SOC Incident Toolkit
CRITICAL LARAVEL LANG SUPPLY CHAIN COMPROMISE: Cross-Platform PHP Credential Stealer Campaign

Tags: supply-chain, PHP, credential-theft, Megalodon, CI/CD

Threat actors not yet attributed rewrote git tags across four Laravel-Lang Composer packages between 22 and 23 May 2026, pointing downstream installs at a malicious commit that injects a PHP credential-stealing dropper (src/helpers.php) into the autoload chain of every PHP application that installs them. The dropper fetches a ~5,900-line stealer payload from flipboxstudio[.]info and harvests cloud, CI/CD, browser, wallet, password-manager and VPN credentials. The activity overlaps in time with a parallel eight-package Packagist compromise and the broader Megalodon GitHub Actions intrusion.
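Because the tags themselves were rewritten, the only trustworthy anchor in a project is the commit SHA that Composer records in composer.lock. The following is an added example (not code from this page or from the Laravel-Lang project) that audits a lock file for the four affected packages; the PINNED table of known-good commits is a placeholder to be filled from your own verification, and the lock fragment is constructed for the demonstration.

```python
import json
import re

# The four packages whose git tags were rewritten (names from the campaign summary).
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}

# Known-good commit per package. PLACEHOLDER value: replace with the pre-22-May-2026
# commit SHA you verified against the upstream repository.
PINNED = {"laravel-lang/lang": "0000000000000000000000000000000000000001"}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def audit_lock(lock_text):
    """Return (package, finding) pairs for affected packages in a composer.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name not in AFFECTED:
                continue
            # Composer stores the resolved commit in source.reference (git) or
            # dist.reference (zipball). A rewritten tag changes this SHA while the
            # "version" string stays the same, so the SHA is what must be compared.
            ref = ((pkg.get("source") or {}).get("reference")
                   or (pkg.get("dist") or {}).get("reference") or "")
            if not FULL_SHA.match(ref):
                findings.append((name, "no full commit SHA recorded; resolved by tag or branch only"))
            elif name not in PINNED:
                findings.append((name, "affected package present but no pinned SHA to compare against"))
            elif ref != PINNED[name]:
                findings.append((name, "reference %s differs from pinned %s" % (ref[:12], PINNED[name][:12])))
    return findings


# Constructed composer.lock fragment (not a real lock file) used for the demonstration.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "1.0.0",
         "source": {"type": "git", "reference": "f" * 40}},
        {"name": "laravel-lang/attributes", "version": "1.0.0",
         "dist": {"type": "zip", "reference": "a" * 40}},
        {"name": "symfony/console", "version": "1.0.0",
         "source": {"type": "git", "reference": "b" * 40}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/actions", "version": "1.0.0",
         "source": {"type": "git", "reference": "v1.0.0"}},
    ],
})
```

Run `audit_lock(open("composer.lock").read())` in CI and fail the build on any finding; unaffected packages such as the symfony/console entry in the sample are ignored.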

Indicators of Compromise

Domains (1)

flipboxstudio.info

IPv4 (1)

216.126.225.129

Notes

<div class="content-body"> <span class="content-title">CONCLUSION</span> <p class="content-description">The Laravel-Lang compromise matters for its economy: one credential with org-wide push access rewrote ~700 tags across four repositories, and Composer/PHP's autoload — invoked by every Laravel, Symfony, and PHPUnit boot — detonated the dropper silently. A runtime-resolved C2 (flipboxstudio[.]info) then pulled a 5,900-line stealer harvesting cloud metadata, CI/CD tokens, password vaults, wallets, browser stores (Chromium App-Bound Encryption bypassed via DebugChromium.exe), SSH keys, and .env files. Any environment resolving laravel-lang/lang, /http-statuses, /attributes, or /actions between 22–23 May 2026 must be treated as exposed. With the parallel Packagist cluster and the Megalodon Actions intrusion (5,561 repos; 216.126.225[.]129:8443), the developer trust boundary is being weaponised at scale on stolen credential feedstock.</p> <p class="content-description">This is where SOCRadar's XTI platform earns its place. Supply Chain Intelligence catches package and tag tampering before build time; IOC Radar and CTI push flipboxstudio[.]info and 216.126.225[.]129 straight to sinkholes and EDR; Advanced Dark Web Monitoring surfaces the developer credentials feeding these campaigns upstream. When the attack path runs through composer install, only external visibility sees it coming.</p> </div>

Mitigation

<div>
<table>
<thead>
<tr> <th>Technique ID</th> <th>Technique Name</th> <th>Tactic</th> <th>Mitigation ID</th> <th>Description</th> </tr>
</thead>
<tbody>
<tr> <td><a href="https://attack.mitre.org/techniques/T1195/001/">T1195.001</a></td> <td>Compromise Software Dependencies and Development Tools</td> <td>Initial Access</td> <td><a href="https://attack.mitre.org/mitigations/M1016/">M1016</a></td> <td>Vulnerability Scanning — Continuously scan Composer dependencies (composer.lock SHA pinning) for unexpected version changes; perform SCA against trusted package-registry mirrors.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1195/001/">T1195.001</a></td> <td>Compromise Software Dependencies and Development Tools</td> <td>Initial Access</td> <td><a href="https://attack.mitre.org/mitigations/M1045/">M1045</a></td> <td>Code Signing — Require signed releases (Sigstore-style) where supported; reject unsigned releases and tag-rewritten commits in CI policy.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1195/002/">T1195.002</a></td> <td>Compromise Software Supply Chain</td> <td>Initial Access</td> <td><a href="https://attack.mitre.org/mitigations/M1042/">M1042</a></td> <td>Disable or Remove Feature or Program — Remove the four affected Laravel-Lang packages, pin to pre-22-May commit SHAs (not tags), quarantine any host that resolved them between 22–23 May 2026.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1059/004/">T1059.004</a></td> <td>Command and Scripting Interpreter: Unix Shell</td> <td>Execution</td> <td><a href="https://attack.mitre.org/mitigations/M1038/">M1038</a></td> <td>Execution Prevention — Restrict exec(), shell_exec(), passthru() via disable_functions in php.ini for production; alert on php-fpm/php-cgi spawning sh/bash.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1059/005/">T1059.005</a></td> <td>Command and Scripting Interpreter: Visual Basic</td> <td>Execution</td> <td><a href="https://attack.mitre.org/mitigations/M1038/">M1038</a></td> <td>Execution Prevention — Block cscript.exe / wscript.exe execution from PHP / web service contexts via AppLocker or WDAC policies.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a></td> <td>Unsecured Credentials: Credentials In Files</td> <td>Credential Access</td> <td><a href="https://attack.mitre.org/mitigations/M1041/">M1041</a></td> <td>Encrypt Sensitive Information — Encrypt .env, wp-config.php, .git-credentials, .netrc with KMS / Vault Transit; reject plain-text secrets in repo policies.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1555/003/">T1555.003</a></td> <td>Credentials from Password Stores: Web Browsers</td> <td>Credential Access</td> <td><a href="https://attack.mitre.org/mitigations/M1042/">M1042</a></td> <td>Disable or Remove Feature or Program — Disable browser password saving on developer endpoints via GPO / MDM; mandate enterprise password managers.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1555/005/">T1555.005</a></td> <td>Credentials from Password Stores: Password Managers</td> <td>Credential Access</td> <td><a href="https://attack.mitre.org/mitigations/M1032/">M1032</a></td> <td>Multi-factor Authentication — Enforce hardware MFA + biometric unlock on password-manager vaults; rotate every vault accessed from hosts that resolved compromised packages.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1552/005/">T1552.005</a></td> <td>Unsecured Credentials: Cloud Instance Metadata API</td> <td>Credential Access</td> <td><a href="https://attack.mitre.org/mitigations/M1037/">M1037</a></td> <td>Filter Network Traffic — Enforce IMDSv2 with hop-limit 1 on EC2; block 169.254.169.254 from container egress unless explicitly required.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1027/">T1027</a></td> <td>Obfuscated Files or Information</td> <td>Defense Evasion</td> <td><a href="https://attack.mitre.org/mitigations/M1049/">M1049</a></td> <td>Antivirus/Antimalware — Deploy YARA / SAST rules that flag PHP files containing array_map('chr', […]) with ≥16-int arrays — the runtime C2 deobfuscation pattern observed in helpers.php.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1071/001/">T1071.001</a></td> <td>Application Layer Protocol: Web Protocols</td> <td>Command and Control</td> <td><a href="https://attack.mitre.org/mitigations/M1031/">M1031</a></td> <td>Network Intrusion Prevention — Sinkhole flipboxstudio[.]info at DNS; inspect HTTPS from build/deploy/PHP hosts to non-business destinations.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1070/004/">T1070.004</a></td> <td>Indicator Removal: File Deletion</td> <td>Defense Evasion</td> <td><a href="https://attack.mitre.org/mitigations/M1022/">M1022</a></td> <td>Restrict File and Directory Permissions — Enable auditd / Sysmon-for-Linux file-deletion telemetry on developer endpoints and CI runners; centralise logs.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1041/">T1041</a></td> <td>Exfiltration Over C2 Channel</td> <td>Exfiltration</td> <td><a href="https://attack.mitre.org/mitigations/M1057/">M1057</a></td> <td>Data Loss Prevention — Threshold-alert on outbound HTTPS POST size from PHP / web processes; correlate with DNS to flipboxstudio[.]info.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/techniques/T1496/">T1496</a></td> <td>Resource Hijacking</td> <td>Impact</td> <td><a href="https://attack.mitre.org/mitigations/M1018/">M1018</a></td> <td>User Account Management — Rotate every cryptocurrency-wallet credential reachable from a host that resolved compromised Laravel-Lang packages; revoke long-lived wallet sessions.</td> </tr>
</tbody>
</table>
</div>
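As an added illustration of the M1049 row (this is not the page's rule nor any vendor's signature), the scanner below flags the array_map('chr', [...]) idiom with 16 or more integers and decodes the hidden string so an analyst can see it without executing the file; the PHP sample and the host name inside it are constructed placeholders, not the real dropper.

```python
import os
import re

# Matches array_map('chr', [...]) or array_map("chr", array(...)) whose array holds
# at least 16 integers: the helpers.php deobfuscation pattern from the mitigation table.
ARRAY_MAP_CHR = re.compile(
    r"""array_map\s*\(\s*['"]chr['"]\s*,\s*(?:\[|array\s*\()\s*"""
    r"""((?:\d{1,3}\s*,\s*){15,}\d{1,3})\s*,?\s*[\]\)]""",
    re.IGNORECASE,
)


def scan_php(source):
    """Return (offset, decoded_string) for each suspicious array_map('chr', ...) in PHP source.

    Decoding the integer list gives the analyst the hidden string (for example a
    runtime-resolved C2 host) without executing the file.
    """
    hits = []
    for m in ARRAY_MAP_CHR.finditer(source):
        codes = [int(x) for x in re.findall(r"\d{1,3}", m.group(1))]
        # PHP's chr() reduces its argument to the 0..255 range; mirror that here.
        decoded = "".join(chr(c % 256) for c in codes)
        hits.append((m.start(), decoded))
    return hits


def scan_tree(root):
    """Walk a directory (e.g. vendor/) and return {path: hits} for every flagged .php file."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed PHP sample (not the real dropper): the first call hides a placeholder host,
# the second is a short benign array that must stay below the 16-integer threshold.
HIDDEN = "https://c2.placeholder.invalid/"
SAMPLE_PHP = (
    "<?php\n"
    "$u = implode('', array_map('chr', [" + ", ".join(str(ord(c)) for c in HIDDEN) + "]));\n"
    "$ok = implode('', array_map('chr', [79, 75]));\n"
)
```

`scan_tree("vendor")` gives a per-file report suitable for a CI gate; the decoded strings are the values to compare against the campaign's indicators.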