Laravel-Lang PHP Packages Hit by Credential Stealer
Laravel-Lang PHP packages were compromised to deliver a cross-platform credential stealer. Here's what developers need to know and how to protect your apps.
Laravel-Lang PHP Packages Compromised in Supply Chain Attack
The Laravel-Lang PHP packages have been compromised to deliver a cross-platform credential stealer, marking another serious supply chain attack targeting PHP developers. If your Laravel project pulls in any of the Laravel-Lang localization packages, you need to act now. Supply chain attacks through package repositories are brutally effective because developers trust these dependencies implicitly, and malicious code runs with full application privileges the moment it lands in your vendor directory.
The attack specifically targets the Laravel ecosystem, which powers a significant portion of PHP web applications globally. Because Laravel-Lang packages handle localization and are pulled into projects at the Composer level, the compromise affects any application that installed or updated affected versions during the window when the malicious code was live.
How the Credential Stealer Works
The malicious payload embedded in the compromised packages operates across platforms, meaning it runs on Linux, Windows, and macOS environments. This is not a single-OS problem. The stealer is designed to harvest credentials stored locally, targeting browser-saved passwords, application tokens, environment variables, and potentially SSH keys or database credentials sitting in .env files.
When Composer installs or updates a package, any code in that package executes with the same permissions as your application or build process. Attackers exploit this by injecting code into package autoloaders or service providers that silently exfiltrate credentials. Because the malicious code lives inside a legitimate, trusted package, most static analysis tools and firewalls won't catch the outbound request before it's too late.
The cross-platform nature of the stealer suggests the threat actors are targeting CI/CD pipelines just as much as developer workstations. Build servers often have elevated access to deployment credentials, cloud provider tokens, and API keys. Compromising those environments can give attackers persistent access far beyond a single application.
What's at Risk for PHP Developers
Your .env file is the obvious target. Laravel applications store database credentials, API keys, mail server passwords, and third-party service tokens there by default. A successful credential stealer run against a build environment could expose all of those in a single shot.
Beyond .env files, persistent session tokens, OAuth credentials, and any secrets loaded into environment variables at runtime are all fair game. If your CI/CD runner has cloud IAM credentials mounted, those are at risk too. The blast radius here extends well past the application itself.
How to Protect Your Laravel Application
First, audit your Composer lock file immediately. Check which version of any Laravel-Lang package is installed and compare it against the official repository to verify package integrity. Run composer show to list installed versions and cross-reference with known-good hashes.
Rotate all credentials that may have been exposed. That means database passwords, API keys, cloud access tokens, and any secrets stored in .env or CI/CD environment variables. Do not wait to confirm compromise before rotating. Treat it as assumed breach.
Pin your package versions explicitly in composer.json and pass Composer's --no-scripts flag in production builds so that package scripts cannot run on install. Add checksum verification to your pipeline using tools like Phive or Composer's built-in hash verification.
Run a full automated scan of your web application to identify any indicators of compromise or unexpected outbound connections introduced by the affected packages.
Review your CI/CD pipeline permissions. Build servers should not have broader credential access than they absolutely need. Scope IAM roles tightly and rotate tokens on a schedule.
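To make the composer.lock audit above concrete, here is an added example (not code from the article or from the Laravel-Lang project) that parses a lock file, picks out every laravel-lang/* package, compares its pinned git commit against a known-good allow-list, and lists the files and service providers that Composer or Laravel load automatically, which are the spots a reviewer should diff against upstream. The package versions, commit references and the allow-list are constructed placeholders.

```python
"""Added example (not from the article): audit a composer.lock for Laravel-Lang packages."""
import json

# Constructed sample lock file, not a real project's. One package matches a
# known-good commit; the other does not and also ships code that Composer or
# Laravel loads without any explicit call (autoload files, a service provider).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.4.0",
         "source": {"type": "git", "reference": "aaaa1111"},
         "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}}},
        {"name": "laravel-lang/publisher", "version": "16.0.1",
         "source": {"type": "git", "reference": "bbbb2222"},
         "autoload": {"psr-4": {"LaravelLang\\Publisher\\": "src/"},
                      "files": ["helpers.php"]},
         "extra": {"laravel": {"providers": ["LaravelLang\\Publisher\\ServiceProvider"]}}},
        {"name": "laravel/framework", "version": "11.0.0",
         "source": {"type": "git", "reference": "cccc3333"}},
    ],
    "packages-dev": [],
})

# Known-good git commit references per package. Placeholder values: take the
# real ones from the upstream repository's release tags.
KNOWN_GOOD = {"laravel-lang/lang": {"aaaa1111"}}


def audit_lock(lock_text, known_good, prefix="laravel-lang/"):
    """One finding per matching package: is its pinned commit on the allow-list,
    and which of its files/classes run automatically and so need review."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        if not name.startswith(prefix):
            continue
        # Packagist zips usually carry an empty dist shasum, so the git commit
        # reference is the value worth pinning and comparing.
        ref = pkg.get("source", {}).get("reference", "")
        entry_points = list(pkg.get("autoload", {}).get("files", []))
        entry_points += pkg.get("extra", {}).get("laravel", {}).get("providers", [])
        findings.append({"name": name, "version": pkg["version"], "reference": ref,
                         "unverified": ref not in known_good.get(name, set()),
                         "entry_points": entry_points})
    return findings


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK, KNOWN_GOOD):
        print(f["name"], f["version"], "UNVERIFIED" if f["unverified"] else "ok", f["entry_points"])
```

Point it at a real lock file with open("composer.lock").read() and an allow-list built from upstream release tags; an UNVERIFIED result means the pinned commit is not one you have vetted, not that it is necessarily malicious.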
Frequently Asked Questions
How do I know if my project installed the compromised Laravel-Lang package version?
Check your composer.lock file for the exact installed version and compare the package hash against the official Packagist listing. If hashes don't match or you installed during the compromise window, assume exposure.
Does running composer update fix the problem?
Updating will replace the compromised package with a clean version, but it does not undo any credential theft that already occurred. Rotate all secrets regardless.
Can this attack affect Docker-based Laravel deployments?
Yes. If the compromised package was pulled during a Docker image build, the stealer could have run inside the build context, with access to any secrets mounted or baked into that environment.