Laravel-Lang Supply Chain Attack: Detecting and Remediating Malicious Credential Stealer Packages

Security Arsenal Team
May 23, 2026

Introduction

The open-source ecosystem faced a severe supply chain compromise with the revelation that popular laravel-lang PHP packages were hijacked to distribute a cross-platform credential stealer. Because these packages are a fundamental dependency for Laravel localization used by thousands of developers, the breach allows attackers to exfiltrate environment variables (.env files), SSH keys, and browser credentials simply by executing a standard composer update.

For defenders, this is not merely a vulnerability to patch; it is an active intrusion scenario. If your build pipelines or development environments pulled these specific versions between the compromise window and remediation, assume that secrets have been harvested. Immediate containment, credential rotation, and forensic analysis of build artifacts are mandatory.

Technical Analysis

Affected Products & Versions: The compromise specifically targeted the following packages via the Packagist repository:

  • laravel-lang/common: Versions 5.0.0 (Malicious) / 5.0.1 (Clean)
  • laravel-lang/lang: Versions 13.0.0 (Malicious) / 13.0.1 (Clean)
  • laravel-lang/publisher: Versions 14.0.0 (Malicious) / 14.0.1 (Clean)

Attack Chain & Exploitation:

  1. Initial Compromise: Attackers gained unauthorized access to the maintainer's account or Git tokens, allowing them to push new tagged versions to the repository.
  2. Payload Injection: The malicious versions included a modified composer.json containing a malicious post-update-cmd script, or obfuscated PHP code within the library files.
  3. Execution: Upon running composer update or composer install, the malicious script triggered. It decoded a Base64 payload and dropped a cross-platform binary (identified in analysis as a Go-based infostealer) tailored for the host OS (Linux, Windows, macOS).
  4. Exfiltration: The binary scanned the filesystem for high-value targets:
    • Application .env files (database credentials, API keys).
    • ~/.ssh/ directories (private keys).
    • Browser credential stores (Chrome/Firefox cookies and passwords).
    • Data was exfiltrated to a hardcoded Command & Control (C2) server via HTTPS.

Exploitation Status: Confirmed active exploitation in the wild. The malicious packages were available for download for approximately 48 hours before being removed. CISA has not yet added this to KEV, but it is expected given the severity.

Detection & Response

The following detection mechanisms focus on identifying the execution of the malicious composer scripts and the subsequent behavior of the credential stealer.

Sigma Rules

```yaml
---
title: Suspicious Process Spawn from Composer Post-Install Script
id: 8a4b2c1d-9e3f-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects PHP or Composer spawning an unsigned or unexpected binary process, indicative of the Laravel-Lang supply chain attack executing a payload.
references:
  - https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.execution
  - attack.t1204
  - attack.supply_chain
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\php.exe'
      - '\composer.phar'
      - '\composer.bat'
  selection_child:
    Image|endswith:
      - '.exe'
      - '.dll'
  # Sigma has no "notcontains" modifier: expected child locations go in a filter that the condition negates
  filter_expected:
    Image|contains:
      - '\vendor\bin\'
      - 'C:\Program Files\'
      - 'C:\PHP\'
  condition: selection_parent and selection_child and not filter_expected
falsepositives:
  - Legitimate composer scripts executing project binaries (rare)
level: high
---
title: Linux Composer Spawning Shell or Network Tools
id: 9b5c3d2e-0f4a-5b6c-9d7e-2f3a4b5c6d7e
status: experimental
description: Detects Composer or PHP on Linux spawning a shell (bash/sh) or making direct network connections, often associated with malicious post-update scripts in supply chain attacks.
references:
  - https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/php'
      - '/composer.phar'
  selection_child:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/curl'
      - '/wget'
      - '/nc'
  condition: selection_parent and selection_child
falsepositives:
  - Developer manually running shell commands via composer scripts (verify with user)
level: high
---
title: Unauthorized Access to .env Files
id: 0c6d4e3f-1g5b-6c7d-0e8f-3g4h5i6j7k8l
status: experimental
description: Detects processes other than the web server or CLI tools reading Laravel .env files, a behavior consistent with the credential stealer payload.
references:
  - https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains: '.env'
  filter_expected:
    Image|contains:
      - 'apache'
      - 'nginx'
      - 'php-cgi'
      - 'php-fpm'
      - 'artisan'
  condition: selection and not filter_expected
falsepositives:
  - Developers or IDEs opening configuration files
level: medium
```


**KQL (Microsoft Sentinel / Defender)**

```kql
// Hunt for suspicious process lineage related to Composer
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("php", "composer")
| where FileName !in~ ("conhost.exe", "cmd.exe", "powershell.exe", "bash", "sh")
| where ProcessCommandLine !contains "vendor/bin"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
```

```kql
// Hunt for network connections from PHP/Composer processes (unusual)
// The stealer exfiltrates over HTTPS, so do not drop port 443; exclude the known dependency hosts instead
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("php.exe", "php", "composer.phar")
| where RemoteUrl !has_any ("packagist.org", "github.com")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
```
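The parent/child logic shared by the Sigma rules and the first KQL query, run over constructed process-creation events so it can be tested offline. This is an added example, not tooling from the article; the event shape (ParentImage/Image), the unified Windows-plus-Linux rule, and the dropped-binary path are assumptions.

```python
import ntpath
import posixpath
from typing import Dict, List

# Parent images the advisory's Sigma/KQL rules treat as Composer lineage.
COMPOSER_PARENTS = {"php", "php.exe", "composer", "composer.phar", "composer.bat"}
# Children a Composer run is expected to spawn: project binaries and the PHP installation itself.
EXPECTED_CHILD_PATHS = ("vendor/bin/", "vendor\\bin\\", "c:\\program files\\", "c:\\php\\")
# Shells and network tools that a post-update hook has no business launching (Linux rule).
SHELL_AND_NET_TOOLS = {"bash", "sh", "curl", "wget", "nc"}

def basename(path: str) -> str:
    """Pick the separator from the path itself so Windows events parse on a Linux hunt box."""
    return (ntpath.basename(path) if "\\" in path else posixpath.basename(path)).lower()

def is_suspicious_spawn(event: Dict[str, str]) -> bool:
    """Parent is php/composer AND child is a shell/net tool or lives outside the expected paths."""
    if basename(event["ParentImage"]) not in COMPOSER_PARENTS:
        return False
    image = event["Image"]
    if basename(image) in SHELL_AND_NET_TOOLS:
        return True
    return not any(p in image.lower() for p in EXPECTED_CHILD_PATHS)

def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return the child images worth triage, in event order."""
    return [e["Image"] for e in events if is_suspicious_spawn(e)]

# Constructed process-creation events (not real telemetry); the dropped-binary path is hypothetical.
SAMPLE_EVENTS = [
    {"ParentImage": "/usr/bin/php", "Image": "/tmp/.ll-cache/updater"},
    {"ParentImage": "C:\\PHP\\php.exe", "Image": "C:\\app\\vendor\\bin\\phpunit.bat"},
    {"ParentImage": "/usr/bin/php", "Image": "/usr/bin/curl"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Users\\dev\\tool.exe"},
    {"ParentImage": "/usr/local/bin/composer", "Image": "/app/vendor/bin/phpstan"},
]

if __name__ == "__main__":
    for image in hunt(SAMPLE_EVENTS):
        print("suspicious:", image)
```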


**Velociraptor VQL**

```vql
-- Hunt for the presence of the malicious laravel-lang versions in composer.lock.
-- composer.lock writes "name" and "version" on separate lines, so the pattern must
-- cross a newline ((?s)); the tag may be stored with or without a leading "v".
SELECT FullPath, Mtime
FROM glob(globs='/**/composer.lock')
WHERE read_file(filename=FullPath) =~ '(?s)"laravel-lang/common",.{0,40}"version": "v?5[.]0[.]0"'
   OR read_file(filename=FullPath) =~ '(?s)"laravel-lang/lang",.{0,40}"version": "v?13[.]0[.]0"'
   OR read_file(filename=FullPath) =~ '(?s)"laravel-lang/publisher",.{0,40}"version": "v?14[.]0[.]0"'
```

```vql
-- Hunt for processes spawned by PHP or Composer that are not typical web-server children.
-- First collect the PIDs of php/composer processes, then list their children and drop
-- the expected ones (web-server workers and project binaries under vendor/bin).
LET composer_parents <= SELECT Pid FROM pslist()
  WHERE Name =~ '^php' OR Name =~ 'composer' OR CommandLine =~ 'composer'

SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Ppid IN composer_parents.Pid
  AND NOT Name IN ('nginx', 'apache2', 'httpd', 'php-fpm')
  AND NOT Exe =~ '/vendor/bin/'
```


**Remediation Script (Bash)**

```bash
#!/bin/bash

# Remediation Script for Laravel-Lang Supply Chain Compromise
# Author: Security Arsenal
# Description: Scans composer.lock for malicious versions and forces update to clean versions.

set -u

# package:version as listed in the advisory. composer.lock may store the tag with or
# without a leading "v", so the version is matched as a regex below.
MALICIOUS_VERSIONS=(
    "laravel-lang/common:5.0.0"
    "laravel-lang/lang:13.0.0"
    "laravel-lang/publisher:14.0.0"
)

FOUND_FLAG=0

# composer.lock keeps "name" and "version" on separate lines, so a plain grep for
# "package:version" never matches; look for the version in the lines after the name.
scan_lock() {
    local pkg name ver esc
    FOUND_FLAG=0
    for pkg in "${MALICIOUS_VERSIONS[@]}"; do
        name="${pkg%%:*}"
        ver="${pkg#*:}"
        esc=${ver//./\\.}
        if grep -A 2 -F "\"name\": \"${name}\"" composer.lock | grep -qE "\"version\": \"v?${esc}\""; then
            echo "[!!!] MALICIOUS PACKAGE DETECTED: ${name} ${ver}"
            FOUND_FLAG=1
        fi
    done
}

if [ ! -f "composer.lock" ]; then
    echo "[!] composer.lock not found in current directory."
    exit 1
fi

echo "[*] Scanning composer.lock for known malicious package versions..."
scan_lock

if [ "$FOUND_FLAG" -eq 1 ]; then
    echo "[+] Malicious packages found. Initiating remediation..."

    # Backup current state
    cp composer.json composer.json.bak
    cp composer.lock composer.lock.bak

    echo "[*] Removing malicious packages..."
    composer remove laravel-lang/common laravel-lang/lang laravel-lang/publisher --no-interaction

    echo "[*] Installing clean versions..."
    composer require laravel-lang/common:5.0.1 laravel-lang/lang:13.0.1 laravel-lang/publisher:14.0.1 --no-interaction \
        || { echo "[!] composer require failed; restore from the .bak files and retry."; exit 1; }

    echo "[*] Verifying clean installation..."
    scan_lock
    if [ "$FOUND_FLAG" -eq 1 ]; then
        echo "[!] Malicious versions still present after update; check the version constraints in composer.json."
        exit 1
    fi

    echo "[!!!] CRITICAL: ROTATE ALL CREDENTIALS IN .env FILE IMMEDIATELY!"
    echo "[+] Remediation complete."
else
    echo "[+] No malicious package versions found in composer.lock."
fi
```
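A structured alternative to the line-oriented lock scan above, added here as an example rather than the article's own tooling: it parses composer.lock as JSON, normalises the optional "v" tag prefix, and also lists the two places a dependency can get code run without the root project calling it (Composer plugins and Laravel auto-discovered providers), which is the "Payload Injection" surface from the attack chain. The sample lock document and the provider class name are constructed.

```python
import json
from typing import Dict, List

# Malicious versions named in the advisory; the clean releases are the next patch level.
MALICIOUS = {
    "laravel-lang/common": "5.0.0",
    "laravel-lang/lang": "13.0.0",
    "laravel-lang/publisher": "14.0.0",
}

def normalize(version: str) -> str:
    """composer.lock stores the tag as published ('v5.0.0' or '5.0.0'); compare without the prefix."""
    return version[1:] if version[:1] in ("v", "V") else version

def scan_lock(lock_text: str) -> Dict[str, List[str]]:
    """Return malicious pins and install-time/boot-time hooks found in a composer.lock document."""
    lock = json.loads(lock_text)
    findings: Dict[str, List[str]] = {"malicious": [], "hooks": []}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg.get("name", ""), normalize(pkg.get("version", ""))
            if MALICIOUS.get(name) == version:
                findings["malicious"].append(f"{name}@{version}")
            # A composer-plugin hooks Composer's own install/update lifecycle; a provider listed
            # under extra.laravel.providers is auto-discovered by "artisan package:discover"
            # (run from the root post-autoload-dump hook) and booted by the application.
            if pkg.get("type") == "composer-plugin":
                findings["hooks"].append(f"{name}: composer-plugin")
            for provider in pkg.get("extra", {}).get("laravel", {}).get("providers", []):
                findings["hooks"].append(f"{name}: provider {provider}")
    return findings

# Constructed composer.lock fragment (not a real lock file): one malicious pin, two clean pins,
# a hypothetical provider name, and a hypothetical dev-only plugin to show the hook audit.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/common", "version": "v5.0.0", "type": "library"},
        {"name": "laravel-lang/lang", "version": "13.0.1", "type": "library"},
        {"name": "laravel-lang/publisher", "version": "v14.0.1", "type": "library",
         "extra": {"laravel": {"providers": ["Example\\Hypothetical\\ServiceProvider"]}}},
    ],
    "packages-dev": [
        {"name": "example/dev-plugin", "version": "1.2.3", "type": "composer-plugin"},
    ],
})

if __name__ == "__main__":
    for kind, items in scan_lock(SAMPLE_LOCK).items():
        print(kind, items)
```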

Remediation

**1. Immediate Patching**

Update the affected packages to the latest patched versions immediately using Composer:

```bash
composer update laravel-lang/common laravel-lang/lang laravel-lang/publisher
```

Ensure the installed versions satisfy:
*   `laravel-lang/common` > **5.0.0**
*   `laravel-lang/lang` > **13.0.0**
*   `laravel-lang/publisher` > **14.0.0**

**2. Credential Rotation**
Assume breach. The cross-platform stealer specifically targets `.env` files and SSH keys. You must rotate:
*   All database passwords.
*   API keys (AWS, Azure, Stripe, etc.).
*   Application secrets (APP_KEY).
*   SSH keys used for deployment or access to the infrastructure.
*   Third-party service credentials found in environment configuration.

**3. Audit CI/CD Pipelines**

Check your build artifacts and container images. If a pipeline pulled the malicious version during the compromise window, the resulting artifacts are poisoned. You must rebuild all applications from scratch using the clean dependencies.

**4. Developer Workstation Hygiene**

The malware persists on the host machine. Run a full endpoint scan (EDR) on developer workstations and build servers that executed composer update during the affected timeframe to remove the dropped credential stealer binary.
