
Git Tag Poisoning Attack: Laravel-Lang Composer Packages Compromise

Security Arsenal Team
May 26, 2026
6 min read

A sophisticated supply-chain attack has targeted the PHP ecosystem, specifically impacting applications utilizing the popular Laravel-Lang localization packages. Attackers successfully compromised the repository of four widely used Laravel-Lang Composer packages, rewriting more than 700 historical Git tags to inject malicious code. This tactic, known as Git Tag Poisoning, subverts the trust model of package managers by altering the content associated with specific version tags. Consequently, any deployment or CI/CD pipeline running a composer update or installing a specific compromised tag is at risk of executing unverified, malicious code. Given the ubiquitous nature of these localization files in Laravel applications, the blast radius of this compromise is significant, requiring immediate defensive action.

Technical Analysis

Affected Products and Platforms:

  • Platform: PHP (Laravel Framework)
  • Package Manager: Composer
  • Affected Packages:
    • laravel-lang/common
    • laravel-lang/lang
    • laravel-lang/attributes
    • laravel-lang/publisher

Attack Mechanism (Git Tag Poisoning): The attackers gained unauthorized access to the project's Git repository. Instead of committing new code to the main branch, they utilized git push --force to overwrite existing Git tags (e.g., v1.0.0, v2.5.1). In Git, a tag is a pointer to a specific commit. By moving these pointers to new commits containing injected malware, the attackers tricked Composer into believing the malicious version was the legitimate release. When Composer resolves dependencies, it downloads the code referenced by the tag—now poisoned—rather than the original, benign code.

The Malware: The poisoned packages inject malicious software during the installation process. This typically manifests via the post-install-cmd or post-update-cmd scripts in composer.json, or via obfuscated PHP backdoors embedded in the translation files themselves. These mechanisms give the attacker persistence and potential remote code execution (RCE) on the host server.

Exploitation Status: This is an active supply-chain compromise. Users pulling dependencies between the time of the tag poisoning and the remediation by maintainers are considered impacted. There is no CVE ID currently assigned, but the event is classified as a critical integrity failure.

Detection & Response

The following detection mechanisms focus on identifying the suspicious behavior associated with the compromise: Composer processes spawning unauthorized shells or network tools, and the presence of suspicious artifacts within the vendor directory.

SIGMA Rules

---
title: Suspicious Process Spawn by Composer
id: 92f1a4b0-3c5d-4e8f-9a1b-2c3d4e5f6a7b
status: experimental
description: Detects Composer (PHP) spawning shell or network utilities, indicative of a malicious post-install script execution.
references:
  - https://securityaffairs.com/192697/security/malware-found-in-laravel-lang-composer-packages-after-git-tag-poisoning-attack.html
author: Security Arsenal
date: 2025/03/24
tags:
  - attack.execution
  - attack.t1204
  - attack.supply_chain
logsource:
  product: linux
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '/php'
      - '/composer.phar'
    ParentCommandLine|contains:
      - 'composer'
  selection_child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/curl'
      - '/wget'
      - '/nc'
      - '/perl'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate build scripts that require system calls during composer install
level: high
---
title: Non-Standard File Creation in Laravel-Lang Vendor Directory
id: 8a2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects creation of non-PHP files (e.g., binaries, scripts) inside the laravel-lang vendor directory, a common tactic in supply-chain compromises.
author: Security Arsenal
date: 2025/03/24
tags:
  - attack.defense_evasion
  - attack.t1564.001
logsource:
  product: linux
  category: file_event
detection:
  selection:
    TargetFilename|contains:
      - '/vendor/laravel-lang/'
    TargetFilename|endswith:
      - '.sh'
      - '.so'
      - '.exe'
      - '.bin'
      - '.run'
  condition: selection
falsepositives:
  - Unknown
level: critical

KQL (Microsoft Sentinel / Defender)

// Hunt for Composer processes spawning suspicious child processes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("php", "composer.phar") 
| where InitiatingProcessCommandLine contains "composer"
| where FileName in~ ("sh", "bash", "curl", "wget", "perl", "python3", "nc")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, CommandLine, FolderPath
| order by Timestamp desc
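The Sigma and KQL rules above share one piece of logic: a PHP/Composer parent process spawning a shell or network utility. The following is an added example (not code from the Security Arsenal post) that expresses that same parent/child match in Python over process-creation events, so the rule can be exercised offline before it is deployed. The event records are constructed for illustration; field names follow the Sigma rule.

```python
"""Added example, not from the Security Arsenal post: the parent/child matching
of the Sigma and KQL rules above, expressed over process-creation events.
The events below are constructed samples."""

# Mirrors the Sigma rule: a PHP/Composer parent spawning a shell or network tool.
PARENT_IMAGE_SUFFIXES = ("/php", "/composer.phar")
PARENT_CMDLINE_MARKER = "composer"
SUSPICIOUS_CHILD_SUFFIXES = ("/sh", "/bash", "/curl", "/wget", "/nc", "/perl", "/python3")


def _norm_path(value: str) -> str:
    """Normalise separators and case, and prefix a slash so a bare file name
    (as in the KQL FileName field) matches the same way as a full path."""
    return "/" + value.replace("\\", "/").lower()


def is_composer_parent(event: dict) -> bool:
    """selection_parent: image ends in /php or /composer.phar and the command
    line mentions composer."""
    image = _norm_path(event.get("ParentImage", ""))
    cmdline = event.get("ParentCommandLine", "").lower()
    return image.endswith(PARENT_IMAGE_SUFFIXES) and PARENT_CMDLINE_MARKER in cmdline


def is_suspicious_child(event: dict) -> bool:
    """selection_child: the spawned image is a shell or network utility."""
    return _norm_path(event.get("Image", "")).endswith(SUSPICIOUS_CHILD_SUFFIXES)


def matches_rule(event: dict) -> bool:
    """condition: selection_parent and selection_child"""
    return is_composer_parent(event) and is_suspicious_child(event)


def hunt(events):
    """Return the events that would fire the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events: two should fire, two should not.
SAMPLE_EVENTS = [
    {"ParentImage": "/usr/bin/php", "ParentCommandLine": "php /usr/local/bin/composer install",
     "Image": "/usr/bin/curl", "CommandLine": "curl -s http://example.invalid/"},
    # artisan serve spawning a shell: PHP parent, but not a composer run
    {"ParentImage": "/usr/bin/php", "ParentCommandLine": "php artisan serve",
     "Image": "/bin/sh", "CommandLine": "sh -c ls"},
    # composer spawning git is expected during source installs
    {"ParentImage": "/usr/bin/php", "ParentCommandLine": "php composer.phar update",
     "Image": "/usr/bin/git", "CommandLine": "git fetch"},
    {"ParentImage": "/usr/bin/php", "ParentCommandLine": "php /usr/local/bin/composer update",
     "Image": "/bin/bash", "CommandLine": "bash -c 'echo post-update hook'"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentCommandLine']!r} child={hit['CommandLine']!r}")
```

The `git` child in the third event is deliberately not in the suspicious list: Composer legitimately spawns git during source installs, and adding it would make the rule fire on every `--prefer-source` run. Tune the child list against your own build images before raising the rule to alerting.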

Velociraptor VQL

-- Hunt for suspicious PHP files in Laravel-Lang vendor directories
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs="/*/vendor/laravel-lang/**/*.php")
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)
  -- Look for common obfuscation patterns in recently modified files
  AND read_file(filename=FullPath, length=1024) =~ "base64_decode|eval\(|gzinflate|str_rot13|shell_exec"
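For hosts without a Velociraptor agent, the following is an added example (not code from the Security Arsenal post) that performs the same hunt in Python: it walks a vendor/laravel-lang tree, reads each recently modified .php file in full (the VQL above inspects only the first 1024 bytes, so an indicator appended after a long translation array would be missed there) and reports which indicator appears on which line. The two PHP files it creates are constructed samples.

```python
"""Added example, not from the Security Arsenal post: a portable version of the
VQL hunt above. Scans *.php under a vendor/laravel-lang tree for the same
obfuscation indicators, reading whole files. Sample files are constructed."""
import re
import tempfile
import time
from pathlib import Path

# Indicator patterns from the VQL, anchored to a call so ordinary words in
# translation strings (e.g. "evaluation") do not trigger.
INDICATORS = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "shell_exec": re.compile(r"\bshell_exec\s*\("),
}


def scan_source(text: str):
    """Return [(indicator, line_number), ...] for every hit in a PHP source."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def scan_tree(root, max_age_days: int = 7):
    """Scan *.php under root modified within max_age_days.
    Returns {relative_posix_path: hits} for files with at least one hit."""
    root = Path(root)
    cutoff = time.time() - max_age_days * 86400
    findings = {}
    for path in sorted(root.rglob("*.php")):
        if path.stat().st_mtime < cutoff:
            continue
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed samples: a normal translation file and one with an indicator
# appended after the translations (exactly the case the 1024-byte read misses).
BENIGN_PHP = """<?php
return [
    'accepted' => 'The :attribute must be accepted.',
    'evaluation' => 'Evaluation of :attribute failed.',
];
"""
SUSPECT_PHP = """<?php
return [
    'accepted' => 'The :attribute must be accepted.',
];
// constructed indicator, appended after the real translations
eval(base64_decode($payload));
"""


def build_sample_tree():
    """Create a throwaway vendor/laravel-lang layout holding both samples and
    return its root directory (hypothetical paths, for the demo only)."""
    root = Path(tempfile.mkdtemp(prefix="laravel-lang-scan-"))
    (root / "lang" / "locales" / "en").mkdir(parents=True)
    (root / "lang" / "locales" / "en" / "validation.php").write_text(BENIGN_PHP)
    (root / "common" / "src").mkdir(parents=True)
    (root / "common" / "src" / "helpers.php").write_text(SUSPECT_PHP)
    return root


if __name__ == "__main__":
    # Against a real project: scan_tree("vendor/laravel-lang")
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(rel, hits)
```

A hit is a lead, not a verdict: confirm it by comparing the file against the same path in the maintainers' reset tag before treating the host as compromised.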

Remediation Script (Bash)

#!/bin/bash
# Audit script for Laravel-Lang Git Tag Poisoning
# This script checks if affected packages are present and suggests remediation

echo "[*] Checking for affected Laravel-Lang packages in composer.json..."

if [ ! -f "composer.json" ]; then
    echo "[!] composer.json not found in current directory."
    exit 1
fi

AFFECTED_PACKAGES=("laravel-lang/common" "laravel-lang/lang" "laravel-lang/attributes" "laravel-lang/publisher")
COMPROMISED=false

for pkg in "${AFFECTED_PACKAGES[@]}"; do
    # Quote the name so laravel-lang/lang does not also match longer package names
    if grep -q "\"$pkg\"" composer.json; then
        echo "[!] Found affected package: $pkg"
        COMPROMISED=true
    fi
done

if [ "$COMPROMISED" = true ]; then
    echo ""
    echo "[!!] ACTION REQUIRED: Your application uses packages affected by the Git Tag Poisoning attack."
    echo ""
    echo "[*] Recommended Remediation Steps:"
    echo "1. Remove the vendor directory and composer.lock to ensure a clean slate."
    echo "   rm -rf vendor/ composer.lock"
    echo ""
    echo "2. Update composer.json to explicitly pin to a known safe commit hash or the latest patched version."
    echo "   Example format: \"laravel-lang/lang\": \"dev-master#<commit_hash>\""
    echo ""
    echo "3. Re-install dependencies:"
    echo "   composer install --no-interaction"
    echo ""
    echo "4. Verify the integrity of the installed git tags in vendor/laravel-lang/.git/refs/tags/ (if present)"
else
    echo "[+] No affected packages found in composer.json."
fi

Remediation

  1. Identify Exposure: Audit your application's composer.json to determine whether it requires any of the four affected packages (laravel-lang/common, laravel-lang/lang, laravel-lang/attributes, laravel-lang/publisher).

  2. Force Re-installation (Immediate Mitigation): The maintainers have reset the tags to their correct, safe states. You must force Composer to re-download the correct content:
       rm -rf vendor/ composer.lock
       composer install --prefer-dist --no-interaction

  3. Verification: After re-installation, verify the Git commit hashes for the installed packages. Ensure that the dates and commit messages align with the official project history and not the recent attack window.

  4. Lock Dependencies: To prevent future recurrence of this specific attack vector, update your composer.json to pin the laravel-lang packages to a specific commit hash rather than a floating version tag (e.g., ^5.0). This ensures that even if a tag is moved upstream, your environment will not pull the change without an explicit update.

  5. Scan for Artifacts: Run the provided VQL or search for recently modified .php files within vendor/laravel-lang that contain obfuscated code (keywords: base64_decode, eval).
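Steps 1, 3 and 4 above amount to two checks that are easy to get wrong by eye: does the resolved commit reference in composer.lock match the reference the maintainers' reset tag should point at, and does the composer.json constraint actually pin a commit rather than float on a tag. The following is an added example (not code from the Security Arsenal post or the Laravel-Lang project) that performs both checks. Every commit hash, version number and manifest entry in it is constructed; the KNOWN_GOOD_REFERENCES baseline is a placeholder that must be filled from the official repository history.

```python
"""Added example, not from the Security Arsenal post or the Laravel-Lang
project: audits composer.lock references for the four affected packages
against a known-good baseline, and checks whether composer.json constraints
carry an explicit commit pin. All hashes, versions and manifest data below
are constructed."""
import json
import re

AFFECTED_PACKAGES = {
    "laravel-lang/common",
    "laravel-lang/lang",
    "laravel-lang/attributes",
    "laravel-lang/publisher",
}

# Placeholder baseline (constructed). Fill from the maintainers' reset tags in
# the official repository history, never from the lock file you are auditing.
KNOWN_GOOD_REFERENCES = {
    "laravel-lang/lang": "1111111111111111111111111111111111111111",
    "laravel-lang/common": "2222222222222222222222222222222222222222",
}

# "dev-master#<commit_hash>" as recommended above: constraint ends in #<hex>.
COMMIT_PIN_RE = re.compile(r"#([0-9a-fA-F]{7,40})$")


def is_commit_pinned(constraint: str) -> bool:
    """True if a composer.json constraint carries an explicit commit reference."""
    return bool(COMMIT_PIN_RE.search(constraint.strip()))


def lock_packages(lock: dict):
    """Yield every package entry from both lock sections."""
    for section in ("packages", "packages-dev"):
        yield from lock.get(section, [])


def audit_lock(lock: dict, baseline: dict = KNOWN_GOOD_REFERENCES) -> dict:
    """Map each affected package found in the lock to 'ok' (reference matches
    baseline), 'mismatch' (reference differs) or 'unverified' (no baseline)."""
    results = {}
    for pkg in lock_packages(lock):
        name = pkg.get("name", "")
        if name not in AFFECTED_PACKAGES:
            continue
        source = pkg.get("source") or {}
        dist = pkg.get("dist") or {}
        # Composer records the commit in source.reference; dist-only entries
        # still carry the same hash in dist.reference.
        reference = source.get("reference") or dist.get("reference") or ""
        expected = baseline.get(name)
        if expected is None:
            status = "unverified"
        elif reference.lower() == expected.lower():
            status = "ok"
        else:
            status = "mismatch"
        results[name] = {"version": pkg.get("version"), "reference": reference, "status": status}
    return results


def audit_manifest(manifest: dict) -> dict:
    """For each affected package required by composer.json, True if the
    constraint is commit-pinned, False if it floats on a tag or range."""
    out = {}
    for section in ("require", "require-dev"):
        for name, constraint in manifest.get(section, {}).items():
            if name in AFFECTED_PACKAGES:
                out[name] = is_commit_pinned(constraint)
    return out


# Constructed sample data: one match, one mismatch, one without a baseline.
SAMPLE_LOCK = {
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.3.2",
         "source": {"type": "git", "reference": "1111111111111111111111111111111111111111"}},
        {"name": "laravel-lang/common", "version": "6.4.0",
         "source": {"type": "git", "reference": "ffffffffffffffffffffffffffffffffffffffff"}},
        {"name": "laravel-lang/attributes", "version": "2.9.1",
         "dist": {"type": "zip", "reference": "3333333333333333333333333333333333333333"}},
        {"name": "monolog/monolog", "version": "3.5.0", "source": {"reference": "abc1234"}},
    ],
    "packages-dev": [],
}
SAMPLE_MANIFEST = {
    "require": {
        "laravel-lang/lang": "dev-master#1111111111111111111111111111111111111111",
        "laravel-lang/common": "^6.0",
    },
}

if __name__ == "__main__":
    # Against a real project: replace the samples with
    # json.load(open("composer.lock")) and json.load(open("composer.json")).
    print(json.dumps(audit_lock(SAMPLE_LOCK), indent=2))
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Treat "unverified" as a to-do, not a pass: a package present in the lock with no baseline entry has not been checked at all. The "mismatch" result is the one that should block a deployment until the reference is explained.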

Official Advisory: Refer to the Laravel-Lang GitHub repository for the latest security announcements and commit history.
