
CRITICAL LARAVEL-LANG SUPPLY CHAIN COMPROMISE: Cross-Platform PHP Credential Stealer Campaign
Threat actors who are currently unattributed rewrote git tags across four Laravel-Lang Composer packages between 22 and 23 May 2026, pointing downstream installs at a malicious commit that injects a PHP credential-stealing dropper (src/helpers.php) into the autoload chain of every PHP application that depends on them. The dropper pulls a ~5,900-line stealer payload from flipboxstudio[.]info and harvests cloud, CI/CD, browser, wallet, password-manager and VPN credentials. The activity overlaps in time with a parallel Packagist 8-package compromise and the broader Megalodon GitHub Actions intrusion.
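The tag-rewrite mechanism described above has a simple fingerprint in composer.lock: the package version string stays the same while the commit it resolves to changes. The following is an added example (not code from the advisory or from the Laravel-Lang project) that diffs two lock snapshots for that signature; the lock contents, versions and commit SHAs are constructed placeholders.

```python
"""Detect tag rewrites between two composer.lock snapshots.

A rewritten tag keeps the version string unchanged while the commit it resolves to
(source.reference / dist.reference) silently changes; comparing a known-good lock
against the current one surfaces that signature.  Lock data below is constructed;
versions and SHAs are placeholders, not real Laravel-Lang values.
"""
import json

# The four packages named in the advisory.
WATCHED = {"laravel-lang/lang", "laravel-lang/http-statuses",
           "laravel-lang/attributes", "laravel-lang/actions"}

def index_lock(lock_text):
    """Map package name -> (version, source ref, dist ref) from composer.lock JSON."""
    lock = json.loads(lock_text)
    out = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        src = (pkg.get("source") or {}).get("reference")
        dist = (pkg.get("dist") or {}).get("reference")
        out[pkg["name"]] = (pkg.get("version"), src, dist)
    return out

def find_tag_rewrites(old_text, new_text, watched=WATCHED):
    """Return watched packages whose version is unchanged but whose resolved
    commit changed, plus any whose commit reference is missing entirely."""
    old, new = index_lock(old_text), index_lock(new_text)
    flagged = []
    for name in sorted(watched & new.keys()):
        version, src, dist = new[name]
        if src is None and dist is None:
            flagged.append(name)                     # nothing to pin against
        elif name in old and old[name][0] == version and old[name][1:] != (src, dist):
            flagged.append(name)                     # same tag, different commit
    return flagged

def _pkg(name, version, sha):
    return {"name": name, "version": version,
            "source": {"type": "git", "reference": sha}, "dist": {"reference": sha}}

# Constructed snapshots: lang keeps 1.2.3 but its commit moves (suspicious);
# actions moves 1.2.3 -> 1.2.4 with a new commit (an ordinary release).
OLD_LOCK = json.dumps({"packages": [_pkg("laravel-lang/lang", "1.2.3", "aaaa0001"),
                                    _pkg("laravel-lang/actions", "1.2.3", "bbbb0002")]})
NEW_LOCK = json.dumps({"packages": [_pkg("laravel-lang/lang", "1.2.3", "cccc0003"),
                                    _pkg("laravel-lang/actions", "1.2.4", "dddd0004")]})

if __name__ == "__main__":
    for name in find_tag_rewrites(OLD_LOCK, NEW_LOCK):
        print(f"[!] {name}: version unchanged but resolved commit changed (possible tag rewrite)")
```

Run it against the committed composer.lock from before 22 May and the one produced by the next install; an ordinary version bump is not reported, only a same-version commit change or a lock entry with no commit reference at all.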
Indicators of Compromise
Domains (1)
flipboxstudio.info
IPv4 (1)
216.126.225.129
Notes
<div class="content-body">
<span class="content-title">CONCLUSION</span>
<p class="content-description">The Laravel-Lang compromise matters for its economy: one credential with org-wide push access rewrote ~700 tags across four repositories, and Composer/PHP's autoload — invoked by every Laravel, Symfony, and PHPUnit boot — detonated the dropper silently. A runtime-resolved C2 (flipboxstudio[.]info) then pulled a 5,900-line stealer harvesting cloud metadata, CI/CD tokens, password vaults, wallets, browser stores (Chromium App-Bound Encryption bypassed via DebugChromium.exe), SSH keys, and .env files. Any environment resolving laravel-lang/lang, /http-statuses, /attributes, or /actions between 22–23 May 2026 must be treated as exposed. With the parallel Packagist cluster and the Megalodon Actions intrusion (5,561 repos; 216.126.225[.]129:8443), the developer trust boundary is being weaponised at scale on stolen credential feedstock.</p>
<p class="content-description">This is where SOCRadar's XTI platform earns its place. Supply Chain Intelligence catches package and tag tampering before build time; IOC Radar and CTI push flipboxstudio[.]info and 216.126.225[.]129 straight to sinkholes and EDR; Advanced Dark Web Monitoring surfaces the developer credentials feeding these campaigns upstream. When the attack path runs through composer install, only external visibility sees it coming.</p>
</div>
Mitigation
<div>
<table>
<thead>
<tr> <th>Technique ID</th> <th>Technique Name</th> <th>Tactic</th> <th>Mitigation ID</th> <th>Description</th> </tr>
</thead>
<tbody>
<tr> <td><a href="https://attack.mitre.org/techniques/T1195/001/">T1195.001</a></td> <td>Compromise Software Dependencies and Development Tools</td> <td>Initial Access</td> <td><a href="https://attack.mitre.org/mitigations/M1016/">M1016</a></td> <td>Vulnerability Scanning — Continuously scan Composer dependencies (composer.lock SHA pinning) for unexpected version changes; perform SCA against trusted package-registry mirrors.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1195/001/">T1195.001</a></td> <td>Compromise Software Dependencies and Development Tools</td> <td>Initial Access</td> <td><a href="https://attack.mitre.org/mitigations/M1045/">M1045</a></td> <td>Code Signing — Require signed releases (Sigstore-style) where supported; reject unsigned releases and tag-rewritten commits in CI policy.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1195/002/">T1195.002</a></td> <td>Compromise Software Supply Chain</td> <td>Initial Access</td> <td><a href="https://attack.mitre.org/mitigations/M1042/">M1042</a></td> <td>Disable or Remove Feature or Program — Remove the four affected Laravel-Lang packages, pin to pre-22-May commit SHAs (not tags), quarantine any host that resolved them between 22–23 May 2026.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1059/004/">T1059.004</a></td> <td>Command and Scripting Interpreter: Unix Shell</td> <td>Execution</td> <td><a href="https://attack.mitre.org/mitigations/M1038/">M1038</a></td> <td>Execution Prevention — Restrict exec(), shell_exec(), passthru() via disable_functions in php.ini for production; alert on php-fpm/php-cgi spawning sh/bash.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1059/005/">T1059.005</a></td> <td>Command and Scripting Interpreter: Visual Basic</td> <td>Execution</td> <td><a href="https://attack.mitre.org/mitigations/M1038/">M1038</a></td> <td>Execution Prevention — Block cscript.exe / wscript.exe execution from PHP / web service contexts via AppLocker or WDAC policies.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a></td> <td>Unsecured Credentials: Credentials In Files</td> <td>Credential Access</td> <td><a href="https://attack.mitre.org/mitigations/M1041/">M1041</a></td> <td>Encrypt Sensitive Information — Encrypt .env, wp-config.php, .git-credentials, .netrc with KMS / Vault Transit; reject plain-text secrets in repo policies.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1555/003/">T1555.003</a></td> <td>Credentials from Password Stores: Web Browsers</td> <td>Credential Access</td> <td><a href="https://attack.mitre.org/mitigations/M1042/">M1042</a></td> <td>Disable or Remove Feature or Program — Disable browser password saving on developer endpoints via GPO / MDM; mandate enterprise password managers.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1555/005/">T1555.005</a></td> <td>Credentials from Password Stores: Password Managers</td> <td>Credential Access</td> <td><a href="https://attack.mitre.org/mitigations/M1032/">M1032</a></td> <td>Multi-factor Authentication — Enforce hardware MFA + biometric unlock on password-manager vaults; rotate every vault accessed from hosts that resolved compromised packages.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1552/005/">T1552.005</a></td> <td>Unsecured Credentials: Cloud Instance Metadata API</td> <td>Credential Access</td> <td><a href="https://attack.mitre.org/mitigations/M1037/">M1037</a></td> <td>Filter Network Traffic — Enforce IMDSv2 with hop-limit 1 on EC2; block 169.254.169.254 from container egress unless explicitly required.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1027/">T1027</a></td> <td>Obfuscated Files or Information</td> <td>Defense Evasion</td> <td><a href="https://attack.mitre.org/mitigations/M1049/">M1049</a></td> <td>Antivirus/Antimalware — Deploy YARA / SAST rules that flag PHP files containing array_map('chr', […]) with ≥16-int arrays — the runtime C2 deobfuscation pattern observed in helpers.php.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1071/001/">T1071.001</a></td> <td>Application Layer Protocol: Web Protocols</td> <td>Command and Control</td> <td><a href="https://attack.mitre.org/mitigations/M1031/">M1031</a></td> <td>Network Intrusion Prevention — Sinkhole flipboxstudio[.]info at DNS; inspect HTTPS from build/deploy/PHP hosts to non-business destinations.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1070/004/">T1070.004</a></td> <td>Indicator Removal: File Deletion</td> <td>Defense Evasion</td> <td><a href="https://attack.mitre.org/mitigations/M1022/">M1022</a></td> <td>Restrict File and Directory Permissions — Enable auditd / Sysmon-for-Linux file-deletion telemetry on developer endpoints and CI runners; centralise logs.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1041/">T1041</a></td> <td>Exfiltration Over C2 Channel</td> <td>Exfiltration</td> <td><a href="https://attack.mitre.org/mitigations/M1057/">M1057</a></td> <td>Data Loss Prevention — Threshold-alert on outbound HTTPS POST size from PHP / web processes; correlate with DNS to flipboxstudio[.]info.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1496/">T1496</a></td> <td>Resource Hijacking</td> <td>Impact</td> <td><a href="https://attack.mitre.org/mitigations/M1018/">M1018</a></td> <td>User Account Management — Rotate every cryptocurrency-wallet credential reachable from a host that resolved compromised Laravel-Lang packages; revoke long-lived wallet sessions.</td> </tr>
</tbody>
</table>
</div>
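The M1049 row above calls for rules that flag PHP files building strings with array_map('chr', [...]) from 16 or more integers. The following is an added triage helper (not code from the advisory or from any of the tools it names) that finds that pattern in PHP source and decodes each match so an analyst can see the literal it spells out; the PHP sample it scans is constructed for the example and the host in it is a placeholder.

```python
"""Triage helper for the deobfuscation pattern in the M1049 row: PHP files that
build a string with array_map('chr', [<ints>]) from 16 or more integers.  Each
match is decoded so an analyst sees the literal (typically the C2 host) the
integers spell out.  The PHP sample is constructed; the host is a placeholder.
"""
import re
from pathlib import Path

MIN_INTS = 16   # threshold from the mitigation table
# Matches array_map('chr', [102, 108, ...]) with single or double quotes.
PATTERN = re.compile(r"array_map\(\s*['\"]chr['\"]\s*,\s*\[([^\]]+)\]\s*\)", re.I)

def find_chr_arrays(php_source):
    """Return [(line_no, decoded)] for each qualifying array_map('chr', [...]);
    arrays that are short or not purely numeric are skipped."""
    hits = []
    for m in PATTERN.finditer(php_source):
        items = [x.strip() for x in m.group(1).split(",") if x.strip()]
        if len(items) < MIN_INTS or not all(x.isdigit() for x in items):
            continue
        decoded = "".join(chr(int(x)) for x in items if int(x) < 0x110000)
        line_no = php_source.count("\n", 0, m.start()) + 1
        hits.append((line_no, decoded))
    return hits

def scan_tree(root):
    """Walk a vendor/ or project tree and return {path: hits} for flagged .php files."""
    results = {}
    for path in Path(root).rglob("*.php"):
        try:
            hits = find_chr_arrays(path.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample in the shape of a dropper-style helpers.php (placeholder host).
_HOST = "c2.example.invalid"
SAMPLE_PHP = ("<?php\n// innocuous-looking helper\nfunction __cfg() {\n"
              "    return implode('', array_map('chr', ["
              + ", ".join(str(ord(c)) for c in _HOST) + "]));\n}\n")

if __name__ == "__main__":
    for line_no, text in find_chr_arrays(SAMPLE_PHP):
        print(f"line {line_no}: array_map('chr', ...) decodes to {text!r}")
```

Point scan_tree() at a vendor/ directory on a host that resolved the affected packages; any hit whose decoded string is a hostname or URL is worth correlating with the DNS and egress telemetry the M1031 and M1057 rows describe.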