Laravel-Lang PHP packages compromised - autoload payload steals AWS, Azure, GCP, K8s, Vault, crypto wallets across Linux, macOS, Windows
Aikido Security and Socket have disclosed that several packages in the Laravel-Lang PHP ecosystem were compromised and used to ship a ~5,900-line PHP credential stealer that runs automatically the moment any consumer of the package boots. The payload is registered in the package's composer.json under autoload.files, so no class instantiation or method call is needed: Composer includes it whenever vendor/autoload.php is loaded, which for a Laravel app means every HTTP request and every artisan invocation. It harvests AWS, Azure, GCP, Kubernetes, HashiCorp Vault, Jenkins, GitLab, GitHub Actions, CircleCI, browser data, password-manager vaults, SSH keys, crypto wallets, and VPN configs, then AES-encrypts the bundle and exfiltrates it to flipboxstudio[.]info/exfil. The script then deletes itself to limit forensic recovery.
- Check: Audit composer.lock files and Laravel deployments for any laravel-lang/* package installed since 2026-05-15. Search egress logs for traffic to flipboxstudio[.]info. Check src/helpers.php in each laravel-lang package for unfamiliar code, and review vendor/composer/autoload_files.php (the file Composer generates from every package's autoload.files entries) for paths you do not recognise.
- Affected: Any PHP application that pulled in a compromised laravel-lang package via Composer. The autoload trigger means the payload runs on every request, not just on first use.
- Fix: Roll back to a known-clean laravel-lang version and pin it via composer.lock. Because the stealer deletes itself, absence of the file on disk is not evidence it never ran: rotate every cloud credential, SSH key, browser-stored token, and password-vault item reachable from affected hosts.