Attackers compromised the Laravel Lang localization packages on GitHub and deployed credential-stealing malware through Composer, the PHP dependency manager. The threat actors exploited GitHub version tags to distribute poisoned code to developers who installed affected packages.
Laravel Lang provides localization files for the Laravel web framework. Developers use Composer to pull these packages into their projects as dependencies. The attackers hijacked the package repository and injected malicious code into specific versions, making the malware appear legitimate when developers ran standard installation commands.
The malware functions as an information stealer. Once executed during package installation or application runtime, it extracts sensitive credentials. Targeted data includes API keys, database passwords, environment variables, and authentication tokens stored in configuration files. This stolen information grants attackers direct access to backend systems, databases, and cloud infrastructure.
Supply chain attacks like this are particularly effective because developers trust established open source projects. Few developers manually review all code from every dependency their projects import. The attack surface spans thousands of projects that depend on Laravel Lang for multilingual application support.
The incident exploited a common weakness in PHP package distribution. Many developers run `composer install` or `composer update` without pinning specific package versions, so the latest available tag is pulled automatically. Attackers weaponized this behavior by pushing malicious versions to the public repository, where they remained accessible until discovery.
Organizations using Laravel and Composer should immediately audit their dependency trees. Check for any installations of affected Laravel Lang versions and verify no unauthorized code execution occurred. Review environment files, configuration repositories, and credential management systems for signs of compromise or access by unknown parties.
Remediation requires updating to patched versions once publishers release fixes and verifying that the repositories remain under legitimate control. Implementing dependency scanning tools and restricting package version updates to manual, reviewed deployments can prevent similar attacks. Organizations should also rotate any credentials that may have been exposed through compromised development environments.
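The two checks the article calls for, loose version constraints that let `composer update` pull the newest tag and locked versions that match an advisory, as an added example that is not code from the report or from the Laravel Lang project. The `composer.json` and `composer.lock` contents, the version strings, the source references and the `AFFECTED` table are all constructed placeholders; substitute the versions named in the vendor's advisory.

```python
"""Composer audit: unpinned constraints and locked versions named in an advisory."""
import json
import re

# Constructed stand-ins for a project's composer.json and composer.lock;
# every version and source reference below is made up for illustration.
COMPOSER_JSON = """{"require": {
    "laravel/framework": "^10.0",
    "laravel-lang/common": "*",
    "laravel-lang/lang": "dev-main",
    "monolog/monolog": "3.5.0"}}"""
COMPOSER_LOCK = """{"packages": [
    {"name": "laravel/framework", "version": "v10.48.0",
     "source": {"reference": "ref-framework"}},
    {"name": "laravel-lang/common", "version": "6.4.0",
     "source": {"reference": "ref-common"}},
    {"name": "laravel-lang/lang", "version": "dev-main",
     "source": {"reference": "ref-lang"}},
    {"name": "monolog/monolog", "version": "3.5.0",
     "source": {"reference": "ref-monolog"}}]}"""
# Placeholder for the affected versions an advisory would list; not real data.
AFFECTED = {"laravel-lang/common": {"6.4.0"}}

# Only an exact version ("3.5.0", "v3.5.0") is a pin; "*", dev-branches and
# ^ ~ >= ranges all let `composer update` pull whatever tag is newest.
EXACT = re.compile(r"^v?\d+(\.\d+)*$")

def unpinned(composer_json: str) -> dict:
    """Package -> constraint for each require/require-dev entry that is not exact."""
    data = json.loads(composer_json)
    return {name: c for section in ("require", "require-dev")
            for name, c in data.get(section, {}).items()
            if not EXACT.match(c.strip())}

def locked_packages(composer_lock: str) -> list:
    """Sorted (name, version, source reference) for every package in the lock."""
    data = json.loads(composer_lock)
    return sorted((p["name"], p["version"], p.get("source", {}).get("reference", "?"))
                  for section in ("packages", "packages-dev")
                  for p in data.get(section, []))

def locked_from_vendor(composer_lock: str, vendor: str) -> list:
    """Locked packages published under `vendor` (e.g. "laravel-lang")."""
    return [r for r in locked_packages(composer_lock) if r[0].startswith(vendor + "/")]

def matches_advisory(composer_lock: str, affected: dict) -> list:
    """Locked packages whose exact version appears in `affected` (name -> versions)."""
    return [r for r in locked_packages(composer_lock) if r[1] in affected.get(r[0], ())]

if __name__ == "__main__":
    print("unpinned:", unpinned(COMPOSER_JSON))
    print("affected:", matches_advisory(COMPOSER_LOCK, AFFECTED))
```

Run it against a real project by reading `composer.json` and `composer.lock` from disk into the two strings; a hit from `matches_advisory` is the trigger for credential rotation and a clean rebuild.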
