Four widely-used Laravel localization packages were compromised in a supply chain attack starting May 22. Hackers rewrote Git tags across over 700 historical versions of laravel-lang/lang, http-statuses, attributes, and actions — without ever touching the official repos. Instead, they pointed tags to commits in a malicious fork they controlled.
The malware connected to a C&C server to deploy a PHP credential stealer targeting AWS, GCP, Azure keys, SSH private keys, Kubernetes tokens, browser passwords, crypto wallets, and more — across Windows, Linux, and macOS.
Any system that installed or updated these packages should be treated as compromised, and all secrets rotated immediately.
Source: SecurityWeek