
Laravel Lang packages hijacked to deliver info-stealing malware

A supply chain attack on the Laravel Lang localization packages exposed developers to an information-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages.

Security companies StepSecurity, Aikido Security, and Socket warned about the attack on Friday, noting that instead of publishing entirely new malicious versions, the attackers rewrote the existing GitHub tags in all four repositories maintained by the Laravel Lang organization.

Affected packages include laravel-lang/lang, laravel-lang/http-status, laravel-lang/attributes, and possibly laravel-lang/actions. The Laravel Lang packages are third-party localization packages and are not part of the official Laravel project.

According to Aikido, the attackers compromised 233 versions across three of the repositories, while Socket said that around 700 historical versions may have been affected.

What made the attack stand out is that the project's original source code was never modified to include malicious code. Instead, the attackers abused the fact that a GitHub tag can be pointed at a commit that was never part of the project's own branches, in this case one stored in an attacker-controlled repository sharing the same fork network.

“Instead of publishing a new malicious version, the attacker rewrote every existing git tag on each repository to point to the new malicious commit,” StepSecurity explained.

“The rewrite started at 22:32 UTC against laravel-lang/lang (a prominent Laravel translation package, with 502 tags) and finished at 00:00 UTC against laravel-lang/actions. All four repositories show the same forged author identity, the same modified files, and the same payload behavior, which points to a single actor with compromised push access.”

This allowed the attackers to present what appeared to be official project release tags that in fact resolved to malicious code stored in an attacker-controlled repository.

When developers install or update a package through Composer, it downloads that malicious code while appearing to install an official Laravel Lang release.
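The two checks a defender can run against this pattern follow from the mechanism described above. A `composer.lock` records the exact commit each version tag resolved to when the lock was generated, so a tag that has since been re-pointed shows up as a mismatch between the pinned commit and what the tag resolves to today; and a release tag that points at a commit no branch of the upstream clone can reach is exactly the signature of a tag re-pointed at foreign history. The following is an added example written for this article, not code from StepSecurity, Aikido, Socket, or the Laravel Lang project; it assumes a `composer.lock` from the consuming project and a plain `git clone` of the upstream repository, and the sample lock file is constructed.

```python
"""Audit Composer-pinned commits and git tags for the tag-rewrite pattern.

Added example; not code from the article or from the Laravel Lang project.
Assumes a composer.lock from the consuming project and a plain `git clone`
of the upstream repository. The package name prefix is a parameter.
"""
import json
import subprocess
from pathlib import Path

# Constructed sample lock file (not a real laravel-lang lock); the sha is a placeholder.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.0.0",
         "source": {"type": "git", "reference": "a" * 40}},
        {"name": "vendor/other", "version": "1.0.0",
         "source": {"type": "git", "reference": "b" * 40}},
    ],
    "packages-dev": [],
})


def pinned_references(lock_text: str, vendor_prefix: str) -> dict[str, tuple[str, str]]:
    """Map each matching package in composer.lock to (version, commit sha)."""
    lock = json.loads(lock_text)
    pinned: dict[str, tuple[str, str]] = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if not pkg["name"].startswith(vendor_prefix):
                continue
            source = pkg.get("source") or {}
            dist = pkg.get("dist") or {}
            ref = source.get("reference") or dist.get("reference") or ""
            pinned[pkg["name"]] = (pkg["version"], ref)
    return pinned


def orphan_tags(tag_commits: dict[str, str], branch_commits: set[str]) -> list[str]:
    """Return tags whose commit is not reachable from any branch.

    A legitimate release tag sits on the project's history; a tag pointing at a
    commit that no branch reaches was re-pointed at history pushed from elsewhere.
    """
    return sorted(tag for tag, sha in tag_commits.items() if sha not in branch_commits)


def _git(repo: Path, *args: str) -> list[str]:
    out = subprocess.run(["git", "-C", str(repo), *args],
                         check=True, capture_output=True, text=True)
    return [line for line in out.stdout.splitlines() if line.strip()]


def git_tag_commits(repo: Path) -> dict[str, str]:
    """Resolve every tag in the clone to its commit, peeling annotated tags."""
    tags: dict[str, str] = {}
    fmt = "--format=%(refname:short)%09%(objectname)%09%(*objectname)"
    for line in _git(repo, "for-each-ref", fmt, "refs/tags"):
        name, obj, peeled = line.split("\t")
        tags[name] = peeled or obj  # lightweight tags have no peeled object
    return tags


def git_branch_commits(repo: Path) -> set[str]:
    """Every commit reachable from any local or remote-tracking branch."""
    return set(_git(repo, "rev-list", "--branches", "--remotes"))


def audit(lock_path: Path, repo: Path, vendor_prefix: str = "laravel-lang/") -> dict[str, list[str]]:
    """Report orphan tags and lock entries whose pinned sha no longer matches the tag."""
    tags = git_tag_commits(repo)
    report: dict[str, list[str]] = {
        "orphan_tags": orphan_tags(tags, git_branch_commits(repo)),
        "repointed_pins": [],
    }
    for name, (version, sha) in pinned_references(lock_path.read_text(), vendor_prefix).items():
        current = tags.get(version) or tags.get(version.lstrip("v"))
        if current and current != sha:
            report["repointed_pins"].append(f"{name} {version}: lock {sha[:12]} vs tag {current[:12]}")
    return report


if __name__ == "__main__":
    import sys
    print(json.dumps(audit(Path(sys.argv[1]), Path(sys.argv[2])), indent=2))
```

Run it as `python audit.py path/to/composer.lock path/to/upstream-clone`. Both lists should be empty for a healthy package; any entry in `repointed_pins` means the tag your lock file trusted no longer means what it meant when you locked it, and any entry in `orphan_tags` is a tag that deserves manual inspection before anything built from it is installed.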

Info-stealing payload

The researchers discovered that the malicious release introduced a malicious file called ‘src/helpers.php’, which was automatically loaded by Composer.

helpers.php payload added to the autoload section of composer.json
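A file listed under `autoload.files` in a package's `composer.json` is included on every request as soon as `vendor/autoload.php` is loaded, with no class lookup required, which is why a dropper placed there runs unconditionally. Comparing the autoload section of a package's manifest before and after an update is a cheap way to catch that change. The following is an added example written for this article, not code from the researchers or the Laravel Lang project; the two manifests are constructed to mirror the described change and are not the real files.

```python
"""Diff the autoload section of two composer.json versions.

Added example; not code from the article or the Laravel Lang project. BEFORE and
AFTER are constructed manifests that mirror the described change (a new
autoload.files entry for src/helpers.php); they are not the real ones.
"""
import json
from pathlib import Path

BEFORE = json.dumps({
    "name": "example/localization",
    "autoload": {"psr-4": {"Example\\Localization\\": "src/"}},
})
AFTER = json.dumps({
    "name": "example/localization",
    "autoload": {
        "psr-4": {"Example\\Localization\\": "src/"},
        "files": ["src/helpers.php"],
    },
})


def _keys(value) -> set[str]:
    """psr-4/psr-0 map namespaces to paths; classmap is a list of paths."""
    return set(value) if isinstance(value, (dict, list)) else set()


def autoload_changes(before_text: str, after_text: str) -> dict[str, list[str]]:
    """Return autoload entries present in `after` but not in `before`, grouped by kind."""
    before = json.loads(before_text)
    after = json.loads(after_text)
    added: dict[str, list[str]] = {}
    for section in ("autoload", "autoload-dev"):
        old = before.get(section, {})
        new = after.get(section, {})
        # Unconditionally included files are the highest-risk kind of entry.
        new_files = sorted(set(new.get("files", [])) - set(old.get("files", [])))
        if new_files:
            added[f"{section}.files"] = new_files
        for kind in ("psr-4", "psr-0", "classmap"):
            extra = sorted(_keys(new.get(kind)) - _keys(old.get(kind)))
            if extra:
                added[f"{section}.{kind}"] = extra
    return added


def installed_autoload_files(vendor_dir: Path) -> dict[str, list[str]]:
    """Inventory every installed package that autoloads files unconditionally."""
    result: dict[str, list[str]] = {}
    for manifest in sorted(vendor_dir.glob("*/*/composer.json")):
        try:
            data = json.loads(manifest.read_text())
        except (OSError, ValueError):
            continue
        files = data.get("autoload", {}).get("files", [])
        if files:
            result[data.get("name", str(manifest.parent))] = list(files)
    return result


if __name__ == "__main__":
    print(json.dumps(autoload_changes(BEFORE, AFTER), indent=2))
    # Pass a project's vendor/ directory to list packages that autoload files.
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(installed_autoload_files(Path(sys.argv[1])), indent=2))
```

In practice you would feed `autoload_changes` the manifest from the previously locked version (for example from a git diff of `vendor/`) and the one just installed; `installed_autoload_files` gives the baseline inventory of packages that legitimately use `autoload.files`, so that a new entry from a localization package, which has no reason to ship helper functions that run on every request, stands out immediately.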

The injected code acted as a dropper that downloaded a secondary payload from the attacker’s command-and-control server at flipboxstudio[.]info.

The downloaded PHP payload [VirusTotal] is a comprehensive cross-platform infostealer for Linux, macOS, and Windows that harvests cloud credentials, Kubernetes secrets, Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password managers, VPN configurations, and local `.env` configuration files.

The malware also contains regular expression patterns used to extract AWS keys, GitHub tokens, Slack tokens, Stripe secrets, database credentials, JWTs, SSH private keys, and cryptocurrency recovery phrases from files and environment variables.

Regular expression patterns used to steal secrets
Source: BleepingComputer

On Windows systems, the PHP loader also drops a base64-encoded executable [VirusTotal] embedded in the file, writes it to the %TEMP% folder under a random .exe filename, and launches it.

BleepingComputer’s analysis of the Windows infostealer shows that it is called ‘DebugElevator’ and is designed to target Chrome, Brave, and Edge and extract the App-Bound Encryption keys needed to decrypt stored browser data.

DebugElevator executable
Source: BleepingComputer

The embedded PDB path also refers to the Windows account name ‘Mero’ and contains the folder name ‘claude’, which may indicate that AI was used to help develop the Windows malware.

C:\Users\Mero\OneDrive\Desktop\stuff\claude\Chromium-DebugElevator\x64\Release\DebugChromium.pdb

The researchers say that once the sensitive data is extracted, the malware encrypts it and sends it back to the C2 server.

Aikido says it reported the incident to Packagist, which quickly responded by removing the malicious versions and temporarily taking the affected packages offline to prevent further installations.

Developers using Laravel Lang packages are advised to review the installed package versions, rotate any exposed secrets, check their systems for indicators of compromise, and, where possible, review historical outbound network logs for connections to flipboxstudio[.]info.
