Last updated: July 5, 2026 at 9:01 AM UTC
Tag: laravel (1 article)

Laravel-Lang PHP packages compromised - autoload payload steals AWS, Azure, GCP, K8s, Vault, crypto wallets across Linux, macOS, Windows

Aikido Security and Socket have disclosed that several packages in the Laravel-Lang PHP ecosystem were compromised and used to ship a ~5,900-line PHP credential stealer that runs automatically the moment any consumer of the package boots. The dropper registers itself in composer.json under autoload.files, so no class instantiation or method call is needed - the payload triggers on every PHP request. It harvests AWS, Azure, GCP, Kubernetes, HashiCorp Vault, Jenkins, GitLab, GitHub Actions, CircleCI, browser data, password-manager vaults, SSH keys, crypto wallets, and VPN configs, then AES-encrypts the bundle and exfiltrates to flipboxstudio[.]info/exfil. The script then deletes itself to limit forensic recovery.

Check
Audit composer.lock files and Laravel deployments for any laravel-lang/* package installed since 2026-05-15. Search egress logs for traffic to flipboxstudio[.]info. Check src/helpers.php for unfamiliar code.
Affected
Any PHP application that pulled in a compromised laravel-lang package via Composer. The autoload trigger means the payload runs on every request, not just on first use.
Fix
Roll back to a known-clean laravel-lang version and pin via composer.lock. Rotate every cloud credential, SSH key, browser-stored token, and password-vault item reachable from affected hosts.
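
The composer.lock audit from the Check step, sketched as an added example; it is not code from the original advisory or from Aikido's or Socket's tooling. It assumes the lock file's per-package `time` field (the release timestamp of the locked version) is an acceptable stand-in for "installed since", and the sample package names and versions are constructed placeholders.

```python
import json
import sys
from datetime import datetime, timezone

CUTOFF = datetime(2026, 5, 15, tzinfo=timezone.utc)  # date given in the advisory

def parse_time(raw):
    """Parse Composer's ISO 8601 "time" field; return None if it is absent."""
    if not raw:
        return None
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit_lock(lock):
    """Return laravel-lang/* entries locked at a version released on/after CUTOFF."""
    findings = []
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        name = pkg.get("name", "").lower()  # Composer names are case-insensitive
        if not name.startswith("laravel-lang/"):
            continue
        released = parse_time(pkg.get("time"))
        # Assumption: release time stands in for "installed since"; a missing
        # timestamp is flagged for review rather than silently skipped.
        if released is not None and released < CUTOFF:
            continue
        autoload = pkg.get("autoload")
        files = autoload.get("files", []) if isinstance(autoload, dict) else []
        # autoload.files entries are included on every request: inspect them first.
        findings.append({"name": name, "version": pkg.get("version"),
                         "autoload_files": files})
    return findings

# Constructed sample lock data; package names and versions are placeholders.
SAMPLE_LOCK = {
    "packages": [
        {"name": "laravel-lang/example-a", "version": "1.0.0",
         "time": "2026-05-20T08:00:00+00:00",
         "autoload": {"files": ["src/helpers.php"], "psr-4": {}}},
        {"name": "laravel-lang/example-b", "version": "0.9.0",
         "time": "2025-11-02T08:00:00+00:00", "autoload": {"psr-4": {}}},
        {"name": "vendor/unrelated", "version": "2.0.0",
         "time": "2026-06-01T08:00:00+00:00"},
    ],
    "packages-dev": [{"name": "Laravel-Lang/example-c", "version": "3.1.0"}],
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit_lock(lock):
        print(f"REVIEW {f['name']} {f['version']} autoload.files={f['autoload_files']}")
```

Pass the path to a composer.lock as the first argument to audit a real deployment; each REVIEW line names a package whose listed autoload files should be read by hand.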