project: unknownMission Request
← Back to Data Breaches
Data Breaches5 min read

Laravel Lang Supply Chain Compromise: Backdoors, Credential Theft, and 700+ Affected Package Versions

Overview

Laravel Lang provides localization resources used by Laravel applications. According to Socket's analysis, the compromise involved newly published tags across several repositories in the same GitHub organization. The tags appeared rapidly on May 22 and May 23, 2026, with many versions created only seconds apart. This pattern suggested a broader compromise of release infrastructure rather than a single malicious version.

The primary risk came from malicious code placed in a helper file that was registered in Composer's autoload configuration. Composer can automatically load files listed in autoload.files when an application initializes its dependencies. Because of this, affected Laravel applications may have executed the backdoor during normal runtime without developers directly calling the malicious file.

How the Backdoor Worked

The malicious code was designed to retrieve and run a second-stage payload. It attempted to contact attacker-controlled infrastructure, download additional code, store it temporarily, and execute it in the background.

The attack was cross-platform. On Unix-like systems, the malware used PHP execution through system commands. On Windows systems, it used script execution techniques to launch the payload. This design allowed the backdoor to operate across developer laptops, servers, containers, and CI/CD environments.

The malware also used evasion techniques. It constructed some values dynamically at runtime, reduced obvious static indicators, and generated a host-specific marker so that execution would not repeat unnecessarily on the same machine.

Payload Capabilities

Socket described the second-stage payload as a cross-platform PHP information stealer targeting Linux, macOS, and Windows systems. Its goal was not limited to remote access. It was designed to collect credentials, secrets, configuration files, tokens, and sensitive local data from servers, containers, CI systems, and developer workstations.

The payload included collectors for:

  • Cloud credentials and metadata service access
  • Kubernetes tokens and Vault tokens
  • CI/CD secrets and pipeline credentials
  • Git credentials and SSH keys
  • Docker credentials and registry tokens
  • Environment variables and .env files
  • Browser data and password manager data
  • VPN profiles and cryptocurrency wallet files
  • Local application configuration files

This made the compromise especially serious because affected systems may have had access to production secrets, deployment credentials, cloud metadata services, and source control tokens.

Why Composer Autoload Made the Attack Dangerous

Composer's autoload feature is normally used to make package code available automatically. The autoload.files option is often used for helper functions that need to be loaded globally — small utilities that should be available across the application without explicit imports.

In this incident, the malicious helper file was placed where Composer would load it automatically during application initialization. That meant the package could execute code as part of normal application startup, before any application logic ran.

A dependency that appeared to provide localization files could therefore become a path to remote code execution and credential theft — triggered simply by running the application or a deployment pipeline that pulled fresh dependencies.

Affected Packages

Socket identified multiple Laravel Lang packages as affected or involved in the coordinated suspicious activity:

  • laravel-lang/lang
  • laravel-lang/http-statuses
  • laravel-lang/attributes
  • laravel-lang/actions

The activity affected hundreds of historical versions, with Socket describing the total scope as roughly 700+ compromised versions spread across these repositories.

Remediation Steps

Organizations using Laravel Lang packages should treat affected systems as potentially compromised. Removing the package alone is not enough, because secrets may already have been collected and exfiltrated before remediation.

Immediate response steps:

  • Review composer.lock for the affected packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions)
  • Remove or replace compromised versions and update to safe, verified releases
  • Rebuild affected hosts, containers, and CI runners from known-good images where possible
  • Preserve logs and artifacts before cleanup — do not wipe systems before capturing evidence

Credential rotation:

Security teams should rotate all credentials that may have been accessible from affected systems, including:

  • Cloud provider keys (AWS, Azure, GCP)
  • Kubernetes credentials and service account tokens
  • Vault tokens and secrets manager credentials
  • CI/CD platform secrets (GitHub Actions, GitLab, CircleCI, and similar)
  • Git provider tokens and personal access tokens
  • SSH keys
  • Docker registry credentials
  • Laravel application keys and database credentials
  • Webhook secrets and API keys stored in environment variables

Log sources to review:

Relevant evidence sources include Composer files and installation logs, deployment logs, DNS logs and outbound network connections from application hosts, cloud audit logs, Kubernetes audit logs, CI/CD job logs, and host-level process activity around the dates of May 22 and May 23, 2026.

Security Lessons

This incident shows how dependency compromise can become an infrastructure-level security issue. A localization package may seem low risk, but if it executes automatically through a package manager, it can expose production systems and developer environments to the same risks as a direct server compromise.

The compromise also highlights the importance of monitoring dependency changes. Sudden package updates, mass tag creation across a GitHub organization, unexpected changes to autoload.files, and new outbound network behavior from application processes should all be treated as warning signs requiring investigation.

Key takeaways for teams using Composer-based projects:

  • Pin dependencies using composer.lock and review it when upgrading
  • Audit `autoload.files` — files listed there execute on every request cycle
  • Monitor package activity for unusual release patterns, especially rapid multi-version publishing
  • Limit secret exposure in CI/CD environments to only the credentials each job needs
  • Establish a rapid rotation process for credentials when a trusted package becomes malicious

Open source security depends on more than package popularity. It requires dependency review, lockfile monitoring, runtime detection, least-privilege secret access, and a clear incident response process for the moment a package you trust is no longer trustworthy.

Sources: - Socket — Laravel Lang Compromise (full technical analysis)