According to The Hacker News, a new software supply chain attack campaign has been identified, targeting multiple PHP packages associated with Laravel-Lang to distribute a sophisticated credential-stealing framework.The attack compromises the release process of Laravel-Lang, affecting packages like laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Researchers suspect the attacker gained access to organization-level credentials or release infrastructure, evidenced by the rapid succession of over 700 malicious version tags published on May 22 and May 23, 2026. The core malicious code, embedded in a file named "src/helpers.php," fingerprints infected hosts and contacts an external server to download a cross-platform PHP payload.This payload, executed automatically on every PHP request via composer's autoload.files, is designed to steal a vast array of sensitive information. This includes cloud credentials, authentication tokens from various platforms like DigitalOcean and Heroku, cryptocurrency wallet data, browser data from Chrome, Firefox, and Edge, password manager vaults, session tokens from applications like Discord and Slack, and configuration files containing API keys and database credentials. The collected data is encrypted using AES-256 and exfiltrated to a remote server before the malware self-deletes to hinder forensic analysis.Source: The Hacker News
Supply chain
New supply chain attack targets Laravel PHP packages with credential stealer

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



