Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer

700+ versions of Laravel-Lang PHP packages backdoored via rewritten git tags to silently steal credentials from cloud, CI/CD, and developer systems. Audit and rotate now.

What’s new: A supply chain attack has compromised multiple Laravel-Lang PHP packages, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Over 700 versions were affected, with malicious code introduced through rewritten git tags. The attack enables a credential-stealing framework that executes automatically upon loading the compromised packages, targeting sensitive data across cloud services, CI/CD pipelines, and local systems.

Who’s affected

Developers and organisations using the compromised Laravel-Lang PHP packages are at risk, particularly those who have integrated these packages into production applications. The malware can exfiltrate credentials from cloud providers, CI/CD tools, and developer workstations silently.

What to do

  • Immediately audit your projects for affected Laravel-Lang packages and remove any compromised versions.
  • Monitor your systems and logs for unusual activity or signs of data exfiltration.
  • Rotate credentials for cloud services, CI/CD platforms, and any other systems that may have been exposed.
  • Implement protections against rewritten git tags — pin dependencies by commit hash where possible.
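One way to run the audit step and catch a rewritten tag, as an added example that is not code from the Laravel-Lang project or from this advisory's sources: Composer records the resolved commit for each package under `source.reference` in `composer.lock`, so the same version string pointing at a different commit than a known-good lock file is a sign the tag was moved. The function names, sample versions and placeholder hashes below are constructed for illustration.

```python
import json

# Package names taken from the advisory text.
AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

def locked_refs(lock_text):
    """Map package name -> (version, commit reference) from composer.lock JSON."""
    lock = json.loads(lock_text)
    refs = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            src = pkg.get("source") or pkg.get("dist") or {}
            refs[pkg["name"]] = (pkg.get("version"), src.get("reference"))
    return refs

def audit(baseline_text, current_text):
    """List affected packages in the current lock; flag same-version commit changes."""
    old, new = locked_refs(baseline_text), locked_refs(current_text)
    findings = []
    for name in sorted(AFFECTED & set(new)):
        version, ref = new[name]
        moved = name in old and old[name][0] == version and old[name][1] != ref
        findings.append((name, version, ref, "tag-moved" if moved else "present"))
    return findings

def _lock(entries):
    """Build a minimal composer.lock document (constructed sample data)."""
    return json.dumps({"packages": [
        {"name": n, "version": v, "source": {"type": "git", "reference": r}}
        for n, v, r in entries], "packages-dev": []})

# Constructed versions and placeholder hashes, not real indicators.
BASELINE = _lock([("laravel-lang/lang", "v1.0.0", "a" * 40),
                  ("laravel-lang/actions", "v1.0.0", "c" * 40),
                  ("example/other", "v2.0.0", "d" * 40)])
CURRENT = _lock([("laravel-lang/lang", "v1.0.0", "b" * 40),
                 ("laravel-lang/actions", "v1.0.0", "c" * 40),
                 ("example/other", "v2.0.0", "e" * 40)])

if __name__ == "__main__":
    for name, version, ref, status in audit(BASELINE, CURRENT):
        print(f"{status:9}  {name}  {version}  {ref}")
```

A `present` result only means an affected package is locked; its version and commit still need to be checked against the maintainers' list of compromised releases.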
