Laravel-Lang Composer Packages Compromised via Tag-Rewrite Attack — 700+ Malicious Versions Deploy Cross-Platform Credential Stealer Targeting Cloud Keys, CI Tokens, and Crypto Wallets

On May 22–23, 2026, a threat actor with org-level push access to the Laravel-Lang GitHub organization rewrote every existing git tag across four widely-used Composer packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions) to point to attacker-controlled malicious forks — producing over 700 poisoned versions with no safe pin remaining. The injected src/helpers.php dropper auto-executed via Composer's autoload.files directive on every PHP request, beaconing to flipboxstudio[.]info to download a 15-module cross-platform credential stealer that targets AWS/GCP/Azure keys, Kubernetes and Vault secrets, CI/CD tokens, SSH keys, browser passwords, and cryptocurrency wallets, then deletes itself to hamper forensics. Any Laravel or Symfony project that ran composer install or composer update after 2026-05-22 22:32 UTC against the affected packages should treat all accessible secrets as compromised and rotate immediately.

Any Laravel or Symfony project that ran composer install or composer update after 2026-05-22 22:32 UTC against the affected packages should treat all accessible secrets as compromised and rotate immediately.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.