-good images to ensure the threat is completely eradicated.
Laravel-Lang Ecosystem Hit by Sophisticated Supply Chain Attack
Attacker-inserted backdoors via GitHub tags affected numerous Laravel-Lang packages. Audit dependencies and rotate credentials.


