
Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer

A significant supply chain compromise of the Laravel-Lang PHP localization packages resulted in over 700 version tags being poisoned with credential-stealing malware over a two-day period from May 22-23, 2026. The attackers, having gained control of the maintainer account, backdated malicious tags to infect developers who pinned specific versions rather than pulling the latest. The injected malware harvested environment variables, database credentials, and cloud service tokens from compromised development and CI/CD environments. The attack's scope — spanning hundreds of version tags — made it particularly difficult for downstream consumers to identify which versions were safe. This incident underscores the critical importance of lockfile integrity verification and the insufficiency of version pinning as a sole supply chain defense when the upstream source itself is compromised.
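A lockfile check for the failure mode described above, where a pinned version string stays the same but the commit behind its tag changes. This is an added example, not code from the original page or from the Laravel-Lang project; it assumes a `composer.lock` that was reviewed and stored before the incident serves as the trusted baseline, and all package names, versions and commit ids in it are constructed placeholders.

```python
import json

def _lock(entries):
    # Build a minimal composer.lock document from (name, version, commit) tuples.
    return json.dumps({"packages": [
        {"name": n, "version": v,
         "source": {"type": "git", "reference": c},
         "dist": {"type": "zip", "reference": c, "shasum": ""}}
        for n, v, c in entries], "packages-dev": []})

# Constructed sample data: package names, versions and commit ids are placeholders.
BASELINE_LOCK = _lock([("laravel-lang/example-a", "1.2.3", "a" * 40),
                       ("laravel-lang/example-b", "4.5.6", "b" * 40),
                       ("other-vendor/example-c", "2.0.0", "c" * 40)])
CURRENT_LOCK = _lock([("laravel-lang/example-a", "1.2.3", "f" * 40),   # same tag, new commit
                      ("laravel-lang/example-b", "4.5.7", "d" * 40),   # ordinary upgrade
                      ("other-vendor/example-c", "2.0.0", "c" * 40)])  # unchanged

def pinned_refs(lock_text):
    """Map (name, version) -> (source commit, dist reference, dist shasum)."""
    lock = json.loads(lock_text)
    refs = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            src, dist = pkg.get("source") or {}, pkg.get("dist") or {}
            refs[(pkg["name"], pkg["version"])] = (
                src.get("reference"), dist.get("reference"), dist.get("shasum"))
    return refs

def find_repointed(baseline_text, current_text, vendor_prefix=""):
    """List packages whose version string is unchanged but whose pinned commit differs."""
    base, cur = pinned_refs(baseline_text), pinned_refs(current_text)
    findings = []
    for (name, version), ref in sorted(cur.items()):
        if not name.startswith(vendor_prefix):
            continue
        trusted = base.get((name, version))
        if trusted is not None and trusted != ref:
            findings.append({"package": name, "version": version,
                             "trusted_commit": trusted[0], "observed_commit": ref[0]})
    return findings

if __name__ == "__main__":
    for f in find_repointed(BASELINE_LOCK, CURRENT_LOCK, "laravel-lang/"):
        print("REPOINTED TAG: {package} {version} {trusted_commit} -> {observed_commit}".format(**f))
```

Versions that do not appear in the baseline, such as the upgrade in the sample data, are not flagged here and need their own review before the new lockfile becomes the baseline.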


