A supply chain attack has compromised four Laravel-Lang PHP packages used by thousands of developers. Attackers injected malicious code into laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions to distribute a cross-platform credential stealer.
The malicious versions spread through legitimate package repositories after attackers gained access to the Laravel-Lang project. Any developer who installed or updated to the compromised versions unknowingly incorporated the credential-stealing framework into their applications. The stealer targets sensitive data including API keys, database credentials, authentication tokens, and environment variables stored in configuration files.
This attack exemplifies a critical vulnerability in open-source ecosystems. Attackers bypass traditional network defenses by poisoning trusted code libraries at the source. Applications built with infected packages become attack vectors themselves, potentially exposing data from every system that deploys them.
The Laravel-Lang packages reach a broad audience. The laravel-lang/lang repository alone has millions of downloads. Developers using these packages across web applications, backend services, and DevOps tools all face compromise risk. Threat actors harvested credentials from infected systems for lateral movement, privilege escalation, or sale on underground markets.
Security researchers identified the attack through anomalous code patterns in newly published package versions. The timing and deployment methodology suggest a coordinated operation targeting the PHP development community specifically.
Organizations using Laravel-Lang packages should immediately audit their dependencies and pull request logs. Developers must regenerate all credentials potentially exposed through compromised installations, including database passwords, API keys, and authentication secrets. Scanning application code for the injected malicious payload is essential. Package maintainers should enforce stricter access controls and implement code review processes for all releases.
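The dependency audit recommended above can start from composer.lock, which records every installed package with its version and git/dist reference. The script below is an added example written for this article, not code from the Laravel-Lang project: it parses a lockfile, reports any of the four named packages in the production or dev sections, and flags versions that appear in a caller-supplied compromised-version list (the article does not name the affected versions, so that list is a placeholder; the sample lockfile and its versions are constructed).

```python
import json

# The four packages named in the article.
AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}


def find_affected(lock_text, compromised_versions=None):
    """Scan a composer.lock document (JSON text) for the affected packages.

    Returns {package_name: {"version", "dev", "reference", "known_bad"}}.
    compromised_versions is {package_name: set_of_bad_versions}; fill it
    from the maintainers' advisory (placeholder here, the article gives none).
    """
    lock = json.loads(lock_text)
    compromised_versions = compromised_versions or {}
    found = {}
    # Composer keeps runtime deps in "packages" and dev-only deps in "packages-dev".
    for section, is_dev in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            if name not in AFFECTED_PACKAGES:
                continue
            version = pkg.get("version")
            # The git (source) or archive (dist) reference lets you compare the
            # exact artifact against what the maintainers published.
            origin = pkg.get("source") or pkg.get("dist") or {}
            found[name] = {
                "version": version,
                "dev": is_dev,
                "reference": origin.get("reference"),
                "known_bad": version in compromised_versions.get(name, set()),
            }
    return found


# Constructed sample lockfile; versions and references are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "laravel-lang/lang", "version": "99.0.0",
         "source": {"type": "git", "reference": "deadbeef"}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/attributes", "version": "99.0.1",
         "dist": {"type": "zip", "reference": "cafef00d"}},
    ],
})

if __name__ == "__main__":
    for name, info in find_affected(SAMPLE_LOCK, {"laravel-lang/lang": {"99.0.0"}}).items():
        print(f"{name} {info['version']} dev={info['dev']} ref={info['reference']} "
              f"KNOWN_BAD={info['known_bad']}")
```

Run it against a real project with `find_affected(open("composer.lock").read(), advisory_versions)`; every hit, flagged or not, should be checked against the published advisory and its credentials rotated as the article advises.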
This incident reinforces the need for Software Bill of Materials (SBOM) tracking, dependency scanning tools, and runtime integrity
