Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer

The Hacker News technology

Key Points:

  • Cybersecurity researchers have uncovered a large-scale software supply chain attack targeting multiple Laravel-Lang PHP packages, embedding a credential-stealing framework in over 700 compromised versions released rapidly in May 2026.
  • The malicious code resides in a file named "src/helpers.php," which is automatically executed on every PHP request due to its inclusion in the autoload.files configuration, enabling the payload to run without any user interaction.
  • The attacker's payload fingerprints infected hosts and retrieves a cross-platform PHP stealer that collects extensive sensitive data, including cloud credentials, cryptocurrency wallet seed phrases, browser data, VPN configurations, and session tokens from numerous applications and services.
  • After harvesting data, the stealer encrypts the information using AES-256 and exfiltrates it to a command-and-control server before deleting itself to avoid detection and forensic analysis.
  • The scale and timing of the compromised package versions suggest the attacker gained access to organization-level credentials or release infrastructure, enabling automated mass tagging and republishing of malicious packages.
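Because the payload runs through Composer's autoload.files mechanism, a useful first check is to list every locked package that registers such files. The following Python sketch is an added example, not code from the article or from the Laravel-Lang project; it assumes the standard composer.lock layout and the `laravel-lang/` Composer vendor prefix, and the package names and versions in the sample are constructed placeholders.

```python
import json

# Constructed composer.lock excerpt (not from a real project); versions are placeholders.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/example-package", "version": "0.0.0-placeholder",
         "autoload": {"psr-4": {"LaravelLang\\Example\\": "src/"},
                      "files": ["src/helpers.php"]}},
        {"name": "acme/no-files", "version": "1.0.0",
         "autoload": {"psr-4": {"Acme\\": "src/"}}},
    ],
    "packages-dev": [
        {"name": "acme/dev-tool", "version": "2.1.0",
         "autoload": {"files": ["bootstrap.php"]}},
    ],
})

WATCHED_VENDOR = "laravel-lang/"   # assumed Composer vendor prefix for Laravel-Lang
WATCHED_FILE = "src/helpers.php"   # file name given in the article


def autoload_files(lock_text):
    """Return one finding per locked package that registers autoload.files entries."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            files = (pkg.get("autoload") or {}).get("files") or []
            if isinstance(files, str):      # tolerate a single string value
                files = [files]
            if not files:
                continue                    # nothing runs at autoload time
            name = pkg.get("name", "")
            findings.append({
                "package": name,
                "version": pkg.get("version", ""),
                "section": section,
                "files": list(files),
                "priority": name.lower().startswith(WATCHED_VENDOR)
                            and WATCHED_FILE in files,
            })
    # Priority findings first, then alphabetical for stable output.
    return sorted(findings, key=lambda f: (not f["priority"], f["package"]))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in autoload_files(text):
        flag = "REVIEW FIRST" if f["priority"] else "review"
        print(f"[{flag}] {f['package']} {f['version']} ({f['section']}): {', '.join(f['files'])}")
```

Many legitimate packages use autoload.files, so a hit identifies code that executes on every request and should be compared against a known-good release, not a confirmed compromise.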
