Laravel-Lang Composer Packages Fully Compromised: 700+ Historical Versions Backdoored with Cross-Platform Credential Stealer via Forked GitHub Tag Poisoning

On May 22–23, 2026, an attacker with org-level push access to the Laravel-Lang GitHub organization rewrote every git tag across four widely used PHP localization packages (laravel-lang/lang, http-statuses, attributes, actions) within a 15-minute window, exploiting GitHub's ability to point tags at commits from attacker-controlled forks — meaning no malicious code ever appeared in the official repos. The injected src/helpers.php, auto-loaded on every PHP request via Composer's autoload.files directive, deploys a 5,900-line, 17-module credential stealer targeting AWS/GCP/Azure keys, Kubernetes service account tokens, HashiCorp Vault secrets, CI/CD pipeline credentials, SSH keys, browser password databases, and crypto wallets, exfiltrating AES-256-encrypted data to flipboxstudio[.]info before self-deleting. Any host that resolved the affected packages between May 22–23 should be treated as fully compromised — rotate all secrets accessible to the PHP process immediately, as no published version number can be trusted since the attacker rewrote historical tags.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.