
CRITICAL: Laravel-Lang Supply Chain Compromise (Cross-Platform PHP Credential Stealer Campaign)
Tags: supply-chain, PHP, credential-theft, Megalodon, CI/CD
Currently unattributed threat actors rewrote git tags across four Laravel-Lang Composer packages between 22 and 23 May 2026, so that downstream installs resolving those tags fetched a malicious commit instead of the legitimate release. The commit adds a PHP credential-stealing dropper (src/helpers.php) registered under Composer's autoload.files, which every application that installs the package loads on each request. The dropper pulls a ~5,900-line stealer payload from flipboxstudio[.]info and harvests cloud, CI/CD, browser, cryptocurrency-wallet, password-manager and VPN credentials. The activity overlaps in time with a parallel compromise of eight Packagist packages and with the broader Megalodon GitHub Actions intrusion.
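Three checks a downstream consumer can run offline to catch the injection described above: drift of the pinned source.reference SHA for laravel-lang/* packages in composer.lock, an autoload.files entry pointing at src/helpers.php in a vendored composer.json, and the array_map('chr', [...]) string-hiding stub used to conceal the C2 host. This is an added Python example, not code from the advisory, from Laravel-Lang or from Composer. The lock file, manifests, baseline SHAs and helper file are constructed for illustration, and the hidden literal decodes to a placeholder (https://example.invalid) rather than the real C2 domain.

```python
"""Added example (not part of the advisory): three offline checks over Composer
artifacts.  All sample data below is constructed for illustration."""
import json
import re

# Check 1 (T1195.001): has the pinned git commit of any laravel-lang/* package
# in composer.lock drifted from the SHA recorded at the last review?
def lock_reference_drift(lock_json, baseline, name_prefix="laravel-lang/"):
    """Return {package: (expected_sha, actual_sha)} for every package under
    name_prefix whose source.reference is missing from, or differs from, baseline."""
    lock = json.loads(lock_json)
    drift = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if not name.startswith(name_prefix):
            continue
        actual = (pkg.get("source") or {}).get("reference")
        expected = baseline.get(name)
        if actual != expected:
            drift[name] = (expected, actual)
    return drift

# Check 2 (T1195.002): does any vendored composer.json register src/helpers.php
# under autoload.files?  Composer requires such files on every request, so an
# entry here runs before the application's own code.
def suspicious_autoload_files(manifests, trusted=frozenset()):
    """manifests: {package_name: composer.json text}.  Returns [(package, path)]
    for autoload.files entries ending in src/helpers.php in untrusted packages."""
    hits = []
    for name, text in manifests.items():
        if name in trusted:
            continue
        files = (json.loads(text).get("autoload") or {}).get("files") or []
        for entry in files:
            if entry.replace("\\", "/").endswith("src/helpers.php"):
                hits.append((name, entry))
    return hits

# Check 3 (T1027): array_map('chr', [ints...]) with a long integer array, the
# runtime string-deobfuscation stub the detection table describes; decode it.
CHR_ARRAY = re.compile(r"array_map\s*\(\s*['\"]chr['\"]\s*,\s*\[([0-9\s,]+)\]\s*\)")

def chr_array_findings(php_source, min_len=16):
    """Return [(int_count, decoded_string)] for each match with >= min_len ints."""
    findings = []
    for m in CHR_ARRAY.finditer(php_source):
        ints = [int(x) for x in m.group(1).split(",") if x.strip()]
        if len(ints) >= min_len:
            decoded = "".join(chr(i) if 32 <= i < 127 else "?" for i in ints)
            findings.append((len(ints), decoded))
    return findings

# ---- constructed sample inputs (placeholder SHAs, not real commits) ----
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/common",     "source": {"type": "git", "reference": "b" * 40}},
    {"name": "laravel-lang/attributes", "source": {"type": "git", "reference": "a" * 40}},
    {"name": "monolog/monolog",         "source": {"type": "git", "reference": "c" * 40}},
]})
BASELINE = {"laravel-lang/common": "a" * 40, "laravel-lang/attributes": "a" * 40}

SAMPLE_MANIFESTS = {
    "laravel-lang/common": json.dumps({"name": "laravel-lang/common", "autoload": {
        "psr-4": {"LaravelLang\\Common\\": "src/"}, "files": ["src/helpers.php"]}}),
    "monolog/monolog": json.dumps({"name": "monolog/monolog", "autoload": {
        "psr-4": {"Monolog\\": "src/Monolog"}}}),
}

# Hidden literal is the placeholder https://example.invalid, not the real C2 host.
SAMPLE_HELPER = """<?php
$u = implode('', array_map('chr', [104,116,116,112,115,58,47,47,101,120,97,109,112,
    108,101,46,105,110,118,97,108,105,100]));
$k = implode('', array_map('chr', [111,107]));   // short array: below threshold
"""

def run_all():
    """Run all three checks against the constructed samples."""
    return {
        "lock_drift": lock_reference_drift(SAMPLE_LOCK, BASELINE),
        "autoload_hits": suspicious_autoload_files(SAMPLE_MANIFESTS),
        "chr_findings": chr_array_findings(SAMPLE_HELPER),
    }

if __name__ == "__main__":
    for check, result in run_all().items():
        print(check, result)
```

In a real pipeline the baseline SHAs come from the composer.lock committed at the last review, the manifests from vendor/*/*/composer.json, and the trusted set from the maintainers you have verified; the chr threshold of 16 integers matches the table's T1027 row and filters out the short arrays legitimate code occasionally uses.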
Indicators of Compromise
flipboxstudio[.]info (domain; source: AlienVault, 2026-05-25)
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access | Alert when the composer.lock source.reference SHA for any laravel-lang/* package changes; cross-reference the new SHA against the upstream commit author identity. | composer.lock diff, CI pipeline logs, git audit log |
| T1195.002 | Compromise Software Supply Chain | Initial Access | Hunt for src/helpers.php registered under autoload.files in composer.json where the maintainer is not in the trusted set, especially in laravel-lang/* trees. | FIM on vendor/, package registry audit logs, Composer install events |
| T1059.004 | Unix Shell | Execution | Alert on php-fpm / php-cgi processes spawning sh / bash with arguments referencing /tmp, sys_get_temp_dir, or background exec()-style patterns. | auditd execve, Sysmon for Linux EID 1, EDR process-tree telemetry |
| T1059.005 | Visual Basic | Execution | Detect cscript.exe whose parent process is w3wp.exe / php-cgi.exe; flag .vbs files written to %TEMP% with subsequent outbound network connection. | Windows Event 4688, Sysmon EID 1/11, EDR |
| T1071.001 | Web Protocols | Command and Control | DNS resolution and HTTPS POST to flipboxstudio[.]info (any path), particularly /payload and /exfil. Apply across all PHP / web service estate. | DNS query logs, egress proxy, NetFlow/IPFIX, JA3/JA4 |
| T1552.001 | Credentials In Files | Credential Access | File read of .env, wp-config.php, .git-credentials, .netrc, /root/.ssh/id_* by a PHP process or unknown binary outside normal application paths. | auditd file watches, EDR file-access telemetry |
| T1552.005 | Cloud Instance Metadata API | Credential Access | Alert on PHP / web process reaching 169.254.169.254 (latest/meta-data or instance-identity); correlate with token use in CloudTrail / GCP audit / Azure activity logs. | VPC flow logs, CloudTrail, GuardDuty, IMDSv2 anomaly detection |
| T1027 | Obfuscated Files or Information | Defense Evasion | Static-scan PHP files for array_map('chr', […]) with integer arrays of length ≥ 16 (the runtime C2 deobfuscation pattern in helpers.php). | SAST scanner, YARA on vendor/ trees, git-pre-commit hooks |
| T1070.004 | File Deletion | Defense Evasion | Alert when a PHP-spawned process deletes its own script or files matching .laravel_locale/* markers shortly after an egress beacon. | auditd, Sysmon for Linux EID 23, EDR file-deletion events |
| T1041 | Exfiltration Over C2 Channel | Exfiltration | Threshold-alert on outbound HTTPS POST size from a PHP / web process > 1 MB to non-business destinations within 60s of /payload retrieval. | NetFlow/IPFIX, egress proxy, DLP |
| T1005 | Data from Local System | Collection | Alert on access to common cryptocurrency-wallet file paths (Electrum/, Exodus/, MetaMask/, Phantom/, Trust/, Ledger Live/) by a PHP process. | FIM, EDR file-access telemetry |
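The process-tree and metadata-endpoint rows of the table (T1059.004, T1059.005 and T1552.005), as detection logic evaluated over a constructed event stream. This is an added Python example, not code from the advisory or from any EDR vendor; the flat event schema (type, image, parent_image, cmdline, dst) is an assumption standing in for whatever your telemetry normalizes auditd, Sysmon or EDR records into, and every event below is constructed.

```python
"""Added example (not part of the advisory): three rules from the detection
table run over a constructed, normalized process/network event stream."""
import ipaddress

# Assumed normalized schema: each event is a dict with "type" ("process" or
# "network"), "image", "parent_image" (process only), "cmdline", "dst" (network).
PHP_WORKERS = {"php-fpm", "php-cgi", "php", "w3wp.exe", "php-cgi.exe"}
SHELLS = {"sh", "bash", "dash"}
# Command-line markers from the T1059.004 row: temp dirs and backgrounding.
TMP_MARKERS = ("/tmp", "sys_get_temp_dir", "nohup ", " &")
IMDS = ipaddress.ip_address("169.254.169.254")

def basename(path):
    """Last path component, case-folded, for both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def rule_php_shell(ev):
    """T1059.004: PHP worker spawns a shell whose arguments touch temp/background."""
    return (ev.get("type") == "process"
            and basename(ev.get("parent_image", "")) in PHP_WORKERS
            and basename(ev.get("image", "")) in SHELLS
            and any(m in ev.get("cmdline", "") for m in TMP_MARKERS))

def rule_vbs_from_web(ev):
    """T1059.005: cscript.exe launched by w3wp.exe / php-cgi.exe with a .vbs."""
    return (ev.get("type") == "process"
            and basename(ev.get("image", "")) == "cscript.exe"
            and basename(ev.get("parent_image", "")) in {"w3wp.exe", "php-cgi.exe"}
            and ".vbs" in ev.get("cmdline", "").lower())

def rule_imds_from_php(ev):
    """T1552.005: PHP worker connects to the cloud instance metadata endpoint."""
    if ev.get("type") != "network":
        return False
    try:
        dst = ipaddress.ip_address(ev.get("dst", ""))
    except ValueError:
        return False
    return dst == IMDS and basename(ev.get("image", "")) in PHP_WORKERS

RULES = {
    "T1059.004": rule_php_shell,
    "T1059.005": rule_vbs_from_web,
    "T1552.005": rule_imds_from_php,
}

def evaluate(events):
    """Return [(event_index, technique_id)] for every rule that fires."""
    return [(i, tid) for i, ev in enumerate(events)
            for tid, rule in RULES.items() if rule(ev)]

# Constructed events: three true positives and three benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": "/usr/sbin/php-fpm", "image": "/bin/sh",
     "cmdline": "sh -c 'nohup php /tmp/.laravel_locale/x.php >/dev/null 2>&1 &'"},
    {"type": "process", "parent_image": "/usr/sbin/php-fpm", "image": "/bin/sh",
     "cmdline": "sh -c 'ls /var/www'"},
    {"type": "process", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cscript.exe",
     "cmdline": "cscript.exe //nologo C:\\Windows\\Temp\\loc.vbs"},
    {"type": "network", "image": "/usr/sbin/php-fpm", "dst": "169.254.169.254"},
    {"type": "network", "image": "/usr/bin/curl", "dst": "169.254.169.254"},
    {"type": "process", "parent_image": "/usr/sbin/cron", "image": "/bin/sh",
     "cmdline": "sh -c 'rm -rf /tmp/cache'"},
]

if __name__ == "__main__":
    for idx, tid in evaluate(SAMPLE_EVENTS):
        print(tid, SAMPLE_EVENTS[idx])
```

The benign look-alikes matter as much as the hits: a shell from php-fpm without temp or backgrounding markers, curl (not a PHP worker) hitting IMDS, and cron cleaning /tmp all stay silent, which is what keeps these rules usable on a busy web tier.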
Observed Countries (250)
AD (30)
AE (879)
AF (12)
AG (629)
AI (269)
AL (887)
AM (604)
AO (639)
AQ (114)
AR (625)
AS (750)
AT (354)
AU (952)
AW (261)
AX (412)
AZ (377)
BA (249)
BB (524)
BD (709)
BE (588)
BF (427)
BG (913)
BH (44)
BI (375)
BJ (610)
BL (331)
BM (477)
BN (628)
BO (18)
BQ (145)
BR (683)
BS (267)
BT (493)
BV (87)
BW (18)
BY (349)
BZ (86)
CA (652)
CC (538)
CD (929)
CF (516)
CG (140)
CH (359)
CI (841)
CK (513)
CL (431)
CM (521)
CN (660)
CO (523)
CR (494)
CU (134)
CV (376)
CW (934)
CX (309)
CY (229)
CZ (749)
DE (480)
DJ (506)
DK (866)
DM (517)
DO (999)
DZ (495)
EC (218)
EE (217)
EG (487)
EH (359)
ER (687)
ES (356)
ET (57)
FI (381)
FJ (952)
FK (581)
FM (793)
FO (211)
FR (211)
GA (195)
GB (546)
GD (848)
GE (509)
GF (405)
GG (308)
GH (461)
GI (440)
GL (254)
GM (706)
GN (206)
GP (8)
GQ (502)
GR (224)
GS (956)
GT (606)
GU (14)
GW (755)
GY (740)
HK (998)
HM (684)
HN (618)
HR (209)
HT (110)
HU (298)
ID (492)
IE (184)
IL (537)
IM (251)
IN (874)
IO (404)
IQ (949)
IR (597)
IS (646)
IT (301)
JE (64)
JM (183)
JO (210)
JP (217)
KE (361)
KG (176)
KH (472)
KI (817)
KM (31)
KN (711)
KP (487)
KR (187)
KW (757)
KY (625)
KZ (393)
LA (128)
LB (856)
LC (201)
LI (608)
LK (373)
LR (626)
LS (12)
LT (837)
LU (828)
LV (415)
LY (538)
MA (497)
MC (838)
MD (420)
ME (122)
MF (814)
MG (74)
MH (578)
MK (424)
ML (453)
MM (832)
MN (343)
MO (2)
MP (87)
MQ (682)
MR (156)
MS (76)
MT (184)
MU (965)
MV (985)
MW (996)
MX (648)
MY (332)
MZ (810)
NA (350)
NC (973)
NE (435)
NF (552)
NG (705)
NI (891)
NL (667)
NO (500)
NP (737)
NR (994)
NU (919)
NZ (189)
OM (452)
PA (827)
PE (589)
PF (744)
PG (212)
PH (243)
PK (410)
PL (613)
PM (524)
PN (860)
PR (250)
PS (873)
PT (622)
PW (481)
PY (879)
QA (674)
RE (662)
RO (485)
RS (151)
RU (323)
RW (85)
SA (27)
SB (268)
SC (149)
SD (648)
SE (189)
SG (895)
SH (93)
SI (481)
SJ (130)
SK (602)
SL (987)
SM (820)
SN (31)
SO (356)
SR (941)
SS (105)
ST (496)
SV (709)
SX (268)
SY (178)
SZ (592)
TC (116)
TD (54)
TF (961)
TG (654)
TH (812)
TJ (282)
TK (939)
TL (119)
TM (858)
TN (842)
TO (340)
TR (853)
TT (985)
TV (181)
TW (668)
TZ (896)
UA (359)
UG (344)
UM (268)
US (440)
UY (841)
UZ (568)
VA (402)
VC (51)
VE (794)
VG (346)
VI (852)
VN (219)
VU (858)
WF (638)
WS (496)
XK (117)
YE (923)
YT (437)
ZA (724)
ZM (129)
ZW (779)