An attacker obtained push access to the Laravel-Lang GitHub organisation and, in a window of under 90 minutes on 22–23 May 2026, rewrote git tags across multiple popular PHP Composer packages to point at malicious commits in attacker-controlled forks. The poisoned packages — laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions — are localisation libraries used across a significant portion of PHP-based enterprise web applications. More than 230 package versions were compromised, with researchers estimating up to 700 historical versions affected based on how Packagist resolves GitHub tags.
The Mechanism
The attacker exploited a gap between how GitHub handles tag ownership and how Packagist (PHP’s primary package registry) resolves version references. When a Composer package is installed, Packagist fetches the corresponding git tag from GitHub — but it does not cryptographically verify that the tag points to a commit in the canonical repository. By rewriting tags to reference commits in an attacker-controlled fork, the malicious payload was silently substituted for legitimate code in any build that fetched an affected version during the attack window.
The injected file, src/helpers.php, functioned as a dropper. On inclusion — which happens automatically via Composer’s autoloader — it contacted flipboxstudio[.]info to retrieve the main payload: a roughly 5,900-line PHP credential-stealer organised into fifteen specialised collection modules, which encrypts harvested data with AES-256 before exfiltration.
Credential Targeting at CI/CD Scale
The payload is notable for its breadth and its specific targeting of cloud and pipeline credentials. Harvested secrets include AWS access keys, secret keys, and session tokens; GCP application default credentials; Azure access tokens; Kubernetes secrets; HashiCorp Vault tokens; CI/CD pipeline environment variables (including GitHub Actions, GitLab CI, and CircleCI tokens); SSH private keys; and Git credential stores. The stealer also harvested saved passwords from seventeen Chromium-based browsers and targeted cryptocurrency wallet seed phrases.
The focus on CI/CD secrets is operationally significant. Build pipelines commonly hold credentials with broad permissions — often production deployment rights, cloud account access, and repository write access — and they load .env files that aggregate secrets from across an application stack. Running composer install inside a CI job is therefore a far higher-value target than the same command on a developer's personal workstation.
What This Means for Affected Sectors
Any organisation running PHP-based applications — prevalent across financial services, insurance, e-commerce, and public sector web infrastructure — should assess exposure. The attack occurred during a period when automated dependency update tools (Dependabot, Renovate) may have silently pulled affected versions without human review. Organisations whose CI pipelines use composer install against affected packages during the 22–23 May window should treat their cloud credentials as potentially compromised.
The broader implication is a pattern: attackers are increasingly targeting package registries and their upstream supply chains as a route to cloud credentials at scale, bypassing the hardened perimeters of cloud providers themselves. This campaign follows similar attacks against npm, PyPI, and RubyGems over the past eighteen months, confirming that Composer and the PHP ecosystem are not exempt.
Recommended Actions
Organisations should immediately query their dependency lock files (composer.lock) and build logs for references to the affected packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions). Any build that resolved these packages on 22–23 May 2026 should be treated as compromised.
Credential rotation is the priority response: all AWS, GCP, and Azure credentials present in the build environment should be rotated regardless of whether exfiltration is confirmed. CI/CD pipeline tokens, SSH keys, and database credentials accessible via .env files in the build context should be included in the rotation scope.
Organisations should block outbound connections to flipboxstudio[.]info and inspect egress logs for historical connections to that domain. Packagist has removed the affected versions and temporarily unlisted the packages; rebuilds using current package versions should be clean, but build caches and container image layers from the attack window may retain malicious code.
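A defender-side triage script for the lock-file and egress-log checks above, added here as an example and not part of the advisory. It assumes the four packages are canonically hosted under the laravel-lang GitHub organisation, and the sample lock entries and log lines are constructed placeholders (the versions, commit references and timestamps are not values from the advisory).

```python
"""Audit a composer.lock for the packages named in the advisory and scan
egress log lines for the dropper domain. Sample inputs are constructed."""
import json
import re

AFFECTED_PACKAGES = {"laravel-lang/lang", "laravel-lang/http-statuses",
                     "laravel-lang/attributes", "laravel-lang/actions"}
DROPPER_DOMAIN = "flipboxstudio.info"
# Assumption: the packages are canonically hosted under this GitHub organisation;
# a source/dist URL anywhere else is reported as suspicious.
CANONICAL_PREFIXES = ("https://github.com/laravel-lang/",
                      "https://api.github.com/repos/laravel-lang/")
# Match the domain or any subdomain of it, case-insensitively.
DOMAIN_RE = re.compile(r"(?<![\w-])" + re.escape(DROPPER_DOMAIN) + r"(?![\w-])", re.I)


def audit_lock(lock_text):
    """Return (name, version, pinned_commit, suspicious_url) for every affected
    package in the lock. The pinned commit is what an analyst compares against
    the canonical repository's tag; suspicious_url flags a non-canonical origin."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") not in AFFECTED_PACKAGES:
                continue
            source, dist = pkg.get("source") or {}, pkg.get("dist") or {}
            urls = [u for u in (source.get("url"), dist.get("url")) if u]
            suspicious = any(not u.startswith(CANONICAL_PREFIXES) for u in urls)
            commit = source.get("reference") or dist.get("reference") or ""
            findings.append((pkg["name"], pkg.get("version", ""), commit, suspicious))
    return findings


def egress_hits(log_lines):
    """Return the log lines that reference the dropper domain."""
    return [line for line in log_lines if DOMAIN_RE.search(line)]


# Constructed sample lock: one affected package resolved from the canonical
# organisation, one whose source URL points at a fork, one unrelated package.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "1.0.0", "source": {"type": "git",
     "url": "https://github.com/laravel-lang/lang.git", "reference": "aaaaaaaa"}},
    {"name": "laravel-lang/actions", "version": "1.0.0", "source": {"type": "git",
     "url": "https://github.com/example-fork/actions.git", "reference": "bbbbbbbb"}},
    {"name": "symfony/console", "version": "1.0.0", "source": {"type": "git",
     "url": "https://github.com/symfony/console.git", "reference": "cccccccc"}}],
    "packages-dev": []})
SAMPLE_EGRESS = ["2026-05-23T01:12:09Z runner CONNECT cdn.flipboxstudio.info:443",
                 "2026-05-23T01:12:10Z runner CONNECT api.github.com:443"]
```

Every affected package is reported regardless of origin, because a rewritten tag can resolve through the canonical repository URL; the pinned commit must still be compared against the tag in the canonical repository.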