CRITICAL LARAVEL LANG SUPPLY CHAIN COMPROMISE Cross Platform PHP Credential Stealer Campaign


Tags: supply-chain, PHP, credential-theft, Megalodon, CI/CD
Currently unknown threat actors rewrote git tags across four Laravel-Lang Composer packages between 22 and 23 May 2026, so that existing version constraints resolved to a malicious commit. That commit adds a PHP credential-stealing dropper (src/helpers.php) registered under Composer's autoload.files, which means vendor/autoload.php includes it on every request of any application that installs the affected packages, with no call from application code required. The dropper pulls a ~5,900-line stealer payload from flipboxstudio[.]info and harvests cloud, CI/CD, browser, cryptocurrency-wallet, password-manager and VPN credentials. Because a rewritten tag keeps its version name, the swap is visible only as a changed commit SHA (source.reference) in composer.lock, not as a version bump. The activity overlaps in time with a parallel compromise of eight Packagist packages and the broader Megalodon GitHub Actions intrusion.
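As an added illustration of the runtime chain just described (example code written for this page, not the vendor's own detection content), the script below evaluates three host-side rules, a PHP worker spawning a shell with temp-dir or background markers, a PHP worker reaching the instance-metadata service, and egress to the payload domain, over constructed Sysmon-for-Linux-style events and correlates them per host inside a 60-second window. The hostnames, PIDs, IPs, timestamps and command lines are made up for the example; only the domain comes from the indicator list on this page, and the field names follow Sysmon EID 1 (process create) and EID 3 (network connect).

```python
"""Runtime-side rules from the detection table, evaluated over constructed Sysmon-for-Linux-style
events (EID 1 process create, EID 3 network connect) and correlated per host (added example)."""
from datetime import datetime, timedelta

SHELLS = ("sh", "bash", "dash")
SHELL_MARKERS = ("/tmp", "sys_get_temp_dir", "nohup", "&")   # background/tempdir exec() patterns
C2_DOMAINS = ("flipboxstudio.info",)                          # from the indicator list on this page
IMDS_IP = "169.254.169.254"
WINDOW = timedelta(seconds=60)


def _base(path: str) -> str:
    return path.rsplit("/", 1)[-1].lower()


def is_web_worker(image: str) -> bool:
    """php-fpm / php-cgi workers, including versioned binaries such as php-fpm8.2."""
    b = _base(image)
    return b == "php" or b.startswith(("php-fpm", "php-cgi"))


def classify(event: dict):
    """Return the technique tag one event matches, or None."""
    if event["EventId"] == 1:                                       # process creation
        if (is_web_worker(event["ParentImage"]) and _base(event["Image"]) in SHELLS
                and any(m in event.get("CommandLine", "") for m in SHELL_MARKERS)):
            return "T1059.004 web-worker->shell"
    elif event["EventId"] == 3 and is_web_worker(event["Image"]):   # network connection
        if event.get("DestinationIp") == IMDS_IP:
            return "T1552.005 imds"
        host = event.get("DestinationHostname", "").lower().rstrip(".")
        if host in C2_DOMAINS or host.endswith(tuple("." + d for d in C2_DOMAINS)):
            return "T1071.001 c2"
    return None


def correlate(events: list) -> list:
    """Group rule hits per host into WINDOW-sized clusters; two or more distinct tags = high."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        tag = classify(ev)
        if tag:
            by_host.setdefault(ev["Computer"], []).append(
                (datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S"), tag, ev.get("ProcessId")))
    alerts = []
    for host, hits in by_host.items():
        i = 0
        while i < len(hits):
            j = i + 1
            while j < len(hits) and hits[j][0] - hits[i][0] <= WINDOW:
                j += 1
            tags = sorted({t for _, t, _ in hits[i:j]})
            alerts.append({"host": host, "start": hits[i][0].isoformat(), "tags": tags,
                           "pids": sorted({p for _, _, p in hits[i:j]}),
                           "severity": "high" if len(tags) >= 2 else "medium"})
            i = j
    return alerts


# constructed events: web01 shows the full chain, web02 a benign php->sh spawn (not flagged)
SAMPLE_EVENTS = [
    {"Computer": "web01", "EventId": 1, "UtcTime": "2026-05-23 10:00:01", "ProcessId": 4101,
     "ParentImage": "/usr/sbin/php-fpm8.2", "Image": "/usr/bin/sh",
     "CommandLine": "sh -c 'cd /tmp && php stage.php >/dev/null 2>&1 &'"},
    {"Computer": "web01", "EventId": 3, "UtcTime": "2026-05-23 10:00:04", "ProcessId": 4100,
     "Image": "/usr/sbin/php-fpm8.2", "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "DestinationHostname": "flipboxstudio.info"},
    {"Computer": "web01", "EventId": 3, "UtcTime": "2026-05-23 10:00:09", "ProcessId": 4100,
     "Image": "/usr/sbin/php-fpm8.2", "DestinationIp": IMDS_IP, "DestinationPort": 80,
     "DestinationHostname": ""},
    {"Computer": "web02", "EventId": 1, "UtcTime": "2026-05-23 10:05:00", "ProcessId": 7000,
     "ParentImage": "/usr/sbin/php-fpm8.2", "Image": "/usr/bin/sh",
     "CommandLine": "sh -c 'git rev-parse HEAD'"},
    {"Computer": "web02", "EventId": 3, "UtcTime": "2026-05-23 10:05:02", "ProcessId": 7001,
     "Image": "/usr/bin/git", "DestinationIp": "140.82.121.4", "DestinationPort": 443,
     "DestinationHostname": "github.com"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script reports one high-severity alert for web01 carrying all three tags and nothing for web02, whose php-to-sh spawn lacks the temp-dir and background markers. The "&" marker is deliberately broad and will fire on ordinary "&&" chaining; tune SHELL_MARKERS to your estate before relying on the shell rule alone, and treat the IMDS and C2 rules as the high-confidence legs.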

Indicators of Compromise

flipboxstudio.info  (domain; payload download and exfiltration, observed paths /payload and /exfil)

Campaign Guidance


Detection mapping (MITRE ATT&CK technique, tactic, detection method, log sources):

T1195.001  Compromise Software Dependencies  (Initial Access)
  Detection: Alert when the composer.lock source.reference SHA for any laravel-lang/* package changes, especially when the version string does not; cross-reference the new SHA against the upstream commit author identity.
  Log sources: composer.lock diff, CI pipeline logs, git audit log

T1195.002  Compromise Software Supply Chain  (Initial Access)
  Detection: Hunt for src/helpers.php registered under autoload.files in a package's composer.json where the maintainer is not in the trusted set, especially in laravel-lang/* trees.
  Log sources: FIM on vendor/, package registry audit logs, Composer install events

T1059.004  Unix Shell  (Execution)
  Detection: Alert on php-fpm / php-cgi processes spawning sh / bash with arguments referencing /tmp, sys_get_temp_dir, or background exec()-style patterns.
  Log sources: auditd execve, Sysmon for Linux EID 1, EDR process-tree telemetry

T1059.005  Visual Basic  (Execution)
  Detection: Detect cscript.exe whose parent process is w3wp.exe / php-cgi.exe; flag .vbs files written to %TEMP% with a subsequent outbound network connection.
  Log sources: Windows Event 4688, Sysmon EID 1/11, EDR

T1071.001  Web Protocols  (Command and Control)
  Detection: DNS resolution of, and HTTPS POST to, flipboxstudio[.]info on any path, particularly /payload and /exfil. Apply across the whole PHP / web service estate.
  Log sources: DNS query logs, egress proxy, NetFlow/IPFIX, JA3/JA4

T1552.001  Credentials In Files  (Credential Access)
  Detection: File read of .env, wp-config.php, .git-credentials, .netrc or /root/.ssh/id_* by a PHP process or an unknown binary outside normal application paths.
  Log sources: auditd file watches, EDR file-access telemetry

T1552.005  Cloud Instance Metadata API  (Credential Access)
  Detection: Alert on a PHP / web process reaching 169.254.169.254 (latest/meta-data or instance-identity); correlate with subsequent token use in CloudTrail / GCP audit / Azure activity logs.
  Log sources: VPC flow logs, CloudTrail, GuardDuty, IMDSv2 anomaly detection

T1027  Obfuscated Files or Information  (Defense Evasion)
  Detection: Static-scan PHP files for array_map('chr', [...]) with integer arrays of length >= 16 (the runtime C2 deobfuscation pattern in helpers.php).
  Log sources: SAST scanner, YARA on vendor/ trees, git pre-commit hooks

T1070.004  File Deletion  (Defense Evasion)
  Detection: Alert when a PHP-spawned process deletes its own script or files matching .laravel_locale/* markers shortly after an egress beacon.
  Log sources: auditd, Sysmon for Linux EID 23, EDR file-deletion events

T1041  Exfiltration Over C2 Channel  (Exfiltration)
  Detection: Threshold-alert on outbound HTTPS POSTs larger than 1 MB from a PHP / web process to non-business destinations within 60 s of a /payload retrieval.
  Log sources: NetFlow/IPFIX, egress proxy, DLP

T1496  Resource Hijacking  (Impact)
  Detection: Alert on access to common cryptocurrency-wallet file paths (Electrum/, Exodus/, MetaMask/, Phantom/, Trust/, Ledger Live/) by a PHP process. Note that reading wallet files is collection rather than cryptomining, so T1005 Data from Local System is the stricter ATT&CK tag for this rule; the detection itself is unchanged either way.
  Log sources: FIM, EDR file-access telemetry
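The following Python script is an added example written for this page, not code from the advisory or from the Laravel-Lang project. It implements the three file-side checks from the table above, lockfile reference drift (T1195.001), autoload.files registration of a helpers.php (T1195.002), and decoding of array_map('chr', [...]) integer arrays (T1027), against constructed sample data: the lockfile contents, package version, SHAs, vendor tree and obfuscated string are all made up, and the decoded URL is a placeholder rather than the real C2.

```python
"""Hunt helpers for the Laravel-Lang tag-rewrite compromise (added example, constructed data).
1. composer.lock diff: laravel-lang/* packages whose source.reference SHA changed (T1195.001)
2. vendor/ sweep: composer.json files registering a helpers.php under autoload.files (T1195.002)
3. static scan: array_map('chr', [...]) with >= 16 integers, decoded the way PHP chr() does (T1027)
"""
import json
import re
import tempfile
from pathlib import Path


def changed_references(lock_before: dict, lock_after: dict, prefix: str = "laravel-lang/") -> list:
    """Return packages under `prefix` whose pinned commit SHA differs between two lockfiles."""
    before = {p["name"]: p for p in lock_before.get("packages", [])}
    findings = []
    for pkg in lock_after.get("packages", []):
        name = pkg["name"]
        if not name.startswith(prefix) or name not in before:
            continue
        old_ref = before[name].get("source", {}).get("reference")
        new_ref = pkg.get("source", {}).get("reference")
        if old_ref != new_ref:
            findings.append({
                "package": name, "version": pkg.get("version"),
                "old_reference": old_ref, "new_reference": new_ref,
                # unchanged version string + new SHA is exactly what a rewritten tag produces
                "same_version": before[name].get("version") == pkg.get("version"),
            })
    return findings


def autoload_file_entries(vendor_root: Path, prefix: str = "laravel-lang/") -> list:
    """List every autoload.files entry under vendor/; flag helpers.php inside `prefix` packages."""
    findings = []
    for cj in sorted(vendor_root.rglob("composer.json")):
        try:
            meta = json.loads(cj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the sweep
        name = meta.get("name", "")
        for rel in meta.get("autoload", {}).get("files", []) or []:
            findings.append({"package": name, "file": rel, "path": cj.parent / rel,
                             "suspect": name.startswith(prefix) and Path(rel).name == "helpers.php"})
    return findings


# array_map('chr', [104, 116, ...]) with any whitespace inside the array literal
CHR_ARRAY_RE = re.compile(r"array_map\(\s*['\"]chr['\"]\s*,\s*\[([\d\s,]+)\]\s*\)")


def scan_chr_arrays(php_source: str, min_len: int = 16) -> list:
    """Decode integer arrays fed to chr(); PHP's chr() keeps only the low byte (value & 0xFF)."""
    hits = []
    for m in CHR_ARRAY_RE.finditer(php_source):
        ints = [int(t) for t in m.group(1).split(",") if t.strip()]
        if len(ints) >= min_len:
            hits.append({"offset": m.start(), "length": len(ints),
                         "decoded": "".join(chr(i & 0xFF) for i in ints)})
    return hits


# ---- constructed sample data: placeholder SHAs, version and URL; not real artefacts ----
SHA_UPSTREAM, SHA_REWRITTEN = "a" * 40, "b" * 40
LOCK_BEFORE = {"packages": [{"name": "laravel-lang/common", "version": "1.0.0",
                             "source": {"type": "git", "reference": SHA_UPSTREAM}}]}
LOCK_AFTER = {"packages": [{"name": "laravel-lang/common", "version": "1.0.0",
                            "source": {"type": "git", "reference": SHA_REWRITTEN}}]}
PLACEHOLDER_URL = "https://c2.example.invalid/payload"
SAMPLE_HELPERS_PHP = (
    "<?php\n// constructed stand-in for the dropper's obfuscation pattern, not the real file\n"
    "$u = implode('', array_map('chr', [" + ", ".join(str(ord(c)) for c in PLACEHOLDER_URL) + "]));\n"
    "$ok = implode('', array_map('chr', [79, 75]));  // short array: below the threshold\n"
)


def build_sample_vendor(root: Path) -> Path:
    """Write a tiny vendor/ tree: one laravel-lang package with the injected file, one clean package."""
    bad = root / "vendor" / "laravel-lang" / "common"
    (bad / "src").mkdir(parents=True)
    (bad / "composer.json").write_text(json.dumps({"name": "laravel-lang/common", "autoload": {
        "psr-4": {"LaravelLang\\Common\\": "src/"}, "files": ["src/helpers.php"]}}))
    (bad / "src" / "helpers.php").write_text(SAMPLE_HELPERS_PHP)
    clean = root / "vendor" / "acme" / "clean"
    clean.mkdir(parents=True)
    (clean / "composer.json").write_text(json.dumps({"name": "acme/clean",
                                                     "autoload": {"psr-4": {"Acme\\": "src/"}}}))
    return root / "vendor"


def run_hunt_tmp() -> dict:
    """Run all three checks against the constructed data in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = build_sample_vendor(Path(tmp))
        entries = autoload_file_entries(vendor)
        decoded = [hit for e in entries if e["suspect"]
                   for hit in scan_chr_arrays(e["path"].read_text(encoding="utf-8"))]
    return {"lock": changed_references(LOCK_BEFORE, LOCK_AFTER), "autoload": entries, "decoded": decoded}


if __name__ == "__main__":
    print(json.dumps(run_hunt_tmp(), indent=2, default=str))
```

Against a real estate, feed changed_references the committed and freshly resolved composer.lock files from CI, point autoload_file_entries at the deployed vendor/ directory, and run scan_chr_arrays over every file the autoload sweep flags. Many legitimate packages register autoload.files (polyfills, helper libraries), so the sweep lists all entries and only marks helpers.php inside the laravel-lang/ prefix as suspect; extend the prefix list if other affected vendors emerge.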

Observed Countries (250)

AD (30)
AE (879)
AF (12)
AG (629)
AI (269)
AL (887)
AM (604)
AO (639)
AQ (114)
AR (625)
AS (750)
AT (354)
AU (952)
AW (261)
AX (412)
AZ (377)
BA (249)
BB (524)
BD (709)
BE (588)
BF (427)
BG (913)
BH (44)
BI (375)
BJ (610)
BL (331)
BM (477)
BN (628)
BO (18)
BQ (145)
BR (683)
BS (267)
BT (493)
BV (87)
BW (18)
BY (349)
BZ (86)
CA (652)
CC (538)
CD (929)
CF (516)
CG (140)
CH (359)
CI (841)
CK (513)
CL (431)
CM (521)
CN (660)
CO (523)
CR (494)
CU (134)
CV (376)
CW (934)
CX (309)
CY (229)
CZ (749)
DE (480)
DJ (506)
DK (866)
DM (517)
DO (999)
DZ (495)
EC (218)
EE (217)
EG (487)
EH (359)
ER (687)
ES (356)
ET (57)
FI (381)
FJ (952)
FK (581)
FM (793)
FO (211)
FR (211)
GA (195)
GB (546)
GD (848)
GE (509)
GF (405)
GG (308)
GH (461)
GI (440)
GL (254)
GM (706)
GN (206)
GP (8)
GQ (502)
GR (224)
GS (956)
GT (606)
GU (14)
GW (755)
GY (740)
HK (998)
HM (684)
HN (618)
HR (209)
HT (110)
HU (298)
ID (492)
IE (184)
IL (537)
IM (251)
IN (874)
IO (404)
IQ (949)
IR (597)
IS (646)
IT (301)
JE (64)
JM (183)
JO (210)
JP (217)
KE (361)
KG (176)
KH (472)
KI (817)
KM (31)
KN (711)
KP (487)
KR (187)
KW (757)
KY (625)
KZ (393)
LA (128)
LB (856)
LC (201)
LI (608)
LK (373)
LR (626)
LS (12)
LT (837)
LU (828)
LV (415)
LY (538)
MA (497)
MC (838)
MD (420)
ME (122)
MF (814)
MG (74)
MH (578)
MK (424)
ML (453)
MM (832)
MN (343)
MO (2)
MP (87)
MQ (682)
MR (156)
MS (76)
MT (184)
MU (965)
MV (985)
MW (996)
MX (648)
MY (332)
MZ (810)
NA (350)
NC (973)
NE (435)
NF (552)
NG (705)
NI (891)
NL (667)
NO (500)
NP (737)
NR (994)
NU (919)
NZ (189)
OM (452)
PA (827)
PE (589)
PF (744)
PG (212)
PH (243)
PK (410)
PL (613)
PM (524)
PN (860)
PR (250)
PS (873)
PT (622)
PW (481)
PY (879)
QA (674)
RE (662)
RO (485)
RS (151)
RU (323)
RW (85)
SA (27)
SB (268)
SC (149)
SD (648)
SE (189)
SG (895)
SH (93)
SI (481)
SJ (130)
SK (602)
SL (987)
SM (820)
SN (31)
SO (356)
SR (941)
SS (105)
ST (496)
SV (709)
SX (268)
SY (178)
SZ (592)
TC (116)
TD (54)
TF (961)
TG (654)
TH (812)
TJ (282)
TK (939)
TL (119)
TM (858)
TN (842)
TO (340)
TR (853)
TT (985)
TV (181)
TW (668)
TZ (896)
UA (359)
UG (344)
UM (268)
US (440)
UY (841)
UZ (568)
VA (402)
VC (51)
VE (794)
VG (346)
VI (852)
VN (219)
VU (858)
WF (638)
WS (496)
XK (117)
YE (923)
YT (437)
ZA (724)
ZM (129)
ZW (779)