Laravel-Lang Composer Tag Rewrite RCE Compromise
Laravel-Lang packages were compromised through rewritten Composer tags that loaded a PHP backdoor through Composer autoload and exposed developer, CI/CD, cloud, and application secrets.
- Date:
- Severity: critical
- Sources: 2
Executive Summary
Laravel-Lang packages were compromised through rewritten Git tags, causing Composer installs that trusted historical version tags to resolve to malicious commits. StepSecurity confirmed four affected repositories and specific tag rewrite windows beginning on 2026-05-22, while Socket reported broader Laravel-Lang impact across roughly 700+ historical package versions (StepSecurity, Socket).
The malicious commits added src/helpers.php and registered it through Composer autoload.files, so execution occurred whenever a PHP application loaded vendor/autoload.php. Hosts or CI runners that installed affected tags should be treated as potentially compromised because the payload fetched second-stage code, dropped temporary loaders under /tmp, and targeted local secrets and CI/cloud credentials (StepSecurity, Socket).
Key Facts
threat_type: "Composer package tag rewrite and RCE backdoor"
ecosystem: "Composer"
registry: "Packagist"
affected_packages:
- "laravel-lang/lang"
- "laravel-lang/http-statuses"
- "laravel-lang/actions"
- "laravel-lang/attributes"
- "additional Laravel-Lang packages reported by Socket"
malicious_versions:
- "laravel-lang/lang all 502 tags reported by StepSecurity"
- "laravel-lang/http-statuses tags through v3.4.5"
- "laravel-lang/actions 46 tags from 1.0.0 through 1.12.2"
- "laravel-lang/attributes all 86 tags reported by StepSecurity"
known_good_versions:
- "pre-compromise commit SHAs independently verified outside mutable tags"
fixed_or_safe_versions:
- "unknown; verify current maintainer cleanup before restoring trust"
execution_trigger: "Composer autoload.files loading src/helpers.php"
primary_impact: "remote code execution, CI/CD credential theft, developer and application secret theft"
campaign_context: "One of several May 2026 supply-chain incidents targeting mutable source-control trust anchors."
confidence: "high"
canonical_source: "https://www.stepsecurity.io/blog/laravel-lang-supply-chain-attack"
last_verified: "2026-05-24"
Source Confidence & Evidence Mapping
- confirmed: StepSecurity reports tag rewrites across four Laravel-Lang repositories: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes (StepSecurity).
- confirmed: The malicious Composer path uses autoload.files to load src/helpers.php, which executes when vendor/autoload.php is required (StepSecurity).
- confirmed: Socket reports a broader Laravel-Lang compromise affecting roughly 700+ historical versions and describes credential collection across cloud, CI/CD, Kubernetes, Vault, browser, SSH, and application configuration sources (Socket).
- likely: Additional Laravel-Lang packages beyond StepSecurity's four confirmed repositories were affected, based on Socket's broader package set and version count (Socket).
- unclear: Final cleanup status for every historical tag should be rechecked before any affected dependency is re-enabled.
Attack Execution Flow
sequenceDiagram
autonumber
actor Attacker
participant Git as Laravel-Lang Git Repositories
participant Packagist as Packagist / Composer
participant App as Laravel App or CI Runner
participant C2 as Attacker Infrastructure
Attacker->>Git: Rewrite historical release tags to malicious commits
Git->>Packagist: Packagist resolves tags from poisoned repository state
Packagist->>App: Composer install/update pulls affected tag
App->>App: vendor/autoload.php loads src/helpers.php
App->>C2: Fetch payload and exfiltrate secrets
Timeline
- 2026-05-22T22:32:00Z StepSecurity reports the tag rewrite window beginning for laravel-lang/lang (StepSecurity).
- 2026-05-22 to 2026-05-23 StepSecurity reports tag rewrites across the four confirmed repositories it analyzed (StepSecurity).
- 2026-05-23 Socket publishes broader Laravel-Lang compromise research covering roughly 700+ historical versions (Socket).
- 2026-05-24 This local feed split created a standalone Laravel-Lang article instead of including it only in a weekly roundup.
What Happened
Attackers gained the ability to rewrite release tags in Laravel-Lang repositories. That matters because Composer users often pin semver tags and assume historical tags are immutable. If a tag is moved, a fresh install can receive a malicious commit while still appearing to satisfy a legitimate version constraint.
The malicious commits added a helper file and autoload registration. StepSecurity's isolated GitHub Actions detonation showed execution through Composer autoload, staging under /tmp, outbound traffic to flipboxstudio[.]info, and short-lived dropper artifacts (StepSecurity). Socket's broader analysis connects the Laravel-Lang package set to credential harvesting that targets developer and CI environments (Socket).
Technical Analysis
Initial Access
The public reports do not establish the exact initial credential or account compromise path. The observed capability was source-control write access sufficient to rewrite historical tags. StepSecurity notes shared malicious commit characteristics and fake author metadata across the confirmed repositories (StepSecurity).
Package or Artifact Tampering
The malicious artifact adds src/helpers.php and modifies Composer metadata so the file is loaded automatically. This is a high-leverage PHP package tampering method because many Laravel applications load Composer’s autoloader early in process startup.
Execution Trigger
Execution does not require direct use of a Laravel-Lang API. The trigger is vendor/autoload.php, which is routinely loaded by web applications, CLI commands, test runners, and CI jobs (StepSecurity).
Payload Behavior
StepSecurity observed a PHP loader that fetched from flipboxstudio[.]info, wrote hidden temporary files, launched background execution, and then removed artifacts (StepSecurity). Socket reports broader collection of cloud metadata, CI/CD tokens, Kubernetes tokens, Vault tokens, browser data, password-manager data, source-control credentials, VPN configs, SSH keys, .env files, and local application configs (Socket).
Exfiltration / C2
Known infrastructure includes flipboxstudio[.]info, with /payload and /exfil paths reported in the technical writeups. Treat egress to this domain from PHP, Composer, CI runners, or Laravel application hosts as a high-priority incident.
Propagation
No autonomous worm behavior is confirmed. The propagation path is dependency resolution: any fresh Composer install or update that trusts a rewritten tag can receive the poisoned commit until tags are restored and caches are cleaned.
Obfuscation or Evasion
The attack hides in historical tag trust and normal Composer autoload behavior. Runtime evasion includes hidden /tmp paths, background execution, and rapid artifact deletion in the observed detonation (StepSecurity).
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Observed Behavior |
|---|---|---|---|
| Initial Access | T1195.002 | Compromise Software Supply Chain | Rewritten package release tags delivered malicious Composer artifacts. |
| Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell | The PHP helper loaded through Composer autoload spawned sh -c and nohup to run hidden /tmp payloads in the background. |
| Command and Control | T1105 | Ingress Tool Transfer | Loader fetched second-stage payloads from attacker infrastructure. |
| Credential Access | T1552 | Unsecured Credentials | Payload targeted environment variables, config files, cloud credentials, and CI secrets. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Secrets were staged for outbound transfer to attacker infrastructure. |
Affected Assets and Blast Radius
affected_assets:
ecosystems:
- "Composer"
- "Packagist"
packages:
- "laravel-lang/lang"
- "laravel-lang/http-statuses"
- "laravel-lang/actions"
- "laravel-lang/attributes"
versions:
- "rewritten historical tags reported by StepSecurity"
- "roughly 700+ affected historical versions reported by Socket"
repositories:
- "Laravel-Lang/lang"
- "Laravel-Lang/http-statuses"
- "Laravel-Lang/actions"
- "Laravel-Lang/attributes"
ci_cd_systems:
- "GitHub Actions"
- "Composer-based build pipelines"
container_images: []
developer_tools:
- "Composer"
- "Laravel applications"
credentials_at_risk:
- "GitHub tokens"
- "CI/CD secrets"
- "cloud credentials"
- "Kubernetes tokens"
- "Vault tokens"
- "SSH private keys"
- ".env secrets"
not_currently_known_to_affect:
- "Official Laravel framework packages, based on Socket's distinction between Laravel-Lang third-party packages and Laravel framework packages."
Indicators of Compromise
package_versions:
- "laravel-lang/lang rewritten tags"
- "laravel-lang/http-statuses rewritten tags through v3.4.5"
- "laravel-lang/actions rewritten tags through 1.12.2"
- "laravel-lang/attributes rewritten tags"
files:
- "src/helpers.php"
- "composer.json autoload.files"
- "/tmp/.laravel_locale/<12 hex chars>.php"
- "/tmp/.<8 hex chars>"
hashes:
- "2f0ee073c6f29d66188a845592029c9b52528f04"
domains:
- "flipboxstudio[.]info"
urls:
- "hxxps://flipboxstudio[.]info/payload"
- "hxxps://flipboxstudio[.]info/exfil"
ips: []
process_patterns:
- "php -r 'require vendor/autoload.php' (or any PHP entry point that loads the autoloader) followed by an orphaned child php process"
- "sh -c php /tmp/.laravel_locale/<id>.php > /dev/null 2>&1 &"
- "nohup /tmp/.<8 hex chars>"
network_patterns:
- "GET flipboxstudio[.]info/payload"
- "POST flipboxstudio[.]info/exfil"
provenance_signals:
- "Laravel-Lang tags recreated in a tight 2026-05-22 to 2026-05-23 window"
- "unexpected tag author metadata such as Your Name <you@example.com>"
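The process and network patterns above are easiest to operationalize as rules run over endpoint and egress telemetry. The following is an added example written for this page, not code from StepSecurity, Socket, or the Laravel-Lang project. The event schema (type, image, parent_image, cmdline, dest_host, method, path) is an assumed normalized JSONL format rather than any vendor's native log layout, and every event record below is constructed to exercise the rules; the two regular expressions encode the /tmp/.laravel_locale/<12 hex chars>.php and /tmp/.<8 hex chars> shapes reported in the writeups.

```python
"""Added example: match process and network telemetry against the runtime
indicators reported for the Laravel-Lang payload. Event records are constructed."""
import json
import re

C2_DOMAIN = "flipboxstudio.info"
C2_PATHS = {"/payload": "second-stage fetch", "/exfil": "secret exfiltration"}

# Loader shape from the detonation: /tmp/.laravel_locale/<12 hex chars>.php
HIDDEN_LOADER = re.compile(r"/tmp/\.laravel_locale/[0-9a-f]{12}\.php")
# Dropper shape: a hidden /tmp/.<8 hex chars> file, usually launched under nohup
HIDDEN_DROPPER = re.compile(r"(?<![\w/.])/tmp/\.[0-9a-f]{8}(?![\w/.])")
SHELLS = {"sh", "bash", "dash"}


def _from_php(ev):
    """True when the parent is a PHP interpreter or Composer (the autoload chain)."""
    parent = ev.get("parent_image", "")
    return parent.startswith("php") or parent == "composer"


def check_process(ev):
    """Return alerts for one process-creation event."""
    cmd = ev.get("cmdline", "")
    alerts = []
    if HIDDEN_LOADER.search(cmd):
        alerts.append({"rule": "hidden_laravel_locale_loader", "severity": "critical", "cmdline": cmd})
    if HIDDEN_DROPPER.search(cmd):
        alerts.append({"rule": "hidden_tmp_dropper", "severity": "critical", "cmdline": cmd})
    # Lower-confidence fallback: PHP/Composer spawning a shell that backgrounds
    # anything under /tmp. Expect some benign hits; triage rather than auto-block.
    if not alerts and _from_php(ev) and ev.get("image") in SHELLS \
            and "/tmp/" in cmd and cmd.rstrip().endswith("&"):
        alerts.append({"rule": "php_spawns_background_tmp_shell", "severity": "high", "cmdline": cmd})
    return alerts


def check_network(ev):
    """Return an alert for any connection to the reported C2 domain or a subdomain."""
    host = ev.get("dest_host", "").lower()
    if host != C2_DOMAIN and not host.endswith("." + C2_DOMAIN):
        return []
    path = ev.get("path", "")
    what = C2_PATHS.get(path, "unknown path")
    detail = f"{ev.get('method', '?')} {host}{path} ({what})"
    return [{"rule": "c2_flipboxstudio", "severity": "critical", "detail": detail, "image": ev.get("image")}]


def run_detection(events_jsonl):
    """Evaluate every JSONL event and return the alerts in event order."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("type") == "process":
            alerts.extend(check_process(ev))
        elif ev.get("type") == "network":
            alerts.extend(check_network(ev))
    return alerts


# Constructed telemetry: one autoload entry point, the loader, the dropper,
# both C2 requests, a benign-looking backgrounded /tmp script, and Packagist traffic.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"type": "process", "image": "php", "parent_image": "bash",
     "cmdline": "php -r 'require \"vendor/autoload.php\";'"},
    {"type": "process", "image": "sh", "parent_image": "php",
     "cmdline": "sh -c php /tmp/.laravel_locale/0123456789ab.php > /dev/null 2>&1 &"},
    {"type": "process", "image": "nohup", "parent_image": "php", "cmdline": "nohup /tmp/.a1b2c3d4"},
    {"type": "network", "image": "php", "dest_host": "flipboxstudio.info", "method": "GET", "path": "/payload"},
    {"type": "network", "image": "php", "dest_host": "flipboxstudio.info", "method": "POST", "path": "/exfil"},
    {"type": "process", "image": "sh", "parent_image": "php", "cmdline": "sh -c php /tmp/build/cache-warm.php &"},
    {"type": "network", "image": "composer", "dest_host": "repo.packagist.org", "method": "GET",
     "path": "/p2/laravel-lang/lang.json"},
])

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"], alert.get("cmdline") or alert.get("detail"))
```

The two specific rules fire only on the exact hidden-path shapes and are safe to page on; the fallback rule deliberately catches the constructed cache-warm.php line as well, which is the kind of hit a hunter should review by hand rather than block, and which would still surface a variant that changes the directory name.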
Detection and Hunting
lockfiles:
- "Search composer.lock for Laravel-Lang packages resolved or updated after 2026-05-22T22:32:00Z."
- "Compare locked dist/source commit SHAs against maintainer-confirmed clean commits."
filesystem:
- "Search vendor/laravel-lang paths for src/helpers.php."
- "Search composer.json and vendor composer metadata for autoload.files entries pointing to helpers.php."
process:
- "Hunt for Composer or PHP processes spawning background /tmp payloads."
network:
- "Search DNS and proxy logs for flipboxstudio[.]info."
github_audit:
- "Review repository and dependency bot activity that updated Laravel-Lang packages during the rewrite window."
ci_cd:
- "Review CI runs that executed composer install/update against Laravel-Lang packages after 2026-05-22T22:32:00Z."
registry:
- "Temporarily block affected Laravel-Lang tags until pinned clean SHAs are verified."
sigma_candidates:
- "PHP Composer Autoload Spawns Hidden Temp Payload"
yara_candidates:
- "PHP helper loader containing flipboxstudio[.]info and temporary hidden path logic"
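The lockfile and filesystem hunts above come down to three questions per Laravel-Lang entry in composer.lock: does its autoload metadata register helpers.php, does its resolved commit match a SHA you verified independently of the tag, and does its time field fall inside the rewrite window. The script below is an added example written for this page, not tooling from StepSecurity, Socket, or the Laravel-Lang maintainers. It reads only fields Composer really writes to composer.lock (name, version, source/dist reference, autoload, time); the CLEAN_REFERENCES allowlist holds placeholder SHAs you must replace with ones you verified yourself, and the embedded lockfile excerpt is constructed, with placeholder commit hashes and PSR-4 namespaces.

```python
"""Added example: hunt a composer.lock for Laravel-Lang packages resolved to
rewritten tags. Allowlist SHAs and the lockfile excerpt are constructed placeholders."""
import json
from datetime import datetime, timezone

# Start of the tag rewrite window reported by StepSecurity (UTC).
REWRITE_WINDOW_START = datetime(2026, 5, 22, 22, 32, tzinfo=timezone.utc)

# Assumed allowlist of maintainer-verified clean commit SHAs. Placeholder values:
# replace with SHAs you checked out and inspected outside the mutable tags.
CLEAN_REFERENCES = {
    "laravel-lang/actions": {"1111111111111111111111111111111111111111"},
    "laravel-lang/http-statuses": {"2222222222222222222222222222222222222222"},
}


def _parse_time(value):
    """Parse Composer's package 'time' (ISO 8601, normally with a +00:00 offset)."""
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def hunt_lock(lock_text, clean_refs=CLEAN_REFERENCES, window_start=REWRITE_WINDOW_START):
    """Return one finding per laravel-lang/* entry in the lockfile.

    verdict: 'poisoned' when autoload.files registers helpers.php (the confirmed
    execution trigger), 'suspect' when the resolved commit is unverified or is
    dated inside the rewrite window, 'clean' when neither applies.
    """
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if not name.startswith("laravel-lang/"):
            continue
        reasons = []
        files = pkg.get("autoload", {}).get("files", [])
        if any(f.endswith("helpers.php") for f in files):
            reasons.append("autoload.files registers " + ", ".join(files))
        ref = (pkg.get("source") or {}).get("reference") or (pkg.get("dist") or {}).get("reference")
        if ref not in clean_refs.get(name, set()):
            reasons.append(f"resolved commit {ref} is not a verified clean SHA")
        ts = _parse_time(pkg.get("time"))
        if ts is not None and ts >= window_start:
            reasons.append(f"package time {pkg['time']} falls inside the rewrite window")
        if any(r.startswith("autoload.files") for r in reasons):
            verdict = "poisoned"
        elif reasons:
            verdict = "suspect"
        else:
            verdict = "clean"
        findings.append({"package": name, "version": pkg.get("version"), "reference": ref,
                         "verdict": verdict, "reasons": reasons})
    return findings


# Constructed composer.lock excerpt: one poisoned, one suspect, one clean vendor entry
# plus an unrelated package that the hunt must ignore.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "1.0.0",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
                    "reference": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
         "autoload": {"psr-4": {"Placeholder\\Lang\\": "src"}, "files": ["src/helpers.php"]},
         "time": "2026-05-22T23:10:00+00:00"},
        {"name": "laravel-lang/http-statuses", "version": "3.4.5",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/http-statuses.git",
                    "reference": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
         "autoload": {"psr-4": {"Placeholder\\HttpStatuses\\": "src"}},
         "time": "2026-05-23T01:00:00+00:00"},
        {"name": "laravel-lang/actions", "version": "1.12.2",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/actions.git",
                    "reference": "1111111111111111111111111111111111111111"},
         "autoload": {"psr-4": {"Placeholder\\Actions\\": "src"}},
         "time": "2025-11-01T12:00:00+00:00"},
        {"name": "psr/log", "version": "3.0.0", "autoload": {"psr-4": {"Psr\\Log\\": "src"}}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for f in hunt_lock(SAMPLE_LOCK):
        print(f["verdict"], f["package"], f["version"], f["reference"], "; ".join(f["reasons"]))
```

Run it against every composer.lock a CI job or deployment touched after the window start; a poisoned verdict means the host executed the helper on the next autoload and belongs in the rotate-secrets set, while a suspect verdict with only an unverified SHA is the normal state for any package you have not yet allowlisted and should shrink as you verify commits by hand. The same reference field is what to compare when pinning: Composer records the commit it actually fetched, so a lock entry whose version string is unchanged but whose reference differs from your allowlist is exactly the tag-rewrite case.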
Remediation Workflow
- Immediate: Freeze Laravel-Lang updates, preserve composer.lock, isolate hosts and runners that installed affected tags, block flipboxstudio[.]info, and rotate secrets from a clean environment.
- Short-term: Rebuild dependencies from clean caches, pin verified clean commit SHAs, compare vendor trees against known-good source, and audit all CI runs that loaded the Composer autoloader during the exposure window.
- Long-term: Treat mutable tags as untrusted in high-risk builds, require dependency provenance review, mirror critical dependencies internally, and alert on Composer autoload entries that introduce new executable helper files.
Defensive Lessons
- prevent: Do not rely on tag names alone for high-risk dependencies. Pin and verify immutable source SHAs for production builds.
- detect: Monitor dependency resolution events and runtime behavior together; a lockfile hit matters most if the package actually executed.
- respond: Rotate secrets based on autoload execution exposure, not only on whether a package appears in source control.
Open Questions
- Which historical tags are now restored, and are they protected against future force updates?
- How many downstream installs resolved poisoned tags before cleanup?
- Are there additional Laravel-Lang packages beyond the four StepSecurity-confirmed repositories that still require tag verification?
Sources
- StepSecurity: Laravel-Lang Supply Chain Attack - Role: PRIMARY_RESEARCH - Impact: Provides confirmed repositories, tag rewrite timing, detonation behavior, process tree, network activity, and IOCs.
- Socket: Laravel Lang Compromised with RCE Backdoor Across 700+ Versions - Role: PRIMARY_RESEARCH - Impact: Documents broader package scope, Composer autoload execution, payload behavior, credential targets, and remediation guidance.
Machine-Readable Event Profile
{
"schema_version": "2.0",
"event_id": "laravel-lang-composer-tag-compromise-2026-05-22",
"event_name": "Laravel-Lang Composer Tag Rewrite RCE Compromise",
"publication_state": "publish_ready",
"confidence": "high",
"attack_types": ["git tag hijacking", "composer package compromise", "remote code execution", "credential theft"],
"sources": {
"direct": [],
"primary_research": [
"https://www.stepsecurity.io/blog/laravel-lang-supply-chain-attack",
"https://socket.dev/blog/laravel-lang-compromise"
],
"correlated": []
},
"affected_assets": {
"ecosystems": ["Composer", "Packagist"],
"packages": ["laravel-lang/lang", "laravel-lang/http-statuses", "laravel-lang/actions", "laravel-lang/attributes"],
"versions": ["rewritten historical tags", "roughly 700+ versions reported by Socket"],
"repositories": ["Laravel-Lang/lang", "Laravel-Lang/http-statuses", "Laravel-Lang/actions", "Laravel-Lang/attributes"],
"ci_cd_systems": ["GitHub Actions", "Composer build pipelines"],
"container_images": [],
"developer_tools": ["Composer", "Laravel"],
"credentials_at_risk": ["GitHub tokens", "CI/CD secrets", "cloud credentials", "Kubernetes tokens", "Vault tokens", "SSH private keys", ".env secrets"]
},
"timeline": {
"first_seen": "2026-05-22T22:32:00Z",
"malicious_publish_time": "2026-05-22T22:32:00Z/2026-05-23T00:00:00Z",
"discovery_time": "2026-05-22/2026-05-23",
"removal_time": "unknown",
"disclosure_time": "2026-05-23",
"patch_or_fix_time": "unknown"
},
"artifact_analysis": {
"malicious_artifacts": ["src/helpers.php", "composer.json autoload.files", "/tmp/.laravel_locale/<id>.php"],
"execution_trigger": "Composer autoload",
"payload_behavior": ["remote payload fetch", "background execution", "credential harvesting", "artifact cleanup"]
},
"iocs": {
"package_versions": ["laravel-lang rewritten tags"],
"files": ["src/helpers.php", "/tmp/.laravel_locale/<id>.php"],
"hashes": ["2f0ee073c6f29d66188a845592029c9b52528f04"],
"domains": ["flipboxstudio.info"],
"urls": ["https://flipboxstudio.info/payload", "https://flipboxstudio.info/exfil"],
"ips": [],
"process_patterns": ["php Composer autoload spawns hidden temp payload"],
"network_patterns": ["GET flipboxstudio.info/payload", "POST flipboxstudio.info/exfil"]
},
"detection": {
"lockfile_hunts": ["composer.lock Laravel-Lang packages after 2026-05-22T22:32:00Z"],
"filesystem_hunts": ["src/helpers.php under Laravel-Lang vendor trees"],
"process_hunts": ["orphaned PHP or hidden temp payloads after Composer autoload"],
"network_hunts": ["flipboxstudio.info"],
"ci_cd_hunts": ["Composer install/update during tag rewrite window"],
"registry_hunts": ["block rewritten tags until clean SHAs verified"]
},
"open_questions": ["Final cleanup status for every historical tag", "downstream victim count", "complete affected package list"],
"defender_takeaways": {
"detection": "Start with composer.lock and CI run history, then pivot to PHP process and egress telemetry.",
"hunting": "Verify tag-to-commit SHAs rather than trusting version strings.",
"remediation": "Rebuild from clean caches and rotate secrets for any host that loaded the poisoned autoload path.",
"prevention": "Pin immutable SHAs for high-risk dependencies and monitor tag rewrites."
}
}