Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

What Happened

A popular set of third-party translation packages for the Laravel web framework was hacked, affecting over 700 versions. When developers install these compromised packages, a hidden backdoor automatically runs and downloads a powerful information-stealing program. This malware searches the server or developer's computer for sensitive passwords, cloud access keys, and browser data, sending it all back to the attackers. Any organization using these packages should assume their passwords and access keys have been stolen and must change them immediately. Developers should also rebuild affected systems and block the compromised packages until they are fixed.

Key Takeaways

• Over 700 historical versions of Laravel Lang packages were compromised with an RCE backdoor.
• The malicious code executes automatically via Composer's autoloader on every PHP request.
• The second-stage payload is a highly sophisticated, cross-platform information stealer targeting cloud, CI/CD, and local secrets.
• The malware drops a Windows executable (DebugChromium.exe) to bypass Chrome v127+ App-Bound Encryption.
• Organizations using affected packages must assume full compromise and initiate comprehensive secret rotation.

Affected Systems

• PHP applications using compromised versions of laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, or laravel-lang/actions
• Linux, macOS, and Windows environments running the compromised code

Attack Chain

The attack begins when a developer installs a compromised Laravel Lang package via Composer. The malicious src/helpers.php file is loaded automatically by Composer's autoloader, executing on every PHP request. It dynamically resolves the C2 domain and downloads a second-stage PHP payload to a hidden temporary directory. This payload, a comprehensive information stealer, is executed in the background to harvest cloud credentials, CI/CD secrets, browser data, and local files, which are then XOR-encrypted and exfiltrated to the C2 server.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules but lists behavioral indicators and IOCs for hunting.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions should easily detect the execution of DebugChromium.exe, suspicious child processes spawned by PHP (e.g., cscript or background php), and unusual file reads across sensitive directories. Network Visibility: Medium — Network monitoring can detect outbound connections to the C2 domain (flipboxstudio.info), though the traffic is HTTPS and XOR-encrypted. Detection Difficulty: Moderate — While the initial execution blends in with normal PHP application behavior, the subsequent aggressive credential harvesting, dropping of executables, and C2 communication provide strong behavioral signals.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• File Creation (Sysmon 11)
• DNS Query (Sysmon 22)
• Network Connection (Sysmon 3)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Hunt for PHP processes spawning cscript.exe or background php processes, which may indicate the execution of the staged payload.	Process Creation	Execution	Low
Look for the creation of hidden directories or files matching .laravel_locale in system temporary directories.	File Creation	Defense Evasion	Low
Monitor for unexpected outbound network connections from web server processes to unknown domains, particularly flipboxstudio.info.	Network Connection	Command and Control	Low
Search for the presence or execution of a file named DebugChromium.exe on Windows systems, especially if dropped by a web server process.	File Creation, Process Creation	Credential Access	Low
Hunt for web server processes making HTTP requests to the cloud instance metadata IP (169.254.169.254) if the application does not legitimately require it.	Network Connection	Credential Access	Medium

Control Gaps

• Lack of egress filtering for web servers
• Insufficient monitoring of PHP child processes
• Unrestricted access to cloud metadata endpoints from application containers

Key Behavioral Indicators

• PHP process spawning cscript.exe
• Creation of DebugChromium.exe
• Web server process reading /proc/[pid]/environ or /var/run/secrets/

False Positive Assessment

• Low. The presence of the specific C2 domain (flipboxstudio.info), the .laravel_locale staging directory, or the DebugChromium.exe file are highly indicative of this specific compromise.

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Check composer.lock for compromised packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions) and block them.
• Assume full compromise of any host or container that ran the affected packages and initiate comprehensive secret rotation (cloud, K8s, Vault, CI/CD, DB, etc.).
• Preserve logs, composer.lock, cache contents, and temporary directories for forensic analysis before rebuilding systems.

Infrastructure Hardening

• Consider implementing strict egress filtering on web servers and CI/CD runners to block outbound connections to unknown domains.
• Evaluate restricting access to cloud instance metadata endpoints (IMDSv2) to only authorized processes or containers.
• Rebuild affected hosts, containers, and CI runners from known-good images where possible.

User Protection

• Consider rotating all developer credentials, SSH keys, and VPN configurations if the compromised packages were run on local developer machines.
• Ensure endpoint detection and response (EDR) tools are deployed and actively monitoring developer workstations.

Security Awareness

• Consider educating development teams on the risks of supply chain attacks and the importance of pinning dependencies to known-good versions.
• Evaluate incorporating dependency auditing and software composition analysis (SCA) into the CI/CD pipeline.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1059.004 - Command and Scripting Interpreter: Unix Shell
• T1059.005 - Command and Scripting Interpreter: Visual Basic
• T1552.001 - Unsecured Credentials: Credentials In Files
• T1552.007 - Unsecured Credentials: Credentials in Cloud Instance Metadata API
• T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
• T1048 - Exfiltration Over Alternative Protocol

Additional IOCs

• Domains:
  • flipboxstudio[.]info - C2 and exfiltration domain
• Urls:
  • hxxps://flipboxstudio[.]info/payload - Payload download URL
  • hxxps://flipboxstudio[.]info/exfil - Data exfiltration endpoint
• File Paths:
  • sys_get_temp_dir()/.laravel_locale/ - Hidden temporary directory used for staging the downloaded payload
• Command Lines:
  • Purpose: Background execution of the PHP payload on Unix environments | Tools: php, exec | Stage: Execution | exec("php
  • Purpose: Execution of the generated VBS payload on Windows systems | Tools: cscript | Stage: Execution | cscript
• Other:
  • laravel-lang/lang - Compromised Composer package
  • laravel-lang/http-statuses - Compromised Composer package
  • laravel-lang/attributes - Compromised Composer package
  • laravel-lang/actions - Compromised Composer package