Laravel-Lang PHP Packages Compromised with Cross-Platform Credential Stealer
The Hacker News reports a significant software supply chain attack targeting multiple PHP packages under the Laravel-Lang project. Attackers compromised these packages to distribute a sophisticated, cross-platform credential-stealing framework. This isn't just a basic info stealer; it's a comprehensive framework designed for broad credential exfiltration.
The affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The compromise was flagged due to suspicious timing and patterns in newly published tags within these repositories, indicating malicious interference rather than legitimate updates. This type of attack is particularly insidious as it leverages trusted development resources to propagate malware downstream.
This incident highlights the pervasive risk of supply chain vulnerabilities, where a single point of compromise in a widely used library can cascade into countless downstream infections. Defenders must recognize that even seemingly innocuous language or utility packages can become vectors for highly effective credential theft, bypassing traditional perimeter defenses by injecting malicious code directly into the application build process.
What This Means For You
- If your organization utilizes any of the compromised Laravel-Lang PHP packages (`laravel-lang/lang`, `laravel-lang/http-statuses`, `laravel-lang/attributes`, `laravel-lang/actions`), you need to immediately audit your dependencies for unexpected versions or modifications. Assume compromise if these packages are in your build chain. Rotate credentials for any systems that may have processed builds using these packages, and implement stricter integrity checks for third-party libraries.
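One way to run the dependency audit described above, as an added example (not code from the article or the Laravel-Lang project): it compares a trusted baseline `composer.lock` with the current one and flags affected packages that were added, changed version, or whose tag now points at a different commit. The sample lockfiles, versions and commit ids are constructed; the article publishes no known-bad versions.

```python
import json

# Package names come from the article, which lists no known-bad versions.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}

def affected_entries(lock):
    """Map name -> (version, pinned commit) for affected packages in a parsed composer.lock."""
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = pkg.get("name", "").lower()
            if name in AFFECTED:
                pin = pkg.get("source") or pkg.get("dist") or {}
                found[name] = (pkg.get("version"), pin.get("reference"))
    return found

def audit(baseline_lock, current_lock):
    """Compare a trusted baseline lockfile with the current one; return (name, status, detail)."""
    old, new = affected_entries(baseline_lock), affected_entries(current_lock)
    findings = []
    for name, (version, ref) in sorted(new.items()):
        if name not in old:
            findings.append((name, "newly-added", version))
        elif old[name][0] != version:
            findings.append((name, "version-changed", f"{old[name][0]} -> {version}"))
        elif old[name][1] != ref:
            # Same tag now resolves to a different commit: the tag was moved or republished.
            findings.append((name, "tag-moved", version))
        else:
            findings.append((name, "present-unchanged", version))
    return findings

# Constructed sample lockfiles: versions and commit ids below are made up.
BASELINE = {"packages": [
    {"name": "laravel-lang/lang", "version": "1.0.0", "source": {"reference": "aaaa1111"}},
    {"name": "laravel-lang/actions", "version": "1.0.0", "source": {"reference": "bbbb2222"}},
    {"name": "example/unrelated", "version": "3.0.0", "source": {"reference": "cccc3333"}},
], "packages-dev": []}
CURRENT = {"packages": [
    {"name": "laravel-lang/lang", "version": "1.0.0", "source": {"reference": "dddd4444"}},
    {"name": "laravel-lang/actions", "version": "1.0.1", "source": {"reference": "eeee5555"}},
    {"name": "example/unrelated", "version": "3.0.0", "source": {"reference": "cccc3333"}},
], "packages-dev": [
    {"name": "laravel-lang/attributes", "version": "1.0.0", "dist": {"reference": "ffff6666"}},
]}

if __name__ == "__main__":
    print(*audit(BASELINE, CURRENT), sep="\n")
```

In practice, load the baseline with `json.load()` from a `composer.lock` at a commit you trust and the current one from the working tree; a `tag-moved` result on an unchanged version string is the case a version-only comparison misses.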
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
Traffic to Compromised Vendor - Laravel-Lang
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| Laravel-Lang-Compromise-2026-05 | Supply Chain Attack | laravel-lang/lang PHP package |
| Laravel-Lang-Compromise-2026-05 | Supply Chain Attack | laravel-lang/http-statuses PHP package |
| Laravel-Lang-Compromise-2026-05 | Supply Chain Attack | laravel-lang/attributes PHP package |
| Laravel-Lang-Compromise-2026-05 | Supply Chain Attack | laravel-lang/actions PHP package |
| Laravel-Lang-Compromise-2026-05 | Credential Stealer | Cross-platform credential stealing framework delivered via compromised PHP packages |