A supply chain attack compromised Laravel Lang localization packages by rewriting existing GitHub tags across four repositories rather than publishing new malicious versions, affecting up to 700 historical releases. Attackers exploited a GitHub feature allowing tags to point to commits in forked repositories, making compromised versions appear as legitimate releases when installed via Composer. The injected helpers.php file downloaded a second-stage PHP payload from flipboxstudio.info that harvested cloud credentials, Kubernetes secrets, Git credentials, SSH keys, browser data, cryptocurrency wallets, and password managers.
The malware also searched for strings matching patterns for AWS keys, GitHub tokens, Slack tokens, database credentials, and recovery phrases across Linux, macOS, and Windows systems. On Windows, the PHP payload dropped a base64-encoded executable named DebugElevator that targeted Chrome, Brave, and Edge to extract App-Bound Encryption keys. A PDB path referencing a Windows account named "Mero" and containing "claude" suggests possible AI assistance in developing the Windows malware.
The affected packages include laravel-lang/lang, http-statuses, attributes, and possibly actions. StepSecurity noted all four repositories shared the same fake author identity, modified files, and payload behavior, pointing to a single compromised account with org-wide push access. Packagist removed the malicious versions and temporarily unlisted affected packages. Developers using Laravel Lang packages should rotate exposed credentials and inspect for outbound connections to flipboxstudio.info. The Laravel Lang packages are third-party localizations and not part of the official Laravel project.
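The two response steps above (find out whether an affected package is pinned in your lock file, and look for contact with the second-stage host) can be scripted. The following is an added example written for this summary, not code from the original write-up, from StepSecurity or from the Laravel Lang project. It parses a composer.lock, reports which of the named packages are installed along with the commit hash each resolved to (the hash is what you compare against the cleaned-up upstream tags, since a rewritten tag still resolves through the upstream repository URL), scans log lines for the flipboxstudio.info domain, and flags vendor files under laravel-lang that reference that domain or are named helpers.php. The sample lock file, the commit hashes, the version strings and the log lines are constructed placeholders, not values from the incident.

```python
"""Triage helpers for the Laravel Lang tag-rewrite incident (added example)."""
import json
import os
import re

# Package names from the write-up; "actions" was listed as possibly affected.
AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

# Second-stage host named in the write-up.
IOC_DOMAIN = "flipboxstudio.info"
IOC_PATTERN = re.compile(re.escape(IOC_DOMAIN), re.IGNORECASE)

# Constructed sample composer.lock fragment; versions and commit hashes are
# placeholders, not values from the incident.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.0-placeholder",
         "source": {"type": "git",
                    "url": "https://github.com/Laravel-Lang/lang.git",
                    "reference": "0000000000000000000000000000000000000001"}},
        {"name": "laravel-lang/attributes", "version": "0.0.0-placeholder",
         "source": {"type": "git",
                    "url": "https://github.com/Laravel-Lang/attributes.git",
                    "reference": "0000000000000000000000000000000000000002"}},
        {"name": "monolog/monolog", "version": "0.0.0-placeholder",
         "source": {"type": "git",
                    "url": "https://github.com/Seldaek/monolog.git",
                    "reference": "0000000000000000000000000000000000000003"}},
    ]
})

# Constructed sample egress log lines (not real traffic).
SAMPLE_LOG_LINES = [
    "2024-01-01T00:00:00Z web-1 CONNECT packagist.org:443 200",
    "2024-01-01T00:00:01Z web-1 CONNECT FlipboxStudio.info:443 200",
    "2024-01-01T00:00:02Z web-1 CONNECT api.github.com:443 200",
]


def affected_packages_in_lock(lock_text: str) -> list[dict]:
    """Return name/version/url/commit for every affected package pinned in composer.lock.

    composer.lock records the resolved commit in source.reference. Because a
    rewritten tag still resolves through the upstream repository URL, the URL
    alone does not reveal the problem; the hash is what to compare against the
    commits the upstream tags point to after the cleanup.
    """
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in AFFECTED_PACKAGES:
                source = pkg.get("source", {})
                hits.append({
                    "name": pkg["name"],
                    "version": pkg.get("version"),
                    "url": source.get("url"),
                    "reference": source.get("reference"),
                })
    return hits


def lines_mentioning_ioc(lines) -> list[tuple[int, str]]:
    """Return (line_number, line) for every log line that mentions the indicator domain."""
    return [(i, line) for i, line in enumerate(lines, start=1) if IOC_PATTERN.search(line)]


def suspicious_vendor_files(files: dict[str, str]) -> list[str]:
    """Flag vendor files worth a manual look.

    `files` maps a vendor-relative path to its text content. A file under a
    laravel-lang package is flagged if it references the indicator domain or is
    named helpers.php (the file the write-up names as the injected one; a
    legitimate release may also ship one, so this is a review list, not a verdict).
    """
    flagged = []
    for path, content in files.items():
        parts = path.replace("\\", "/").split("/")
        if "laravel-lang" not in parts:
            continue
        if os.path.basename(path) == "helpers.php" or IOC_PATTERN.search(content):
            flagged.append(path)
    return sorted(flagged)


def load_vendor_dir(vendor_root: str) -> dict[str, str]:
    """Read vendor/laravel-lang/** into the mapping suspicious_vendor_files expects."""
    files = {}
    for dirpath, _, names in os.walk(os.path.join(vendor_root, "laravel-lang")):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, vendor_root)] = fh.read()
    return files


if __name__ == "__main__":
    for hit in affected_packages_in_lock(SAMPLE_COMPOSER_LOCK):
        print("affected package pinned:", hit)
    for lineno, line in lines_mentioning_ioc(SAMPLE_LOG_LINES):
        print(f"egress to indicator domain at line {lineno}: {line}")
```

Against a real project, pass the contents of composer.lock to affected_packages_in_lock, feed proxy or DNS logs to lines_mentioning_ioc, and run suspicious_vendor_files(load_vendor_dir("vendor")). A hit in the lock file is a reason to reinstall from the cleaned package versions and rotate the credentials listed in the write-up; a hit in the logs is a reason to treat the host as compromised.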
