Hackers compromised four popular Laravel-Lang Composer packages and injected malware by rewriting more than 700 Git tags tied to historical versions. Laravel-Lang is a community-driven project that provides translation and localization files for Laravel applications; the affected packages are laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions.
Socket researchers say the attackers likely compromised the organization’s release process rather than a single package. The researchers observed the malicious tag activity on May 22–23, 2026, and warn that any application that updated or freshly installed the packages while the rewritten tags were live may have pulled a compromised version.
“The affected packages are not part of the official Laravel framework. They are third-party localization packages used by Laravel applications. However, applications that installed compromised versions may have executed the backdoor automatically when Composer’s autoloader ran,” reads the report published by Socket. “Newly observed tag activity suggests the compromise was not isolated to a single package. Recently published tags appeared across multiple repositories in the same GitHub organization, including Laravel-Lang/lang, Laravel-Lang/http-statuses, Laravel-Lang/attributes, and Laravel-Lang/actions. The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart.”
Aikido Security experts also investigated the incident; they linked the attack to a broader breach of the organization’s release infrastructure after attackers rapidly republished hundreds of historical tags across multiple repositories.
According to Aikido, the attacker abused GitHub’s tagging system by pointing official version tags at commits in a malicious fork, without ever changing the code on the original repository’s branches. Because a fork shares its parent’s object store on GitHub, an upstream tag can reference a commit that was only ever pushed to the fork: the tag resolves normally, Composer downloads the tagged commit for that version, and yet the commit never shows up in the upstream repository’s branch history.
“What makes this particularly sneaky is that the malicious code was never committed to the official repos at all. GitHub allows version tags to point to commits from a fork of the same repository,” reads the report by Aikido. “The attacker exploited this to create tags pointed to commits in a malicious fork they controlled.”
The first-stage code contacted a remote server, downloaded a second-stage payload, stored it in a hidden temporary directory, and executed it, with code paths for both Unix-like and Windows systems. The attackers obfuscated the command-and-control domain and disabled TLS certificate verification so the download would succeed regardless of the server’s certificate.
“The script generates a unique per-host marker (an MD5 hash combining the directory path, system architecture, and inode) to ensure the payload only triggers once per machine. This prevents redundant executions and helps the malware remain undetected after the initial run,” continues the report.
The second-stage payload is a cross-platform PHP information stealer. It connects to a hardcoded C2 server, encrypts stolen data before exfiltration, and uses multiple “collector” modules to extract sensitive information from the infected system. The stealer targets cloud credentials (AWS, Azure, GCP), Kubernetes, CI/CD systems, cryptocurrency wallets, browsers, password managers, VPNs, email clients, and system files across Linux, Windows, and macOS. It also queries cloud instance metadata services for credentials, decrypts browser data using embedded tools, and harvests secrets from running processes, environment variables, and configuration files before exfiltrating everything to its operator.
Teams using the affected Laravel-Lang packages should assume compromise, not just exposure. Check composer.lock (not only composer.json) for the four packages and block them until clean versions are confirmed; because the attackers rewrote tags for historical versions, a familiar version number is not evidence that an install was clean, so compare the commit reference recorded in the lock file against the upstream repository’s branch history. Because the malware steals cloud, Kubernetes, CI/CD, browser, password manager, VPN, SSH, and application secrets, rotate all credentials on impacted hosts, containers, and CI runners, including cloud keys, tokens, API keys, Git credentials, and database secrets. Rebuild systems from trusted images, and preserve logs, artifacts, and audit data for investigation before cleanup.
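The composer.lock check recommended here, combined with a test for the tag-to-fork mechanism described above, as one added example that is not code from Socket, Aikido or the Laravel-Lang project: it lists the four packages named in the article if they appear in a composer.lock, then classifies each locked commit as on-branch, orphan (present in the clone but reachable from no branch, the end state the attack produced) or missing. The repository and the lock file are constructed in a temporary directory, a detached-HEAD commit stands in for the fork commit, and the mapping from package name to local clone path is an assumption the caller supplies.

```python
"""Audit a composer.lock for the Laravel-Lang packages named above and check
each locked commit against a local clone of the package's upstream repository.

Added example, not code from Socket, Aikido or Laravel-Lang. The repository
and the composer.lock below are constructed in a temp dir for the demo.
"""
import json
import os
import subprocess
import tempfile

# Composer names of the four packages the article reports as compromised.
AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}


def git(repo, *args):
    """Run git in `repo` with an inline identity so commits work on any machine."""
    cmd = ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
           "-c", "commit.gpgsign=false", *args]
    return subprocess.run(cmd, cwd=repo, check=True, capture_output=True, text=True).stdout.strip()


def locked_affected_packages(lock_text):
    """Return [(name, version, commit)] for affected packages in a composer.lock document."""
    lock = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in AFFECTED:
                ref = (pkg.get("source") or {}).get("reference") or (pkg.get("dist") or {}).get("reference")
                found.append((pkg["name"], pkg.get("version"), ref))
    return found


def reference_status(repo, sha):
    """Classify a locked commit against a clone: 'on-branch', 'orphan' or 'missing'.

    A tag moved onto a fork's commit still resolves, so the object existing
    proves nothing. A release commit that sits on no local or remote-tracking
    branch at all ('orphan') is the pattern described above and needs review.
    """
    probe = subprocess.run(["git", "cat-file", "-e", f"{sha}^{{commit}}"],
                           cwd=repo, capture_output=True)
    if probe.returncode != 0:
        return "missing"
    return "on-branch" if git(repo, "branch", "-a", "--contains", sha) else "orphan"


def audit(lock_text, clones):
    """Map each affected locked package to (version, commit, status); `clones` maps name -> clone path."""
    report = {}
    for name, version, sha in locked_affected_packages(lock_text):
        repo = clones.get(name)
        status = reference_status(repo, sha) if repo and sha else "no-clone"
        report[name] = (version, sha, status)
    return report


def build_demo_repo():
    """Constructed upstream clone: v1.0.0 on the main branch, v1.0.1 on a commit no branch reaches."""
    repo = tempfile.mkdtemp(prefix="lang-demo-")
    git(repo, "init", "-q")
    with open(os.path.join(repo, "composer.json"), "w") as f:
        f.write('{"name": "laravel-lang/lang"}\n')
    git(repo, "add", ".")
    git(repo, "commit", "-q", "-m", "release 1.0.0")
    git(repo, "tag", "v1.0.0")
    branch = git(repo, "rev-parse", "--abbrev-ref", "HEAD")
    # End state of the attack: the tagged commit is in the object store (here
    # made on a detached HEAD; in the incident it came from a fork), but no
    # branch of the repository ever contained it.
    git(repo, "checkout", "-q", "--detach")
    with open(os.path.join(repo, "loader.php"), "w") as f:
        f.write("<?php // stand-in for the injected loader\n")
    git(repo, "add", ".")
    git(repo, "commit", "-q", "-m", "release 1.0.1")
    git(repo, "tag", "v1.0.1")
    git(repo, "checkout", "-q", branch)
    return repo


def sample_lock(repo):
    """Constructed composer.lock fragment pinning the poisoned demo tag (fields mirror Composer's layout)."""
    return json.dumps({
        "packages": [
            {"name": "laravel-lang/lang", "version": "1.0.1",
             "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
                        "reference": git(repo, "rev-list", "-n1", "v1.0.1")}},
            {"name": "example/unrelated", "version": "2.0.0",
             "source": {"type": "git", "url": "https://example.invalid/unrelated.git",
                        "reference": "0" * 40}},
        ],
        "packages-dev": [],
    })


if __name__ == "__main__":
    demo = build_demo_repo()
    for name, (version, sha, status) in audit(sample_lock(demo), {"laravel-lang/lang": demo}).items():
        print(f"{name} {version} {sha[:12]} {status}")
```

On a real project, point `clones` at full (non-shallow) clones of the upstream repositories so that remote-tracking branches are present; an orphan result is a reason to compare the locked commit's tree against the tagged release on a trusted branch before trusting it, not proof of compromise on its own.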
(SecurityAffairs – hacking, malware)