EXECUTIVE SUMMARY
A supply chain attack has been detected targeting Laravel-Lang packages: attackers injected credential-stealing code that loads automatically through Composer's autoloader. The malicious code, a dropper, was published in three widely used repositories, Laravel-Lang/lang, Laravel-Lang/attributes and Laravel-Lang/http-statuses. The attackers' goal is to steal sensitive information, including cloud credentials, infrastructure secrets and developer credentials, ultimately leading to data theft and disruption. The targeted sectors include software development, cloud services and e-commerce, with a focus on organisations that rely on Laravel-Lang packages.
The attack chain begins with the dropper, a file named src/helpers.php that was added to the affected version tags and is pulled in by Composer's autoloader. The dropper fingerprints the host using a hash of the file path, hostname and inode, then writes a marker file to the system temp directory. It then fetches a payload from a C2 domain, flipboxstudio.info, using file_get_contents with a curl fallback, both with SSL verification disabled. On Windows, it drops a .vbs launcher and runs the payload silently via cscript. On Linux and macOS, it executes the payload in the background via exec(). The payload is a credential stealer that collects sensitive information, encrypts the results with AES-256 and sends them to the C2 domain.
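To turn the chain above into a check a defender can run against a project's composer.lock, here is an added Python example (not code from the advisory or from the Laravel-Lang project). The Composer lock-file layout it reads is standard; the C2 domain comes from the advisory, while the PHP spellings of the other indicators (TLS verification disabled, .vbs/cscript launcher, exec(), temp-dir marker) are assumptions.

```python
"""Audit a Composer install for the Laravel-Lang dropper pattern (constructed example).

Flags Laravel-Lang packages whose autoload "files" pull in src/helpers.php, and
PHP source showing the advisory's dropper traits (PHP spellings are assumptions).
"""
import json
import re

LARAVEL_LANG_PREFIX = "laravel-lang/"
C2_DOMAIN = "flipboxstudio.info"  # named in the advisory

# Regexes for the traits the advisory describes (assumed PHP spellings).
TRAITS = {
    "c2_domain": re.compile(re.escape(C2_DOMAIN)),
    "tls_disabled": re.compile(
        r'CURLOPT_SSL_VERIFYPEER\s*(?:=>|,)\s*false|[\'"]verify_peer[\'"]\s*=>\s*false', re.I),
    "vbs_launcher": re.compile(r"\.vbs\b|\bcscript\b", re.I),
    "background_exec": re.compile(r"\bexec\s*\("),
    "temp_marker": re.compile(r"\bsys_get_temp_dir\s*\("),
}

def autoload_files(package: dict) -> list[str]:
    """The autoload 'files' entries of one composer.lock package record."""
    return list(package.get("autoload", {}).get("files", []))

def suspicious_packages(lock_json: str) -> list[str]:
    """Laravel-Lang packages whose autoload files include src/helpers.php."""
    lock = json.loads(lock_json)
    hits = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if name.startswith(LARAVEL_LANG_PREFIX) and "src/helpers.php" in autoload_files(pkg):
            hits.append(name)
    return hits

def dropper_traits(php_source: str) -> list[str]:
    """Trait names found in a PHP file; several together warrant a closer look."""
    return [name for name, rx in TRAITS.items() if rx.search(php_source)]

# Constructed sample inputs (not real package metadata or real dropper code).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "autoload": {"files": ["src/helpers.php"]}},
    {"name": "laravel-lang/attributes", "autoload": {"psr-4": {}}},
    {"name": "vendor/other", "autoload": {"files": ["src/helpers.php"]}},  # legitimate
]})
SAMPLE_HELPERS_PHP = """<?php
$ctx = stream_context_create(['ssl' => ['verify_peer' => false]]);
$marker = sys_get_temp_dir() . '/constructed-marker';
$host = 'flipboxstudio.info';
"""
```

On a real install, feed it the project's composer.lock and the contents of each flagged package's src/helpers.php from the vendor tree; a helpers.php in autoload "files" is normal for many packages, so only the combination of a Laravel-Lang package plus several traits is a strong signal.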
This threat is significant for organisations that rely on Laravel-Lang packages, as it can lead to data theft, disruption and reputational damage. Because the dropper loads silently through the autoloader and the attack chain spans several stages, it is hard both to detect and to recover from. Organisations should take immediate action by patching their systems, monitoring for suspicious activity and ensuring that they have up-to-date backups. Endpoint protection, including monitoring and real-time threat detection, is also essential to prevent the spread of this malware.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Defense Evasion | T1027.005 | Obfuscated Files or Information | Indicator Removal from Tools |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1555.001 | Credentials from Password Stores | Keychain |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/laravel-lang-packages-compromised/
https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer