Laravel Lang Composer packages hijacked through rewritten Git tags to deliver credential-stealing malware

Attackers compromised Laravel Lang localization packages so that legitimate-looking Composer installs fetched malware instead. They rewrote existing GitHub release tags across laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions to point to malicious commits in a fork, affecting hundreds of historical versions. The payload drops a PHP stealer that targets cloud keys, CI/CD secrets, SSH keys, browser data, and crypto wallets; on Windows it also launches a helper executable dubbed DebugElevator to decrypt Chromium-based browser credentials.
Why it matters: Developers and organizations that installed these packages could have had passwords, cloud credentials, and deployment secrets stolen without realizing it. Treat this as urgent: identify affected installs, remove compromised versions, rotate any exposed secrets, and review developer and build systems for follow-on access.
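
One way to start the "identify affected installs" step, as an added example that is not from the cited articles or the Laravel Lang project: it reads a `composer.lock` and lists any of the four named packages together with the commit each was pinned to. The sample lock data, version strings and commit placeholders are constructed; a listed package still needs its commit checked against the upstream repository history.

```python
import json
import sys

# Names come from the story above; "actions" is only "possibly" affected there.
AFFECTED = {
    "laravel-lang/lang": "named",
    "laravel-lang/http-statuses": "named",
    "laravel-lang/attributes": "named",
    "laravel-lang/actions": "possibly affected",
}

def find_affected(lock):
    """Return one record per listed package pinned in a parsed composer.lock."""
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = str(pkg.get("name", "")).lower()
            if name not in AFFECTED:
                continue
            source = pkg.get("source") or {}
            dist = pkg.get("dist") or {}
            hits.append({
                "name": name,
                "status": AFFECTED[name],
                "version": pkg.get("version"),
                "dev": section == "packages-dev",
                # Commit the tag resolved to when the lock was written.
                "commit": source.get("reference") or dist.get("reference"),
            })
    return hits

# Constructed sample: versions and commit ids are placeholders, not indicators.
SAMPLE_LOCK = {
    "packages": [
        {"name": "laravel/framework", "version": "0.0.0-sample"},
        {"name": "laravel-lang/lang", "version": "0.0.0-sample",
         "source": {"type": "git", "reference": "PLACEHOLDER_COMMIT_A"}},
    ],
    "packages-dev": [
        {"name": "Laravel-Lang/Attributes", "version": "0.0.0-sample",
         "dist": {"type": "zip", "reference": "PLACEHOLDER_COMMIT_B"}},
    ],
}

if __name__ == "__main__":
    locks = [json.load(open(p, encoding="utf-8")) for p in sys.argv[1:]]
    for lock in locks or [SAMPLE_LOCK]:
        for hit in find_affected(lock):
            print(json.dumps(hit))
```

Run it with one or more `composer.lock` paths as arguments; with no arguments it prints the records for the constructed sample.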

Sources

Laravel-Lang Packages Poisoned for Malware Delivery
Ionut Arghire 2026.05.25
This article covers the same Laravel-Lang package compromise and adds concrete details on the attack timeline, the four affected packages, the use of rewritten Git tags pointing to commits in a malicious fork, the C2 domain flipboxstudio[.]info, and the breadth of targeted secrets that defenders should rotate.
Laravel Lang packages hijacked to deploy credential-stealing malware
Lawrence Abrams 2026.05.23
This article establishes a distinct supply-chain attack centered on the Laravel Lang package ecosystem, with a specific compromise method (Git tag rewriting) and malware payload, and it does not match any existing tracked story.