Supply chain

New supply chain attack targets Laravel PHP packages with credential stealer

Supply chain vulnerability being exploited through a cyber attack on text code in an editor.

According to The Hacker News, a new software supply chain attack campaign has been identified, targeting multiple PHP packages associated with Laravel-Lang to distribute a sophisticated credential-stealing framework.

The attack compromises the release process of Laravel-Lang, affecting packages like laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Researchers suspect the attacker gained access to organization-level credentials or release infrastructure, evidenced by the rapid succession of over 700 malicious version tags published on May 22 and May 23, 2026. The core malicious code, embedded in a file named "src/helpers.php," fingerprints infected hosts and contacts an external server to download a cross-platform PHP payload.

This payload, executed automatically on every PHP request via composer's autoload.files, is designed to steal a vast array of sensitive information. This includes cloud credentials, authentication tokens from various platforms like DigitalOcean and Heroku, cryptocurrency wallet data, browser data from Chrome, Firefox, and Edge, password manager vaults, session tokens from applications like Discord and Slack, and configuration files containing API keys and database credentials. The collected data is encrypted using AES-256 and exfiltrated to a remote server before the malware self-deletes to hinder forensic analysis.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds