A compromise affecting the community-maintained Laravel Lang project has introduced remote code execution backdoors across multiple packages in the organization, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, across roughly 700+ historical versions.
The affected packages are not part of the official Laravel framework. They are third-party localization packages used by Laravel applications. However, applications that installed compromised versions may have executed the backdoor automatically when Composer’s autoloader ran.
Newly observed tag activity suggests the compromise was not isolated to a single package. Recently published tags appeared across multiple repositories in the same GitHub organization, including Laravel-Lang/lang, Laravel-Lang/http-statuses, Laravel-Lang/attributes, and Laravel-Lang/actions. The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart.
For example, Laravel-Lang/lang tags across the 12.x, 13.x, 14.x, and 15.x lines were published in tight sequence on May 22, while Laravel-Lang/http-statuses and Laravel-Lang/attributes also saw rapid tag creation across historical versions during the same window. Laravel-Lang/actions tags followed shortly after, continuing into May 23 UTC.
Aikido Security also surfaced the compromise publicly, helping alert the Laravel and PHP communities to suspicious activity across Laravel Lang packages. Socket’s analysis of composer/laravel-lang/lang@14.3.7 confirmed a malicious src/helpers.php file registered in composer.json under autoload.files. In Composer packages, files listed under autoload.files are loaded automatically when the Composer autoloader runs, which means the malicious code can execute during normal application runtime.
Coordinated Tag Activity Across Laravel Lang Repositories
The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization’s release process, rather than a single malicious package version.
The observed activity includes rapid publication of historical tags across:
- Laravel-Lang/lang
- Laravel-Lang/http-statuses
- Laravel-Lang/attributes
- Laravel-Lang/actions
Many of these tags were created seconds apart, a pattern that is unusual for normal package maintenance and consistent with automated mass tagging or republishing. The affected repositories belong to the same Laravel Lang GitHub organization, which suggests the attacker may have had access to organization-level credentials, repository automation, or release infrastructure.
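The "seconds apart" pattern described above is something a defender can check for mechanically. The following script is an added example (not Socket's tooling or code from the Laravel Lang project): given a list of (repository, tag, created_at) records, such as one could assemble from the GitHub API for an organization, it reports runs of tags created within a short gap of each other. The records and tag names in SAMPLE_TAGS are constructed to illustrate the pattern and are not real release timestamps.

```python
"""Flag bursts of tag creation that look like automated mass (re)tagging.

Added example, not Socket's tooling. Input is a list of
(repository, tag, created_at) records; the sample below is constructed to
show the pattern described in the post and does not reflect real releases.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one burst of five tags on the first repository, a burst
# of three on the second, and a single tag each on the other two.
SAMPLE_TAGS = [
    ("Laravel-Lang/lang", "12.0.1", "2026-05-22T10:00:01Z"),
    ("Laravel-Lang/lang", "12.0.2", "2026-05-22T10:00:04Z"),
    ("Laravel-Lang/lang", "13.0.1", "2026-05-22T10:00:07Z"),
    ("Laravel-Lang/lang", "14.0.1", "2026-05-22T10:00:09Z"),
    ("Laravel-Lang/lang", "15.0.1", "2026-05-22T10:00:12Z"),
    ("Laravel-Lang/http-statuses", "4.0.1", "2026-05-22T10:05:00Z"),
    ("Laravel-Lang/http-statuses", "4.0.2", "2026-05-22T10:05:03Z"),
    ("Laravel-Lang/http-statuses", "4.0.3", "2026-05-22T10:05:05Z"),
    ("Laravel-Lang/actions", "1.0.1", "2026-05-23T01:00:00Z"),
    ("Laravel-Lang/attributes", "2.0.1", "2026-03-01T12:00:00Z"),
]


def parse_timestamp(value: str) -> datetime:
    """Parse the ISO-8601 'Z' form that GitHub's API uses for created_at."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _summarize(repo, run, min_tags):
    """Turn a run of (timestamp, tag) pairs into a finding, or None if too short."""
    if len(run) < min_tags:
        return None
    return {
        "repo": repo,
        "count": len(run),
        "tags": [tag for _, tag in run],
        "span_seconds": (run[-1][0] - run[0][0]).total_seconds(),
        "first": run[0][0].isoformat(),
    }


def find_tag_bursts(records, min_tags=3, max_gap_seconds=60):
    """Return one finding per repository run of tags in which every tag was
    created within max_gap_seconds of the previous one and the run holds at
    least min_tags tags. Normal maintenance rarely produces such runs;
    automated republishing of historical versions does."""
    by_repo = defaultdict(list)
    for repo, tag, created_at in records:
        by_repo[repo].append((parse_timestamp(created_at), tag))

    bursts = []
    for repo, items in by_repo.items():
        items.sort()  # timestamps are unique in practice, so tag order never decides
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if (cur[0] - prev[0]).total_seconds() <= max_gap_seconds:
                run.append(cur)
            else:
                finding = _summarize(repo, run, min_tags)
                if finding:
                    bursts.append(finding)
                run = [cur]
        finding = _summarize(repo, run, min_tags)
        if finding:
            bursts.append(finding)
    return bursts


if __name__ == "__main__":
    for b in find_tag_bursts(SAMPLE_TAGS):
        print(f"{b['repo']}: {b['count']} tags in {b['span_seconds']:.0f}s "
              f"starting {b['first']}: {', '.join(b['tags'])}")
```

The gap threshold and minimum run length are deliberately conservative; a release pipeline that legitimately tags several branches in one go will also trip it, so treat a hit as a prompt to look at who created the tags and from where, not as proof of compromise.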
This is a developing story. We will publish more information as our investigation continues.
Technical Breakdown
The malicious activity is rooted in a file named src/helpers.php. Because this file is registered in the composer.json under autoload.files, the backdoor is executed automatically on every PHP request handled by the compromised application.
The infection sequence operates as follows:
- C2 Deobfuscation: The malware dynamically builds its Command and Control (C2) hostname (flipboxstudio[.]info) at runtime using character codes (array_map('chr', [...])) to evade static string analysis.
- Payload Retrieval: The script reaches out to https://flipboxstudio[.]info/payload. To guarantee a successful fetch even under interception or certificate issues, it explicitly disables TLS certificate verification and fakes a Mozilla User-Agent.
- Staging: The downloaded payload is written to a hidden temporary file located at sys_get_temp_dir()/.laravel_locale/.
- Remote Code Execution (RCE): The malware executes the downloaded file in the background via exec("php ...") on Unix environments, or by generating and running a .vbs script via cscript on Windows systems.
Key Threat Characteristics
- Evasion and Stealth: The script generates a unique per-host marker (an MD5 hash combining the directory path, system architecture, and inode) to ensure the payload only triggers once per machine. This prevents redundant executions and helps the malware remain undetected after the initial run.
Payload analysis
This is a highly sophisticated, cross-platform (Linux, macOS, Windows) information stealer written in PHP. It acts as the second-stage payload delivered by the poisoned laravel-lang/attributes package.
Rather than a simple backdoor, this script is a comprehensive credential-harvesting framework designed to systematically strip a compromised server or developer machine of virtually all sensitive data, encrypt it, and exfiltrate it to the C2 server.
Here is a technical breakdown of the malware’s capabilities and execution flow:
1. Core Configuration & Orchestration
- Target C2: Hardcoded to https://flipboxstudio[.]info/exfil.
- Encryption Key: Uses a hardcoded key (k9X2mP7vL4nQ8wR1) to XOR-encrypt the stolen data before exfiltration.
- Orchestration: The Stealer class initializes 17 distinct "Collectors," each targeting a specific category of software, cloud infrastructure, or operating system secrets.
2. Reconnaissance & Data Harvesting (The Collectors)
The malware uses a massive dictionary of Regular Expressions to scrape files, databases, and environment variables for API keys (AWS, GitHub, Stripe, Slack, Discord, JWTs, private keys, etc.).
Its specific collectors include:
- Cloud & AWS (AwsCollector, CloudCollector): Queries cloud metadata endpoints (e.g., EC2 IMDS at 169.254.169.254) to steal IAM roles and instance identity documents. It also scrapes local configuration files for Azure, Google Cloud (gcloud), DigitalOcean, Heroku, Netlify, and Vercel.
- Container & Orchestration (K8sCollector): Steals Kubernetes Service Account tokens from /var/run/secrets/..., local kubeconfig files, and Helm registry configurations.
- HashiCorp Vault (VaultCollector): Attempts to find Vault tokens via environment variables, files, or Kubernetes auth, and if successful, recursively queries the Vault API to dump Key-Value secrets.
- CI/CD Pipelines (CiCdCollector): Targets build servers, extracting tokens and configurations from Jenkins (including the master.key and credentials.xml), GitLab Runners, GitHub Actions, CircleCI, TravisCI, and ArgoCD.
- Cryptocurrency (CryptoCollector): Scans for wallet data files (Bitcoin, Ethereum, Monero, etc.) and browser extension local storage (MetaMask, Phantom, Trust Wallet). It also scans desktop/document folders for plaintext files named seed.txt or recovery.txt.
- Browsers (BrowserCollector & ChromiumDecryptor): Extracts history, cookies, and login data from Chrome, Edge, Firefox, Brave, and Opera.
  - Advanced Bypass: It contains a base64-encoded embedded Windows executable (DebugChromium.exe). The PHP script drops and executes this binary specifically to bypass Chrome v127+ App-Bound Encryption and extract the master decryption key. Firefox is decrypted natively using NSS algorithms.
- Password Managers (PasswordManagerCollector): Targets local vaults and browser extension data for 1Password, Bitwarden, LastPass, KeePass, Dashlane, and NordPass.
- System & Processes (ProcessCollector, WindowsCredentialCollector):
  - Linux: Reads /proc/[pid]/environ and /proc/[pid]/cmdline to steal secrets passed via command-line arguments to running processes.
  - Windows: Dumps the Windows Credential Manager (cmdkey), Vault credentials (vaultcmd), .rdp files, and PuTTY/WinSCP saved sessions (including native decryption of WinSCP passwords).
- Communications & FTP (MessagingCollector, FtpCollector, EmailCollector): Extracts session tokens from Discord and Slack leveldb storage. Dumps profiles from Outlook, Thunderbird, and popular FTP clients (FileZilla, WinSCP, CoreFTP), often reversing weak proprietary encoding/XOR obfuscation.
- Files & Local Configurations (FileCollector): Scours Windows, macOS, and Linux paths for high-value configuration and credential files, including Docker auth tokens, SSH private keys, Git credentials, shell history files, database history files, Kubernetes cluster configurations, .env files, wp-config.php, and docker-compose.yml.
- Environment Variables (EnvCollector): Captures environment variables loaded into the PHP process and filters for sensitive keys containing terms like KEY, SECRET, API, TOKEN, PASSWORD, AWS_, AZURE_, GCP_, STRIPE_, and more, then applies regex patterns to extract recognizable credential formats.
- Source Control (GitCollector): Extracts source control credentials from global and local .gitconfig files, .git-credentials, and .netrc files. It parses embedded HTTP basic auth credentials and SSH host configurations associated with GitHub, GitLab, and Bitbucket.
- VPN Clients (VpnCollector): Collects VPN configuration and saved login files for OpenVPN, WireGuard, NetworkManager, and commercial VPNs such as NordVPN, ExpressVPN, CyberGhost, and Mullvad. It parses .ovpn and .conf files to extract embedded usernames, passwords, or referenced auth-user-pass credential files.
Affected Versions
We're tracking this supply chain attack on a dedicated campaign page: socket.dev/supply-chain-attacks/laravel-lang-compromise
Teams using affected Laravel Lang packages should treat impacted systems as potentially compromised, not just exposed. Check composer.lock for laravel-lang/lang, laravel-lang/http-statuses, and laravel-lang/attributes, and block these packages until clean versions are confirmed.
Because the payload targets cloud metadata, Kubernetes tokens, Vault, CI/CD systems, browser data, password managers, source control credentials, VPN configs, SSH keys, .env files, and local application configs, affected teams should rotate any secrets available to hosts, containers, CI runners, or developer machines that installed or ran the compromised packages.
Prioritize rotation of cloud credentials, Kubernetes Service Account tokens, Vault tokens, CI/CD secrets, GitHub/GitLab/Bitbucket tokens, SSH keys, Docker registry tokens, Laravel APP_KEY, database credentials, API keys, webhook secrets, and credentials stored in environment variables.
Rebuild affected hosts, containers, and CI runners from known-good images where possible. Preserve logs and package artifacts before cleanup, including composer.lock, Composer cache contents, deployment logs, process execution logs, network/DNS logs, cloud audit logs, Kubernetes audit logs, and temp directory contents.
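The composer.lock check above, and the autoload.files mechanism described in the technical breakdown, can be turned into a quick audit. The script below is an added example (not Socket's tooling, and not code from the Laravel Lang project): it reads a composer.lock, reports every locked version of the affected packages, flags those whose autoload.files list carries the src/helpers.php entry, and lists every autoload.files entry in the lock file for review, since each of those files runs as soon as Composer's autoloader is included. SAMPLE_LOCK is a constructed fragment containing only the fields the audit reads; apart from 14.3.7, the versions in it are placeholders.

```python
"""Audit a composer.lock for the Laravel Lang packages named in this post.

Added example, not Socket's tooling. Reads the "packages" and "packages-dev"
sections of composer.lock, which record each package's autoload metadata.
"""
import json
import sys

AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
MALICIOUS_AUTOLOAD_FILE = "src/helpers.php"

# Constructed composer.lock fragment. 14.3.7 is the version analysed in the
# post; every other version string here is a placeholder, not a real release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "14.3.7",
         "autoload": {"files": ["src/helpers.php"]}},
        {"name": "laravel-lang/http-statuses", "version": "0.0.0-placeholder",
         "autoload": {"psr-4": {"Example\\": "src/"}}},
        {"name": "example/unrelated", "version": "1.0.0",
         "autoload": {"files": ["src/functions.php"]}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/attributes", "version": "0.0.0-placeholder",
         "autoload": {"files": ["src\\helpers.php"]}},
    ],
})


def _packages(lock: dict):
    """Yield (section, package) for both production and dev packages."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            yield section, pkg


def _autoload_files(pkg: dict):
    """Return the package's autoload.files entries with '/' separators so a
    'src\\helpers.php' spelling is not missed by the comparison."""
    files = pkg.get("autoload", {}).get("files", [])
    return [f.replace("\\", "/") for f in files]


def audit_composer_lock(lock_text: str):
    """Report every locked version of an affected package and whether its
    autoload.files list includes the backdoor entry."""
    lock = json.loads(lock_text)
    findings = []
    for section, pkg in _packages(lock):
        name = pkg.get("name", "")
        if name not in AFFECTED_PACKAGES:
            continue
        files = _autoload_files(pkg)
        findings.append({
            "name": name,
            "version": pkg.get("version"),
            "section": section,
            "autoload_files": files,
            "has_backdoor_entry": any(f.endswith(MALICIOUS_AUTOLOAD_FILE) for f in files),
        })
    return findings


def list_autoload_files(lock_text: str):
    """Map package name -> autoload.files entries for every package that has
    any, so the auto-executed files in a dependency tree can be reviewed."""
    lock = json.loads(lock_text)
    result = {}
    for _, pkg in _packages(lock):
        files = _autoload_files(pkg)
        if files:
            result[pkg["name"]] = files
    return result


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LOCK
    for f in audit_composer_lock(text):
        verdict = "BACKDOOR AUTOLOAD ENTRY" if f["has_backdoor_entry"] else "affected package, review"
        print(f"{f['name']} {f['version']} ({f['section']}): {verdict} {f['autoload_files']}")
    print("autoload.files entries across the lock file:")
    for name, files in list_autoload_files(text).items():
        print(f"  {name}: {', '.join(files)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python audit_lock.py path/to/composer.lock`; with no argument it audits the constructed sample. A listed affected package without the helpers.php entry is still a package to hold until clean versions are confirmed, and the lock file only tells you what was resolved, not what ran, so treat any host that installed a flagged version as compromised per the guidance above.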
Indicators of Compromise
- Packages: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes
- Domain: flipboxstudio[.]info
- Payload URL: https://flipboxstudio[.]info/payload
- Malicious file: src/helpers.php
- Composer autoload entry: autoload.files → src/helpers.php
- Temp path: sys_get_temp_dir()/.laravel_locale/
- Cloud metadata access: 169.254.169.254
- Windows artifact: DebugChromium.exe
- Suspicious behavior: background php execution, cscript execution, dropped .php or VBS files, reads from /var/run/secrets/, reads from /proc/[pid]/environ, and outbound requests to flipboxstudio[.]info
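To show how the indicators above translate into detection logic, here is an added example (not Socket's tooling) that runs a small rule set over log lines: the C2 domain (in plain or defanged form), the .laravel_locale staging directory, a cscript launch of a .vbs file, the dropped DebugChromium.exe, and reads of Kubernetes service-account mounts and /proc/<pid>/environ. The lines in SAMPLE_LOG are constructed in a generic "timestamp source key=value" shape purely to exercise the rules; real DNS, proxy, or auditd records will need their own parsing first, and the Windows temp path in the sample is an assumption, not an observed artifact.

```python
"""Scan log lines for the indicators of compromise listed in this post.

Added example, not Socket's tooling. Rules are plain regular expressions
applied to each line; the sample lines are constructed, not captured.
"""
import re
import sys
from collections import Counter

INDICATORS = {
    # Matches both "flipboxstudio.info" and the defanged "flipboxstudio[.]info".
    "c2_domain": re.compile(r"flipboxstudio(?:\[\.\]|\.)info", re.IGNORECASE),
    # Staging directory under the system temp dir, with either separator style.
    "staging_dir": re.compile(r"\.laravel_locale[/\\]", re.IGNORECASE),
    # cscript launching a .vbs script (the Windows execution path).
    "windows_vbs_launcher": re.compile(r"\bcscript(?:\.exe)?\b.*\.vbs\b", re.IGNORECASE),
    # Embedded Windows binary dropped by the second-stage payload.
    "chromium_decryptor_drop": re.compile(r"DebugChromium\.exe", re.IGNORECASE),
    # Kubernetes service-account mount and per-process environment reads.
    "k8s_secret_mount_read": re.compile(r"/var/run/secrets/"),
    "proc_environ_read": re.compile(r"/proc/\d+/environ"),
}

# Constructed sample lines: two benign lines (4 and 5) among six that trip rules.
SAMPLE_LOG = [
    '2026-05-22T10:01:03Z dns client=10.0.1.15 qname=flipboxstudio.info qtype=A',
    '2026-05-22T10:01:04Z proxy CONNECT flipboxstudio.info:443 ua="Mozilla/5.0" status=200',
    '2026-05-22T10:01:05Z execve pid=4121 ppid=4100 comm=php argv="php /tmp/.laravel_locale/stage.php"',
    '2026-05-22T10:01:05Z execve pid=4122 ppid=1 comm=php-fpm argv="php-fpm: pool www"',
    '2026-05-22T10:02:00Z dns client=10.0.1.16 qname=packagist.org qtype=A',
    '2026-05-22T10:03:00Z execve pid=5001 comm=cscript argv="cscript.exe C:\\Windows\\Temp\\.laravel_locale\\run.vbs"',
    '2026-05-22T10:04:00Z openat pid=4121 comm=php path=/var/run/secrets/kubernetes.io/serviceaccount/token',
    '2026-05-22T10:04:01Z openat pid=4121 comm=php path=/proc/4122/environ',
]


def scan_lines(lines):
    """Return one hit per (line, indicator) pair; a line can trip several rules."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append({"line": number, "indicator": name, "text": line})
    return hits


def summarize(hits):
    """Count hits per indicator, which is what a triage summary needs first."""
    return Counter(h["indicator"] for h in hits)


def main(argv):
    lines = open(argv[1], encoding="utf-8", errors="replace").read().splitlines() if len(argv) > 1 else SAMPLE_LOG
    hits = scan_lines(lines)
    for h in hits:
        print(f"line {h['line']:>6} {h['indicator']:<24} {h['text']}")
    print("summary:", dict(summarize(hits)))


if __name__ == "__main__":
    main(sys.argv)
```

The 169.254.169.254 indicator is deliberately left out of the rule set: metadata-service traffic is normal for most cloud workloads, so on its own it produces noise, and it is better correlated by process (a php process reading IMDS shortly after a hit on the staging directory) than matched as a bare string. The same correlation idea applies to the /proc and /var/run/secrets reads, which the sample ties to the php process that launched from the staging directory.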