A compromise of the community-maintained Laravel Lang project injected remote code execution backdoors into multiple packages, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, across 700+ historical versions. The payload uses Composer autoload execution to steal secrets and exfiltrate data via flipboxstudio[.]info, affecting Laravel applications that installed the poisoned packages. #LaravelLang #flipboxstudio.info #DebugChromium.exe
Keypoints
- Multiple Laravel Lang packages were compromised, not just a single version or repository.
- Affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions.
- The malicious code was placed in src/helpers.php and registered through composer.json autoload.files, enabling automatic execution.
- Rapid tag publication across several repositories suggests a broader release-process compromise or attacker access to organization-level infrastructure.
- The backdoor retrieves and runs a second-stage payload that performs cross-platform credential theft and data exfiltration.
- The stealer targets cloud, Kubernetes, CI/CD, browser, password manager, source control, VPN, and local configuration secrets.
- Defenders are advised to treat systems as compromised, rotate exposed secrets, and rebuild affected hosts or runners from known-good images.
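As an added example (not from the advisory or the Laravel Lang project), a small Python scanner that applies the key points above to a composer.lock or vendor/composer/installed.json: it flags the named packages and rates a finding high when the package registers src/helpers.php under autoload.files, the execution vector described above. The sample lock data, its versions and its file paths are constructed for the example.

```python
import json
import sys

# Package names the advisory reports as compromised.
AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
# Autoload entry the advisory names as the execution vector.
BACKDOOR_AUTOLOAD_FILE = "src/helpers.php"


def _package_lists(data):
    """Return package arrays from composer.lock or vendor/composer/installed.json."""
    if isinstance(data, list):  # Composer 1 installed.json is a bare array
        return [data]
    return [data.get("packages", []), data.get("packages-dev", [])]


def find_suspicious_packages(data) -> list[dict]:
    """Flag affected packages: 'high' if src/helpers.php is autoloaded, else 'review'."""
    findings = []
    for packages in _package_lists(data):
        for pkg in packages:
            name = pkg.get("name", "")
            if name not in AFFECTED_PACKAGES:
                continue
            files = pkg.get("autoload", {}).get("files", [])
            severity = "high" if BACKDOOR_AUTOLOAD_FILE in files else "review"
            findings.append({"name": name, "version": pkg.get("version"),
                             "severity": severity, "autoload_files": files})
    return findings


def scan_file(path: str) -> list[dict]:
    """Load a composer.lock / installed.json from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return find_suspicious_packages(json.load(fh))


# Constructed sample lock data; versions are placeholders, not real releases.
SAMPLE_LOCK = {
    "packages": [
        {"name": "laravel/framework", "version": "vX.Y.Z",
         "autoload": {"files": ["src/Illuminate/Support/helpers.php"]}},
        {"name": "laravel-lang/lang", "version": "X.Y.Z",
         "autoload": {"files": ["src/helpers.php"]}},
        {"name": "laravel-lang/attributes", "version": "X.Y.Z",
         "autoload": {"psr-4": {"Example\\": "src/"}}},
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_suspicious_packages(SAMPLE_LOCK)
    for f in results:
        print(f"[{f['severity']}] {f['name']} {f['version']} autoload.files={f['autoload_files']}")
```

Run it against a project's composer.lock to list which affected packages are pinned; a 'review' result still warrants checking the installed vendor copy, since the page reports 700+ poisoned historical versions.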
MITRE Techniques
- [T1059.006] Command and Scripting Interpreter: Python – The malicious PHP loader executes downloaded payloads in the background and uses scripting on Windows via cscript. (‘exec(“php …”)’ and ‘generating and running a .vbs script via cscript on Windows systems’)
- [T1105] Ingress Tool Transfer – The malware downloads a second-stage payload from a remote server for later execution. (‘The script reaches out to https://flipboxstudio[.]info/payload’)
- [T1027] Obfuscated Files or Information – The C2 hostname is built dynamically from character codes to evade static analysis. (‘It dynamically builds its Command and Control (C2) hostname … using character codes’)
- [T1573] Encrypted Channel – The stolen data is XOR-encrypted before exfiltration using a hardcoded key. (‘Uses a hardcoded key … to XOR-encrypt the stolen data before exfiltration’)
- [T1119] Automated Collection – The stealer uses many collectors to systematically harvest secrets from files, variables, cloud metadata, browsers, and more. (‘Orchestration: The Stealer class initializes 17 distinct “Collectors”’)
- [T1552.001] Unsecured Credentials: Credentials In Files – The malware searches configuration files, history files, SSH keys, .env files, and other local files for secrets. (‘Scours Windows, macOS, and Linux paths for high-value configuration and credential files’)
- [T1552.004] Unsecured Credentials: Private Keys – It specifically targets SSH private keys and other private key material. (‘SSH private keys … private keys’)
- [T1528] Steal Application Access Token – The collectors extract tokens from services like Discord, Slack, GitHub, GitLab, and CI/CD systems. (‘extracting tokens and configurations from Jenkins … GitHub Actions … Discord and Slack’)
- [T1539] Steal Web Session Cookie – The browser collector targets cookies and login data from major browsers. (‘Extracts history, cookies, and login data from Chrome, Edge, Firefox, Brave, and Opera’)
- [T1057] Process Discovery – The malware reads process environment and command-line data from /proc to capture secrets from running processes. (‘Reads /proc/[pid]/environ and /proc/[pid]/cmdline’)
- [T1021.004] Remote Services: SSH – The payload searches for SSH-related credentials and configurations across systems. (‘SSH private keys … PuTTY/WinSCP saved sessions’)
- [T1611] Escape to Host – The malware targets container and host-adjacent secrets such as Kubernetes service account tokens and host configuration paths. (‘Steals Kubernetes Service Account tokens from /var/run/secrets/…’)
- [T1018] Remote System Discovery – It queries cloud metadata endpoints like EC2 IMDS to identify roles and instance details. (‘Queries cloud metadata endpoints (e.g., EC2 IMDS at 169.254.169.254)’)
Indicators of Compromise
- [Domains] C2 and exfiltration infrastructure – flipboxstudio[.]info, and other related requests
- [URLs] Payload retrieval and data exfiltration endpoints – https://flipboxstudio[.]info/payload, https://flipboxstudio[.]info/exfil
- [File names] Malicious and dropped files – src/helpers.php, DebugChromium.exe, and a dropped .vbs script
- [Paths] Temporary staging locations – sys_get_temp_dir()/.laravel_locale/, /var/run/secrets/, and /proc/[pid]/environ
- [IP addresses] Cloud metadata access target – 169.254.169.254
- [Package names] Affected compromised packages – laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions
- [Composer autoload entry] Automatic execution vector – autoload.files → src/helpers.php