Tech News

Laravel Lang packages hijacked to deploy credential-stealing malware

Why This Matters

The hijacking of the Laravel Lang packages is a supply chain attack in which a single compromised credential with push access was used to rewrite existing GitHub release tags so that they delivered credential-stealing malware. No new version was published and no source file in the project's branches was changed, which is why routine review of releases and branch history would not have caught it. The incident shows why third-party dependencies need to be pinned by commit and monitored for tag and reference changes, since a compromise at this layer reaches developer machines and, through them, end-user data.

Key Takeaways

A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages.

Security firms StepSecurity, Aikido Security, and Socket warned about the compromise on Friday, reporting that the attackers had rewritten existing GitHub tags across four repositories maintained by the Laravel Lang organization rather than publishing entirely new malicious versions.

The affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions. The Laravel Lang packages are third-party localization packages and are not part of the official Laravel project.

According to Aikido, the attackers compromised 233 versions across three repositories, while Socket said roughly 700 historical versions may have been impacted.

What made the attack stand out is that the project's source code in its branches was never modified. Instead, the attackers relied on the way GitHub stores a repository and its forks in one shared object network: a commit pushed to a fork is retrievable through the parent repository's API, so a tag in the upstream repository can be made to point at a commit that only ever existed in an attacker-controlled fork.

"Rather than publishing a new malicious version, the attacker rewrote every existing git tag in each repository to point at a new malicious commit," explained StepSecurity.

"The rewrites started at 22:32 UTC against laravel-lang/lang (the flagship Laravel translations package, with 502 tags) and finished by 00:00 UTC against laravel-lang/actions. All four repositories share the same fake author identity, the same modified files, and the same payload behavior, which makes them almost certainly the work of one actor using one compromised credential with org-wide push access."

This allowed the attackers to publish what appeared to be legitimate release tags for the project, which actually led to malicious commits stored in an attacker-controlled fork of the repository.

When developers resolved one of these packages via Composer, the version tag still looked like a legitimate Laravel Lang release, but the commit it now pointed to, and therefore the archive Composer downloaded, was the attacker's.
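The mechanism above has a measurable fingerprint: a rewritten tag leaves the version string Composer resolves unchanged and changes only the commit behind it, so comparing a project's committed composer.lock with the lock produced by a fresh `composer update` exposes it. The script below is an added example written for this article, not code from the article, from Composer, or from the Laravel Lang project. It assumes only the documented composer.lock layout (`packages`, `packages-dev`, and per-package `source.reference` and `dist.reference` fields); the package versions and 40-character commit hashes in it are constructed placeholders, not real releases.

```python
"""Flag Composer packages whose pinned commit changed while the version did not.

A rewritten git tag does not change the version string Composer resolves,
only the commit it points at. Diffing composer.lock before and after a
`composer update` surfaces exactly that pattern. Hypothetical helper code,
not part of Composer or the Laravel Lang project; package names, versions
and commit hashes below are constructed samples, not real releases.
"""
import json


def _lock_entry(name, version, ref, repo):
    # Builds one composer.lock package entry in the shape Composer writes.
    return {
        "name": name,
        "version": version,
        "source": {"type": "git", "url": f"https://github.com/{repo}.git", "reference": ref},
        "dist": {
            "type": "zip",
            "url": f"https://api.github.com/repos/{repo}/zipball/{ref}",
            "reference": ref,
            "shasum": "",
        },
    }


# Constructed sample: the lock file committed to the project before the incident.
LOCK_BEFORE = json.dumps({
    "packages": [
        _lock_entry("laravel-lang/lang", "1.0.0", "a" * 40, "Laravel-Lang/lang"),
        _lock_entry("laravel-lang/attributes", "1.0.0", "b" * 40, "Laravel-Lang/attributes"),
        _lock_entry("monolog/monolog", "3.0.0", "c" * 40, "Seldaek/monolog"),
    ],
    "packages-dev": [],
})

# Constructed sample: the same project after `composer update`. laravel-lang/lang
# keeps its version string but now resolves to a different commit (the tag
# rewrite pattern); laravel-lang/attributes is an ordinary version bump.
LOCK_AFTER = json.dumps({
    "packages": [
        _lock_entry("laravel-lang/lang", "1.0.0", "d" * 40, "Laravel-Lang/lang"),
        _lock_entry("laravel-lang/attributes", "1.1.0", "e" * 40, "Laravel-Lang/attributes"),
        _lock_entry("monolog/monolog", "3.0.0", "c" * 40, "Seldaek/monolog"),
    ],
    "packages-dev": [],
})


def packages_by_name(lock_text):
    """Index every package (runtime and dev) in a composer.lock by name."""
    lock = json.loads(lock_text)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"]: p for p in entries}


def find_tag_rewrites(before_text, after_text):
    """Return packages whose version is unchanged but whose commit moved."""
    before = packages_by_name(before_text)
    after = packages_by_name(after_text)
    findings = []
    for name, new in after.items():
        old = before.get(name)
        if old is None or old.get("version") != new.get("version"):
            continue  # new dependency or a real version change: not this pattern
        old_ref = (old.get("source") or {}).get("reference")
        new_ref = (new.get("source") or {}).get("reference")
        if old_ref and new_ref and old_ref != new_ref:
            findings.append({"name": name, "version": new["version"],
                             "old_reference": old_ref, "new_reference": new_ref})
    return findings


def find_reference_mismatches(lock_text):
    """Within one lock file, flag entries whose dist and source commits differ.

    Composer writes the same reference to both; a mismatch means the archive
    Composer will unpack is not the commit the lock claims to pin.
    """
    bad = []
    for name, p in packages_by_name(lock_text).items():
        src = (p.get("source") or {}).get("reference")
        dist = (p.get("dist") or {}).get("reference")
        if src and dist and src != dist:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for f in find_tag_rewrites(LOCK_BEFORE, LOCK_AFTER):
        print(f"SUSPECT {f['name']} {f['version']}: "
              f"{f['old_reference'][:12]} -> {f['new_reference'][:12]}")
    print("dist/source mismatches:", find_reference_mismatches(LOCK_AFTER))
```

Run against a real project by replacing the two constructed samples with the committed composer.lock and the one written by `composer update`, ideally as a CI gate before the updated lock is merged. Two caveats worth knowing: `composer install` against an unchanged lock file is not exposed to a tag rewrite, because it fetches the archive by the full commit hash recorded in `dist`, so the risk is concentrated in `composer update`, `composer require`, and builds that run without a lock file. On the git side, the same pattern can be spotted in a clone with `git fetch --tags --force` followed by `git merge-base --is-ancestor <tag> origin/<default-branch>` for each tag; a release tag whose commit is not an ancestor of any branch in the upstream repository is exactly what a fork-hosted commit looks like.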

Executes a credential-stealer
