Hijacked Laravel Lang tags silently ship credential stealer

Hijacked GitHub – Attackers rewrote GitHub version tags across Laravel Lang localization repositories, causing Composer installs to pull a malicious dropper that steals cloud and developer secrets. Security firms say 233 or up to roughly 700 historical versions were affected, a
For a community of Laravel developers, the most unsettling part didn’t arrive as obvious malware or broken builds. It arrived as “legitimate” release tags.
On Friday, security firms StepSecurity, Aikido Security, and Socket warned that the Laravel Lang localization packages had become a supply-chain target. Attackers didn’t simply publish a brand-new malicious version and hope no one noticed. Instead, they abused GitHub version tags so that existing-looking releases would resolve to malicious commits.
The compromised packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions. The Laravel Lang packages are third-party localization packages and are not part of the official Laravel project.
Aikido said attackers compromised 233 versions across three repositories, while Socket said roughly 700 historical versions may have been impacted.
What makes this campaign stand out is how quiet it was. StepSecurity explained that the project’s source code wasn’t modified to include malicious content in the obvious way. The attackers rewrote tags so they pointed to commits in forks of the same repository.
“Rather than publishing a new malicious version, the attacker rewrote every existing git tag in each repository to point at a new malicious commit,” StepSecurity said.
The rewrites began at 22:32 UTC against laravel-lang/lang, described as the flagship Laravel translations package with 502 tags, and finished by 00:00 UTC against laravel-lang/actions. StepSecurity also said all four repositories shared the same fake author identity, the same modified files, and the same payload behavior—an arrangement that points to one actor using one compromised credential with org-wide push access.
From the outside, the releases looked normal. GitHub’s tags allowed the attacker to publish what appeared to be legitimate release markers for the project, but those tags led to malicious commits stored in an attacker-controlled fork. When developers installed the package via Composer, Composer downloaded the malicious code while the install appeared to be pulling the real Laravel Lang releases.
The malware that landed on developers’ systems wasn’t just a nuisance dropper. Researchers found that the malicious releases introduced a file named ‘src/helpers.php’, which was automatically loaded by Composer.
That helpers.php payload acted as a dropper. It then downloaded a second payload from the attackers’ command-and-control server at flipboxstudio[.]info.
The next PHP payload—identified by researchers through VirusTotal—was a large cross-platform credential stealer targeting Linux, macOS, and Windows. It harvests cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local `.env` configuration files.
Researchers also found regular expression patterns used to extract AWS keys, GitHub tokens, Slack tokens, Stripe secrets, database credentials, JWTs, SSH private keys, and cryptocurrency recovery phrases from files and environment variables.
On Windows systems, the payload took an extra step. It extracted a base64-encoded executable embedded within the file, wrote it to the %TEMP% folder with a random .exe filename, and launched it.
BleepingComputer’s analysis of the Windows infostealer says the executable is named ‘DebugElevator’. It targeted Chrome, Brave, and Edge to extract App-Bound Encryption keys needed to decrypt stored browser credentials.
The investigation also pointed to a possible AI-assisted touch during development. An embedded PDB path referenced the Windows account name ‘Mero’ and contained ‘claude,’ showing:
C:\Users\Mero\OneDrive\Desktop\stuff\claude\Chromium-DebugElevator\x64\Release\DebugChromium.pdb
Once the malware extracted sensitive data, researchers say it encrypted what it found and sent it back to the C2 server.
After the issue came to light, Aikido said it reported the incident to Packagist. Packagist responded quickly by removing the malicious versions and temporarily unlisting the affected packages to prevent additional installations.
For developers who installed Laravel Lang packages during the affected window, the advice is blunt. Review installed package versions, rotate exposed credentials, inspect systems for indicators of compromise, and—if possible—check for historical outbound connections to flipboxstudio[.]info.
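A concrete way to carry out the first two review steps, written for this article as an added example (it is not code from the researchers or from Laravel Lang): composer.lock records the exact git commit each tagged version resolved to, so a tag whose recorded reference differs from a pre-incident lock file has been rewritten, and Composer's `autoload.files` entries run on every request, which is the mechanism that let a newly added src/helpers.php execute automatically. The lock fragment, commit hashes and known-good mapping below are constructed sample data, not real indicators.

```python
"""Offline triage of a Composer project for the Laravel Lang tag rewrite.

Check 1: compare each laravel-lang/* entry's source.reference against the
         commit a known-good (pre-incident) lock file recorded for that version.
Check 2: flag any autoload.files entry, since Composer executes those files
         on every request, which is how the dropped src/helpers.php ran.
"""
import json
from typing import Dict, List, Tuple

AFFECTED_VENDOR = "laravel-lang/"

# Constructed sample composer.lock fragment; hashes are placeholders, not real IoCs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.5.0",
         "source": {"type": "git", "reference": "aaaa0000deadbeef"},
         "autoload": {"files": ["src/helpers.php"], "psr-4": {"LaravelLang\\": "src/"}}},
        {"name": "laravel-lang/attributes", "version": "2.11.0",
         "source": {"type": "git", "reference": "bbbb1111cafef00d"},
         "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"}}},
        {"name": "monolog/monolog", "version": "3.5.0",
         "source": {"type": "git", "reference": "cccc2222feedface"},
         "autoload": {"psr-4": {"Monolog\\": "src/"}}},
    ]
})

# Constructed known-good mapping (package, version) -> commit, e.g. read from a
# composer.lock committed before the incident window.
KNOWN_GOOD: Dict[Tuple[str, str], str] = {
    ("laravel-lang/lang", "15.5.0"): "0123456789abcdef",
    ("laravel-lang/attributes", "2.11.0"): "bbbb1111cafef00d",
}

def affected_packages(lock_text: str) -> List[dict]:
    """Return lock entries (dev and non-dev) for laravel-lang/* packages."""
    lock = json.loads(lock_text)
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    return [p for p in pkgs if p.get("name", "").startswith(AFFECTED_VENDOR)]

def triage(lock_text: str, known_good: Dict[Tuple[str, str], str]) -> Dict[str, List[str]]:
    """Map each laravel-lang package name to its findings (empty list = clean)."""
    findings: Dict[str, List[str]] = {}
    for pkg in affected_packages(lock_text):
        name, version = pkg["name"], pkg["version"]
        issues: List[str] = []
        ref = pkg.get("source", {}).get("reference")
        expected = known_good.get((name, version))
        if expected and ref != expected:  # tag now resolves to a different commit
            issues.append(f"tag {version} resolves to {ref}, expected {expected}")
        for f in pkg.get("autoload", {}).get("files", []):  # runs on every request
            issues.append(f"autoload.files executes {f} on every request")
        findings[name] = issues
    return findings
```

Run it against a real project by passing the contents of its composer.lock and a mapping built from a lock file you trust; any non-empty finding warrants the credential rotation and outbound-connection review described above.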
So they just changed tags and that makes Composer steal stuff? That seems wild, I thought tags were basically harmless.
Every time I hear “supply chain” it’s like… okay so who thought it was a good idea to trust random GitHub tags from strangers. I guess update everything and pray? Also 700 versions??
Wait, wasn’t Laravel hacked like last year already? Sounds like they used the “release” button or something to sneak malware in, but it’s confusing cuz it says composer installs pull a dropper. Dropper like a gun? lol
This is why I don’t even use localization packages, I just hardcode everything in English. If they rewrote tags, then how does GitHub even detect that? “legitimate release tags” is the part that freaks me out, like it looks normal until it doesn’t. Also all same fake author identity… makes me think GitHub let it sit there too long.