Summary
All tags in this repository have been rewritten to point to malicious commits. Anyone running composer require laravel-lang/http-statuses or composer update against any version constraint will pull a payload that exfiltrates CI/CD secrets to an attacker-controlled domain.
This is part of a coordinated campaign that also affected Laravel-Lang/http-statuses, Laravel-Lang/actions, and Laravel-Lang/attributes within a ~15 minute window on 2026-05-22.
Quick indicators
- C2 domain: flipboxstudio.info
- Compromised commits author: Your Name <you@example.com>
- Files modified in every malicious commit: composer.json and src/helpers.php
- Rewrite window: 2026-05-22 between 23:41 UTC and 23:56 UTC
Full details
For the complete analysis (kill chain, full IOC list, recovery steps for users and maintainers, evidence from a detonation in an instrumented runner), see the StepSecurity write-up which we will keep updated as we learn more:
https://www.stepsecurity.io/blog/laravel-lang-supply-chain-attack
— StepSecurity Threat Intelligence team
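A way to check a local clone's tags against the quick indicators listed above. This is an added example, not code from StepSecurity or the Laravel-Lang project. The function names, the log format string and the sample data are assumptions made for illustration, as is the use of the committer date for the window check.

```python
import subprocess
from datetime import datetime, timezone

# Indicators copied from the advisory above.
BAD_AUTHOR = "Your Name <you@example.com>"
BAD_FILES = {"composer.json", "src/helpers.php"}
# Assumption: the 23:56 minute is included in the rewrite window.
WINDOW = (datetime(2026, 5, 22, 23, 41, tzinfo=timezone.utc),
          datetime(2026, 5, 22, 23, 57, tzinfo=timezone.utc))
# \x01 starts a record; \x00 separates sha, author and committer date.
LOG_FORMAT = "%x01%H%x00%an <%ae>%x00%cI"

# Constructed sample of the git output (placeholder hashes, not real commits).
SAMPLE_LOG = (
    "\x01" + "a" * 40 + "\x00Your Name <you@example.com>\x002026-05-22T23:45:10+00:00\n"
    "\ncomposer.json\nsrc/helpers.php\n"
    "\x01" + "b" * 40 + "\x00Jane Dev <jane@example.org>\x002025-11-02T09:12:00+00:00\n"
    "\nREADME.md\n"
)

def parse_log(text):
    """Parse `git log --name-only --format=LOG_FORMAT` output into dicts."""
    commits = []
    for chunk in text.split("\x01")[1:]:
        header, _, rest = chunk.partition("\n")
        sha, author, date = header.split("\x00")
        files = {line.strip() for line in rest.splitlines() if line.strip()}
        commits.append({"sha": sha, "author": author,
                        "date": datetime.fromisoformat(date), "files": files})
    return commits

def match_indicators(commit):
    """Return which advisory indicators a commit matches (empty list if none)."""
    hits = []
    if commit["author"] == BAD_AUTHOR:
        hits.append("author")
    if BAD_FILES <= commit["files"]:
        hits.append("files")
    # Commit dates can be set freely, so this is supporting evidence only.
    if WINDOW[0] <= commit["date"] < WINDOW[1]:
        hits.append("window")
    return hits

def scan_tags(repo):
    """Inspect the commit behind every tag in `repo`; return {sha: hits}."""
    cmd = ["git", "-C", repo, "log", "--tags", "--no-walk", "--name-only",
           "--format=" + LOG_FORMAT]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return {c["sha"]: h for c in parse_log(out) if (h := match_indicators(c))}
```

Call `scan_tags` on a fresh clone with all tags fetched; any tag target that matches on author or files should be compared against the full IOC list in the write-up.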