Laravel Lang packages hijacked to deploy credential-stealing malware
A supply chain attack on Laravel Lang localization packages has been uncovered, in which attackers hijacked GitHub repositories and abused version tags to inject malicious code into Composer packages. The compromised packages, used for translating Laravel applications, were distributed through Packagist, exposing developers to credential-stealing malware. The malware targets environment variables, SSH keys, and database credentials and exfiltrates them to attacker-controlled servers. The attack was first reported on May 23, 2026, by BleepingComputer. Developers who installed the affected packages between specific dates are at risk. The incident highlights the exposure of open-source ecosystems to tag-based attacks, in which a seemingly legitimate version update can carry a malicious payload. Users are advised to audit their Composer dependencies and rotate any exposed credentials.
Compromised Laravel packages can lead to widespread credential theft in developer environments.
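One way to audit a Composer lock file for the tag abuse described above is to compare the commit that composer.lock recorded for each tagged release with the commit the upstream tag points at now; a tag that has moved since install is exactly what a retagged release looks like. This is an added example, not code from the article or from the Laravel Lang project: the package names, URLs and hashes are constructed placeholders, and the `git ls-remote --tags` output is embedded inline rather than fetched.

```python
import json

# Constructed commit placeholders: locked at install, where the tag points now, untouched.
LOCKED, MOVED, STABLE = "a" * 40, "c" * 40, "b" * 40
# Constructed composer.lock excerpt; names and hashes are placeholders, not the
# identifiers of the packages affected by the incident.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "vendor/example-lang", "version": "v1.2.3",
     "source": {"type": "git", "reference": LOCKED,
                "url": "https://github.com/vendor/example-lang.git"}},
    {"name": "vendor/stable", "version": "v2.0.0",
     "source": {"type": "git", "reference": STABLE,
                "url": "https://github.com/vendor/stable.git"}},
], "packages-dev": []})
# Constructed `git ls-remote --tags <url>` output per repository; an annotated
# tag lists the tag object first and the peeled commit on a "^{}" line.
SAMPLE_LS_REMOTE = {
    "https://github.com/vendor/example-lang.git":
        f"{'d' * 40}\trefs/tags/v1.2.3\n{MOVED}\trefs/tags/v1.2.3^{{}}\n",
    "https://github.com/vendor/stable.git": f"{STABLE}\trefs/tags/v2.0.0\n",
}

def parse_tags(ls_remote_output):
    """Return {tag: commit}, using the peeled commit for annotated tags."""
    tags = {}
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition("\t")
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha          # peeled commit wins over the tag object
        else:
            tags.setdefault(name, sha)
    return tags

def find_moved_tags(lock_text, ls_remote_by_url):
    """List (name, version, locked_commit, current_commit) where they differ."""
    findings = []
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        src = pkg.get("source") or {}
        if src.get("type") != "git" or pkg["version"].startswith("dev-"):
            continue    # dist-only entries and branch aliases cannot be checked this way
        current = parse_tags(ls_remote_by_url.get(src["url"], "")).get(pkg["version"])
        if current != src["reference"]:
            findings.append((pkg["name"], pkg["version"], src["reference"], current))
    return findings
```

In practice the `ls_remote_by_url` map is filled from `git ls-remote --tags <source url>` for each locked package; a mismatch (or a tag that no longer exists) means the release changed after it was installed and should be inspected before it is trusted again.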