
Laravel Lang Supply Chain Attack: Detecting Malicious Composer Packages and Credential Theft

Security Arsenal Team
May 23, 2026

A critical supply chain attack has unfolded within the Laravel ecosystem, specifically targeting the widely used laravel-lang localization packages. Attackers successfully abused GitHub version tags to distribute malicious code through Composer, the standard PHP dependency manager. This campaign is not merely a nuisance; it is an active, sophisticated operation designed to steal developer credentials, API keys, and potentially deploy secondary payloads.

Defenders must act immediately. This attack bypasses traditional perimeter defenses by compromising a trusted upstream dependency. If your organization utilizes Laravel and runs composer update or composer install without strict verification, your environment may be currently compromised.

Technical Analysis

  • Affected Products: laravel-lang/common, laravel-lang/publisher, laravel-lang/status, and potentially related localization packages.
  • Affected Platforms: Any Linux, Windows, or macOS environment running PHP and utilizing Composer to manage dependencies.
  • Attack Vector: Dependency Confusion / Account Hijacking. Attackers compromised the official GitHub repositories or release workflows and pushed new version tags (e.g., v5.0.0) containing malicious code.
  • Mechanism: The malicious packages include modified composer.json scripts (specifically post-install-cmd or post-autoload-dump) that trigger upon package installation. This script executes obfuscated PHP code, often utilizing base64_decode and eval, to fetch a second-stage payload from a remote Command & Control (C2) server.
  • Payload & Impact: The primary objective is credential theft. The malware scans for environment files (.env), Git configuration (.git/config), and other secrets, exfiltrating them to the attacker's server. In some variants, the malware establishes persistence, allowing for further lateral movement or ransomware deployment.
  • Exploitation Status: Confirmed active exploitation. Malicious packages were available in the public Composer repository for a limited window before being identified.

Detection & Response

SIGMA Rules

---
title: Laravel Lang Malicious Composer Package Execution
id: 7c8f0b2e-1d3a-4e5b-9a6c-7d8e9f0a1b2c
status: experimental
description: Detects potential execution of malicious code injected via compromised Laravel Lang packages. Attackers use composer scripts to execute obfuscated PHP code.
references:
  - https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/
author: Security Arsenal
date: 2025/01/27
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/composer'
    Image|endswith: '/php'
    CommandLine|contains:
      - 'eval'
      - 'base64_decode'
  condition: selection
falsepositives:
  - Legitimate dependency build scripts using eval (rare)
level: high
---
title: Laravel Lang Vendor Directory File Creation
id: 8d9e1c3f-2e4b-5f6c-0b7d-8e9f0a1b2c3d
status: experimental
description: Detects creation of executables or scripts within the laravel-lang vendor directory, a common TTP in this supply chain attack.
references:
  - https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/
author: Security Arsenal
date: 2025/01/27
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetFilename|contains: '/vendor/laravel-lang/'
    TargetFilename|endswith:
      - '.php'
      - '.sh'
  condition: selection
falsepositives:
  - Legitimate package updates by developers
level: medium

KQL (Microsoft Sentinel)

// Composer-spawned PHP processes whose command line carries an eval/base64 loader
DeviceProcessEvents
| where InitiatingProcessFileName =~ "composer.phar" or InitiatingProcessFileName =~ "composer"
| where ProcessVersionInfoOriginalFileName =~ "php.exe" or FileName =~ "php"
| where ProcessCommandLine has "eval" or ProcessCommandLine has "base64"
| extend AccountName = InitiatingProcessAccountName
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FileName

Velociraptor VQL

-- Hunt for recent file modifications in Laravel Lang vendor directories.
-- Adjust the web root to your deployment; now() returns epoch seconds,
-- so subtract 86400 to look back 24 hours.
SELECT OSPath, Size, Mtime, Mode
FROM glob(globs='/var/www/**/vendor/laravel-lang/**/*.php')
WHERE Mtime > timestamp(epoch=now() - 86400)

Remediation Script (Bash)

#!/bin/bash
# Remediation script for Laravel Lang Supply Chain Attack
# Check composer.lock for affected packages (run from the project root)
set -u

if [ ! -f composer.lock ]; then
    echo "[!] composer.lock not found; run this script from the project root." >&2
    exit 1
fi

echo "[*] Checking for known malicious Laravel Lang package versions..."

# List locked versions of laravel-lang packages (grep exits non-zero when none are present)
composer show --locked | grep "laravel-lang" || echo "[*] No laravel-lang packages found in composer.lock"

echo "[*] Action Required:"
echo "1. If versions include v5.0.0 or other suspicious recent tags (refer to vendor advisory):"
echo "   - Run 'composer remove laravel-lang/common laravel-lang/publisher laravel-lang/status'"
echo "   - Run 'composer require laravel-lang/common laravel-lang/publisher laravel-lang/status'"
echo "2. Rotate all application credentials (API keys, DB passwords, secrets)."
echo "3. Rotate GitHub/Composer tokens if stored in .env."

Remediation

  1. Immediate Inventory: Identify all systems running Laravel applications and check the composer.lock file for any laravel-lang/* packages.
  2. Package Removal: If you have installed versions released during the compromise window (specifically tags abused by attackers, such as v5.0.0), immediately remove the compromised packages and revert to a known safe commit hash or the latest patched release.
    • Command: composer remove laravel-lang/common laravel-lang/publisher laravel-lang/status
    • Command: composer require laravel-lang/common laravel-lang/publisher laravel-lang/status (to pull the clean version).
  3. Credential Rotation: Assume compromise. Rotate all secrets found in .env files, database credentials, AWS/GCP/Azure access keys, and any OAuth tokens stored in the repository.
  4. Audit Composer Scripts: Review composer.json in your project root and all dependencies for suspicious post-install-cmd, post-update-cmd, or post-autoload-dump scripts.
  5. Lock Down Dependencies: Implement composer.lock file checking in your CI/CD pipeline. Ensure the hash of the lock file matches the committed version to prevent silent supply chain injections during builds.
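The following audit script is an added example (not part of the advisory or of any laravel-lang tooling) covering the mechanism described under Technical Analysis and the "Audit Composer Scripts" step above: it flags laravel-lang/* entries in composer.lock pinned to the abused tag the advisory names, and scans a composer.json for risky install hooks carrying eval/base64_decode loaders. It assumes the abused tag set is just v5.0.0 and that you extend it from the vendor advisory; it also flags vendor packages of type composer-plugin, since Composer only runs the root package's scripts and a dependency can otherwise execute install-time code only as a plugin.

```python
"""Audit composer.lock and composer.json script hooks for the laravel-lang compromise."""
import json
import re

# Hooks the advisory names as the trigger point for the injected loader.
RISKY_HOOKS = {"post-install-cmd", "post-update-cmd", "post-autoload-dump"}
# Markers of obfuscated loaders; pattern constructed for this example.
SUSPICIOUS = re.compile(r"\beval\s*\(|base64_decode|gzinflate|str_rot13", re.I)
# Tag the advisory cites as abused (assumption: extend this set from the vendor advisory).
ABUSED_TAGS = {"5.0.0"}


def flag_locked_packages(lock_text: str) -> list[tuple[str, str]]:
    """Return (name, version) for laravel-lang/* lock entries pinned to an abused tag."""
    lock = json.loads(lock_text)
    hits = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg.get("name", ""), pkg.get("version", "")
        if name.startswith("laravel-lang/") and version.lstrip("v") in ABUSED_TAGS:
            hits.append((name, version))
    return hits


def flag_script_hooks(manifest_text: str, is_root: bool) -> list[str]:
    """Return findings for one composer.json (root project or vendor package)."""
    data = json.loads(manifest_text)
    findings = []
    for hook, cmds in data.get("scripts", {}).items():
        for cmd in [cmds] if isinstance(cmds, str) else cmds:
            if hook in RISKY_HOOKS and SUSPICIOUS.search(cmd):
                findings.append(f"{hook}: {cmd}")
    # Composer executes only the root package's scripts; a dependency can run
    # code at install time only as a composer-plugin, so surface that as well.
    if not is_root and data.get("type") == "composer-plugin":
        findings.append(f"composer-plugin: {data.get('name', '?')}")
    return findings


# Constructed sample inputs (not real artefacts): a lock file pinning the abused
# tag and a vendor manifest carrying an obfuscated post-autoload-dump hook.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/common", "version": "v5.0.0"},
    {"name": "laravel/framework", "version": "v11.0.0"}]})
SAMPLE_VENDOR_MANIFEST = json.dumps({
    "name": "laravel-lang/common", "type": "library",
    "scripts": {"post-autoload-dump": ["php -r \"eval(base64_decode('PLACEHOLDER'));\""]}})

if __name__ == "__main__":
    print(flag_locked_packages(SAMPLE_LOCK))
    print(flag_script_hooks(SAMPLE_VENDOR_MANIFEST, is_root=False))
```

In a real project, run flag_script_hooks over the root composer.json with is_root=True and over every vendor/*/*/composer.json with is_root=False.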
