A supply chain attack against Laravel Lang localization packages abused GitHub tags and Composer distribution to deliver malicious releases that installed a credential-stealing payload. The campaign used a dropper from flipboxstudio[.]info to deploy the DebugElevator infostealer, targeting browser data, cloud secrets, Git credentials, and other sensitive credentials.
Key points
- Attackers rewrote GitHub tags in Laravel Lang repositories to point to malicious commits.
- The affected packages included laravel-lang/lang, http-statuses, attributes, and possibly actions.
- Composer loaded a malicious src/helpers.php file that acted as a dropper.
- The second-stage payload stole cloud credentials, SSH keys, browser data, and other secrets.
- Packagist removed the malicious versions and developers were urged to rotate exposed credentials.
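A defender-side check for the tag rewriting and the helpers.php loading described above, as an added example that is not part of the original report: it compares a known-good composer.lock with the current one and flags a version whose pinned commit changed, plus any newly auto-included file. The "laravel-lang/" prefix on the short package names, the assumption that the dropper was wired in through Composer's autoload "files" list, and all sample versions and commit ids are assumptions or constructed values.

```python
# Package names from the key points above; the "laravel-lang/" vendor prefix
# on the three short names is an assumption.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}

def index_lock(lock):
    """Map package name -> (version, pinned commit, autoload 'files' entries)."""
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            ref = ((pkg.get("source") or {}).get("reference")
                   or (pkg.get("dist") or {}).get("reference"))
            files = tuple((pkg.get("autoload") or {}).get("files", []))
            out[pkg["name"]] = (pkg.get("version"), ref, files)
    return out

def audit(baseline_lock, current_lock):
    """Compare a known-good composer.lock (parsed JSON) with the current one."""
    base, findings = index_lock(baseline_lock), []
    for name, (version, ref, files) in sorted(index_lock(current_lock).items()):
        if name in AFFECTED:
            findings.append((name, "affected-package", f"{version} @ {ref}"))
        old = base.get(name)
        if old is None:
            continue
        if old[0] == version and old[1] != ref:   # same tag, different commit
            findings.append((name, "tag-moved", f"{old[1]} -> {ref}"))
        added = sorted(set(files) - set(old[2]))  # files Composer now auto-includes
        if added:
            findings.append((name, "new-autoload-file", ", ".join(added)))
    return findings

def _pkg(name, version, ref, files=()):
    """Build a constructed lock entry (sample data, not real release values)."""
    return {"name": name, "version": version,
            "source": {"type": "git", "reference": ref},
            "autoload": {"files": list(files)}}

GOOD, MOVED = "a" * 40, "b" * 40   # constructed commit ids
BASELINE = {"packages": [_pkg("laravel-lang/lang", "v0.0.0-sample", GOOD),
                         _pkg("example/unchanged", "1.0.0", GOOD)]}
CURRENT = {"packages": [_pkg("laravel-lang/lang", "v0.0.0-sample", MOVED,
                             ["src/helpers.php"]),
                        _pkg("example/unchanged", "1.0.0", GOOD)]}

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(*finding, sep="\t")
```

On a real project, load the lock file from the last trusted commit and the current one with `json.load` and pass both to `audit()`.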