
Cross-Platform RAT Delivered via Malicious Laravel Packages on Packagist

Security Arsenal Team
March 4, 2026

Supply Chain Alert: Fake Laravel Packages Deliver Cross-Platform RAT

Security Arsenal researchers are tracking a critical supply chain threat targeting the PHP ecosystem.

In the modern development landscape, speed often trumps verification. Cybercriminals are exploiting this trust by planting malware directly within the open-source repositories developers rely on daily. Recently, cybersecurity researchers flagged a sophisticated campaign involving malicious packages on Packagist, the default package repository for Composer, PHP's dependency manager.

These packages masquerade as legitimate utilities for the popular Laravel framework but serve a far more sinister purpose: acting as a delivery mechanism for a Remote Access Trojan (RAT) that is fully functional across Windows, macOS, and Linux systems.

The Malicious Artifacts

The threat actor, utilizing the handle nhattuanbl, published three distinct packages designed to blend in with the thousands of legitimate libraries available to developers. While the download counts appear relatively low (ranging from 29 to 49 downloads at the time of discovery), the impact on compromised systems is severe.

The identified malicious packages include:

  • nhattuanbl/lara-helper
  • nhattuanbl/simple-queue
  • nhattuanbl/lara-swagger

Deep-Dive Analysis

The Attack Vector

This incident is a classic example of a supply chain attack. Rather than exploiting a vulnerability in the web application code itself, the attacker targets the dependency lifecycle. By naming packages to resemble common helper tools—"helper", "queue", and "swagger"—the attacker entices developers into inadvertently incorporating malware into their projects or local environments.

Once a developer runs composer require for one of these packages, the payload executes. The malicious code is typically obfuscated within the package's source or autoloader, triggering immediately upon installation.

Cross-Platform Capabilities

What distinguishes this campaign from many others is the versatility of the payload. The RAT deployed by these packages is not limited to a single operating system. It is capable of:

  1. OS Detection: Identifying whether the host is Windows, macOS, or Linux.
  2. Payload Delivery: Downloading and executing the appropriate binary or script for the detected OS.
  3. Remote Control: Establishing a reverse shell or C2 (Command and Control) connection, giving the attacker full control over the victim's machine.

TTPs and Impact

The Tactics, Techniques, and Procedures (TTPs) suggest a move towards platform-agnostic malware. For a web developer running a local environment on macOS but deploying to Linux, or a DevOps engineer managing Windows CI/CD pipelines, this threat ensures total coverage. Once the RAT gains a foothold, it can steal credentials, mine cryptocurrency, or move laterally to compromise internal production servers.

Detection and Threat Hunting

Defending against this requires identifying the presence of these specific packages within your environment and detecting anomalous behavior from PHP processes. Use the following queries and scripts to audit your systems.

Hunt for Malicious Packages in Composer Files

Bash Script: Use this script to scan your project directories for the presence of the malicious package names in composer.json and composer.lock.

Script / Code
grep -r "nhattuanbl/lara-helper\|nhattuanbl/simple-queue\|nhattuanbl/lara-swagger" /var/www/html --include="composer.json" --include="composer.lock"


PowerShell Script: For Windows environments, scan your development folders for these dependencies.

Script / Code
Get-ChildItem -Path "C:\Projects" -Filter "composer.json" -Recurse -ErrorAction SilentlyContinue | 
Select-String -Pattern "nhattuanbl/lara-(helper|simple-queue|swagger)" -List | 
Select-Object Path
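The grep and PowerShell one-liners above match package names as text. The following Python script is an added example (not code from the original advisory or from Security Arsenal): it parses composer.json and composer.lock as JSON so that name matching is exact across prod and dev dependencies, and it also lists which packages register autoload.files, the PHP files Composer loads on every autoloader initialisation and therefore a plausible place for an install-time trigger to hide. That autoload list is a review aid (many legitimate libraries use it), not a verdict. The project layout and the manifests written by demo() are constructed for illustration.

```python
"""Audit composer.json / composer.lock for the packages named in this advisory.

Added example, not code from the original advisory. Parses the manifests as
JSON (rather than grepping text) so name matching is exact, checks prod and
dev dependencies, and lists packages that register `autoload.files`, which
Composer loads every time the autoloader is initialised. The manifests in
demo() are constructed samples.
"""
import json
import os
import re
import tempfile
from typing import Dict, List

# Package names taken from the advisory.
BLOCKLIST = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}
# Anything else published under the same handle is worth a second look.
SAME_VENDOR = re.compile(r"^nhattuanbl/")


def _read_json(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def manifest_requirements(manifest: dict) -> List[str]:
    """Package names from composer.json 'require' and 'require-dev'."""
    names = list(manifest.get("require", {})) + list(manifest.get("require-dev", {}))
    # Platform requirements such as "php" or "ext-json" are not packages.
    return [n for n in names if "/" in n]


def lock_packages(lock: dict) -> List[dict]:
    """All resolved package entries from composer.lock (prod + dev)."""
    return list(lock.get("packages", [])) + list(lock.get("packages-dev", []))


def audit_project(project_dir: str) -> Dict[str, List[str]]:
    """Return findings for one project directory, grouped by category."""
    findings: Dict[str, List[str]] = {"blocklisted": [], "same_vendor": [], "autoload_files": []}
    json_path = os.path.join(project_dir, "composer.json")
    lock_path = os.path.join(project_dir, "composer.lock")

    if os.path.isfile(json_path):
        for name in manifest_requirements(_read_json(json_path)):
            if name in BLOCKLIST:
                findings["blocklisted"].append(f"composer.json: {name}")
            elif SAME_VENDOR.match(name):
                findings["same_vendor"].append(f"composer.json: {name}")

    if os.path.isfile(lock_path):
        for pkg in lock_packages(_read_json(lock_path)):
            name = pkg.get("name", "")
            label = f"composer.lock: {name} {pkg.get('version', '?')}"
            if name in BLOCKLIST:
                findings["blocklisted"].append(label)
            elif SAME_VENDOR.match(name):
                findings["same_vendor"].append(label)
            # Files listed here execute on every autoloader initialisation.
            for file in pkg.get("autoload", {}).get("files", []):
                findings["autoload_files"].append(f"{name}: {file}")
    return findings


# Constructed sample manifests: one ordinary library that also uses autoload
# files, plus one blocklisted package. "acme/*" names are placeholders.
SAMPLE_JSON = {
    "name": "acme/app",
    "require": {"php": "^8.2", "acme/helpers": "^2.0", "nhattuanbl/lara-helper": "^1.0"},
    "require-dev": {"acme/testing": "^1.0"},
}
SAMPLE_LOCK = {
    "packages": [
        {"name": "acme/helpers", "version": "2.1.0", "autoload": {"files": ["src/helpers.php"]}},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0", "autoload": {"files": ["src/bootstrap.php"]}},
    ],
    "packages-dev": [{"name": "acme/testing", "version": "1.0.0"}],
}


def demo() -> Dict[str, List[str]]:
    """Write the constructed manifests to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "composer.json"), "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_JSON, fh)
        with open(os.path.join(tmp, "composer.lock"), "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_LOCK, fh)
        return audit_project(tmp)


if __name__ == "__main__":
    for category, items in demo().items():
        print(category)
        for item in items:
            print("  ", item)
```

To use it on real projects, call audit_project() on each directory that holds a composer.json; a non-empty "blocklisted" list is the signal to act on, while "autoload_files" is the list of packages whose autoload hooks deserve a manual read.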

EDR / Sentinel Queries

KQL (Microsoft Sentinel / Defender): Hunt for unusual process creation events where PHP is spawning network connections or shells, which may indicate the RAT is active.

Script / Code
DeviceProcessEvents
| where InitiatingProcessFileName has "php"
| where ProcessCommandLine contains "nhattuanbl" or 
   ProcessCommandLine contains "curl" or 
   ProcessCommandLine contains "wget"
| extend Account = AccountName
| project Timestamp, DeviceName, Account, InitiatingProcessCommandLine, ProcessCommandLine, FileName

Mitigation Strategies

To protect your organization from supply chain threats like the fake Laravel packages, implement the following actionable measures:

  1. Immediate Audit: Run the scripts above immediately on all development and build servers to check for the presence of nhattuanbl packages. If found, remove the package directory from vendor/, sanitize composer.json and composer.lock, and rotate any credentials stored on the infected machine.

  2. Dependency Vetting: Never blindly install packages. Always check the download count, the release date, and the publisher's history. Be skeptical of packages with low download counts that claim to offer high-demand functionality.

  3. Enable Static Application Security Testing (SAST): Integrate SAST tools into your CI/CD pipeline that can flag known malicious packages or suspicious code patterns (like obfuscated base64 strings) before deployment.

  4. Lock Down Dependencies: Use composer.lock files to ensure exact version control, and regularly run composer audit to check for known security advisories in your installed packages.

  5. Network Segmentation: Ensure development environments do not have unfettered access to the production network. A RAT on a developer's laptop should not be able to pivot to a production database.
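Mitigation item 3 asks for a check that flags obfuscated or suspicious code before deployment. The Python script below is an added example (not code from the original advisory or from Security Arsenal) of such a lightweight SAST-style pass over a vendor/ tree: it flags decode-then-eval chains, process-spawning calls, in-code HTTP fetches and very long base64-looking string literals, then lists the files with the most hits first. The two PHP files that demo() writes are constructed samples, and the rules are generic enough to hit legitimate code as well, so the output is a review queue rather than a verdict.

```python
"""Heuristic scan of PHP sources for obfuscation and execution patterns.

Added example, not code from the original advisory. A small SAST-style
check of the kind mitigation item 3 recommends. The rules are generic and
will also match legitimate code; the output is a review queue, not a
verdict. The PHP files written by demo() are constructed samples.
"""
import base64
import os
import re
import tempfile
from typing import Dict, List, Tuple

RULES = [
    # Decode-then-execute chains are the strongest single signal.
    ("eval_decode_chain",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # PHP functions that spawn a process.
    ("process_exec",
     re.compile(r"\b(?:shell_exec|exec|system|passthru|proc_open|popen)\s*\(", re.I)),
    # HTTP fetches from library code.
    ("network_fetch",
     re.compile(r"\bcurl_exec\s*\(|\bfile_get_contents\s*\(\s*['\"]https?://", re.I)),
    # A single string literal holding 200+ characters of base64 alphabet.
    ("long_base64",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


def scan_php_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) pairs for every rule hit in one file."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every .php file under root; keep files with hits, most hits first."""
    results: Dict[str, List[Tuple[int, str]]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                # Forward slashes keep report keys stable across platforms.
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return dict(sorted(results.items(), key=lambda kv: len(kv[1]), reverse=True))


# Constructed samples: a clean helper and a file exhibiting the patterns above.
# The base64 blob is an encoded placeholder sentence, not a real payload.
BENIGN_PHP = """<?php
namespace Acme\\Helpers;
function slug(string $s): string { return strtolower(trim($s)); }
"""
_BLOB = base64.b64encode(b"constructed placeholder, not a real payload. " * 6).decode()
SUSPICIOUS_PHP = f"""<?php
// constructed sample of the patterns the rules look for
$p = '{_BLOB}';
eval(base64_decode($p));
shell_exec($cmd);
"""


def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Write the two constructed files under a temp vendor-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "acme", "helpers"))
        os.makedirs(os.path.join(tmp, "unknown", "loader"))
        with open(os.path.join(tmp, "acme", "helpers", "slug.php"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_PHP)
        with open(os.path.join(tmp, "unknown", "loader", "boot.php"), "w", encoding="utf-8") as fh:
            fh.write(SUSPICIOUS_PHP)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for lineno, rule in hits:
            print(f"  line {lineno}: {rule}")
```

Run scan_tree() against a project's vendor/ directory in CI and fail the build, or at least open a review ticket, when a file produces an eval_decode_chain hit; the other rules are better treated as ranking signals than as hard failures.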

