Laravel Packages Compromised for Malware Distribution
Third-Party Risk Management Fails Again
The Laravel-Lang organization recently experienced a security breach where hackers compromised their release process, publishing malicious version tags across four packages.
A Series of Malicious Version Tags Published
On May 22, a series of malicious version tags were published across four packages maintained by the Laravel-Lang organization.
- laravel-lang/lang
- laravel-lang/http-statuses
- laravel-lang/attributes
- laravel-lang/actions
These packages are third-party localization libraries used by Laravel applications.
The attackers published malicious tags across more than 700 historical versions of the four packages, potentially impacting every application that fetched updates for them or installed them fresh while the tags were live.
The Attackers Exploited GitHub’s Feature
The malicious code was never committed to the official repositories. Instead, the attackers exploited a GitHub feature that allows a version tag to point at a commit from a fork of the same repository, so the tag looked legitimate while resolving to code the maintainers never wrote.
The malicious version tags contained a file named src/helpers.php, posing as a Laravel localization helper. This code fingerprinted the machine, connected to the command-and-control (C&C) domain flipboxstudio[.]info, and fetched a PHP credential stealer to execute in the background.
Malware Targeted Various High-Value Configuration and Credential Files
The malware targeted:
- Credentials stored in browsers and password managers
- Cryptocurrency wallets and extensions
- Various communication platforms
- VPN configuration files
- Various high-value configuration and credential files across Windows, Linux, and macOS systems
Organizations and users are advised to:
- block the affected packages
- treat any systems that installed them as potentially compromised
- confirm the availability of clean versions and install them
- rotate any secrets available to hosts, containers, CI runners, or developer machines that installed or ran the compromised packages
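The triage steps above can be partly automated. The script below is an added example written for this article, not code from Laravel-Lang or from the advisory. It reads a Composer project's `composer.lock`, lists which of the four affected packages are installed together with the commit reference each resolved to, flags references that are not in a caller-supplied set of commits known to belong to the upstream repository (the attack worked precisely because tags resolved to fork commits), and scans `vendor/laravel-lang/*` for the two indicators the article names: a `src/helpers.php` file and a reference to the C&C domain. The package names and the domain come from the article; the lock-file contents, version numbers, commit hashes and vendor files used for the demonstration are constructed samples.

```python
"""Triage helper for the Laravel-Lang supply-chain incident (added example).

Uses only the standard library so it can run offline on a developer machine
or CI runner. Values marked 'constructed' are sample data, not real IoCs.
"""
import json
import os
import tempfile
from pathlib import Path

# Package names as listed in the advisory.
AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
# C&C domain from the advisory (written there defanged as flipboxstudio[.]info).
C2_DOMAIN = "flipboxstudio.info"


def affected_from_lock(lock_text):
    """Return {package: {"version", "reference"}} for affected packages in composer.lock.

    Composer records resolved packages under "packages" and "packages-dev",
    each with a "source" block carrying the git commit it was fetched from.
    """
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in AFFECTED_PACKAGES:
                found[pkg["name"]] = {
                    "version": pkg.get("version"),
                    "reference": (pkg.get("source") or {}).get("reference"),
                }
    return found


def unexpected_references(found, trusted_refs):
    """Flag installed commits not in the set of commits known to be upstream.

    trusted_refs is supplied by the caller, e.g. from `git rev-list --all`
    in a fresh clone of the real upstream repository. A tag that resolves
    to a commit outside that set is exactly the fork-commit pattern used here.
    """
    return {
        name: info["reference"]
        for name, info in found.items()
        if info["reference"] not in trusted_refs
    }


def scan_vendor(vendor_dir):
    """Scan vendor/laravel-lang/* for the advisory's file and domain indicators."""
    findings = []
    base = Path(vendor_dir) / "laravel-lang"
    if not base.is_dir():
        return findings
    for pkg_dir in sorted(base.iterdir()):
        name = f"laravel-lang/{pkg_dir.name}"
        helper = pkg_dir / "src" / "helpers.php"
        if helper.is_file():
            findings.append((name, "src/helpers.php present", str(helper)))
        for php in sorted(pkg_dir.rglob("*.php")):
            try:
                text = php.read_text(errors="ignore")
            except OSError:
                continue
            if C2_DOMAIN in text:
                findings.append((name, "C2 domain reference", str(php)))
    return findings


# Constructed composer.lock excerpt: versions and 40-char hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v0.0.0-constructed",
         "source": {"type": "git", "reference": "a" * 40}},
        {"name": "laravel-lang/lang", "version": "0.0.0-constructed",
         "source": {"type": "git",
                    "url": "https://github.com/Laravel-Lang/lang.git",
                    "reference": "1" * 40}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/attributes", "version": "0.0.0-constructed",
         "source": {"type": "git", "reference": "2" * 40}},
    ],
})


def build_sample_project():
    """Create a constructed vendor tree: one clean package, one carrying both indicators."""
    root = Path(tempfile.mkdtemp(prefix="laravel-lang-triage-"))
    clean = root / "vendor" / "laravel-lang" / "attributes" / "src"
    clean.mkdir(parents=True)
    (clean / "Attributes.php").write_text("<?php // constructed, benign\n")
    bad = root / "vendor" / "laravel-lang" / "lang" / "src"
    bad.mkdir(parents=True)
    (bad / "helpers.php").write_text(
        "<?php // constructed sample mimicking the indicator: " + C2_DOMAIN + "\n")
    return str(root / "vendor")


if __name__ == "__main__":
    found = affected_from_lock(SAMPLE_LOCK)
    print("installed affected packages:", found)
    print("references not known upstream:", unexpected_references(found, {"1" * 40}))
    for finding in scan_vendor(build_sample_project()):
        print("finding:", finding)
```

On a real project, point `affected_from_lock` at the project's own `composer.lock`, build `trusted_refs` from a fresh clone of each upstream repository rather than from the tarball Composer fetched, and run `scan_vendor` against the real `vendor/` directory. A hit on either indicator, or a reference outside the upstream history, should move the host into the "treat as compromised" and secret-rotation steps above rather than just a reinstall.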
