Laravel-Lang Composer Packages Backdoored via GitHub Tag Rewrite; 700+ Versions Deliver CI/CD Credential Stealer

On May 22, 2026 at 22:32 UTC, an attacker with org-level push access to the Laravel-Lang GitHub organization rewrote every git tag across four widely-used PHP localization packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions) within a 15-minute window, redirecting all tags to commits in an attacker-controlled fork — without touching any source files visible in the repo UI. The injected src/helpers.php dropper auto-loaded by Composer on every PHP request, fingerprinted the host, reached out to C2 domain flipboxstudio[.]info, and dropped a ~5,900-line cross-platform credential stealer targeting AWS keys, GCP service account JSONs, Azure credentials, Kubernetes/Vault tokens, GitHub tokens, SSH keys, .env files, browser-stored passwords, and cryptocurrency wallet recovery phrases. Packagist removed the malicious versions on May 23; any environment that ran composer install or composer update during the ~15-hour window should be treated as fully compromised and all secrets rotated immediately — this attack is one of four distinct supply-chain campaigns hitting npm, PyPI, and Composer in an 11-day window in May.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.