Most developers treat a Git tag like a signed receipt — proof that a specific commit was reviewed, approved, and shipped. Last Friday, attackers turned that assumption into a credential-harvesting machine by rewriting tags across the Laravel Lang ecosystem to silently point at malicious forks. No new versions. No suspicious release notes. Just every historical tag, quietly repointed to a payload that hoovers up AWS keys, GitHub tokens, SSH keys, and crypto wallet seeds.
This isn’t another typosquatting story — it’s a structural failure in how the PHP ecosystem — and arguably every package manager that resolves by tag — verifies what “version 15.29.4” actually means.
The Attack Rewrote History Instead of Adding to It
According to coordinated reports from StepSecurity, Aikido Security, and Socket, attackers compromised the Laravel Lang organization on GitHub and rewrote existing version tags across four repositories: laravel-lang/lang, laravel-lang/HTTP-statuses, laravel-lang/attributes, and likely laravel-lang/actions. Aikido counted 233 affected versions across three repositories. Socket put the historical exposure closer to 700 versions. StepSecurity logged the rewrites starting at 22:32 UTC against the flagship laravel-lang/lang repository (502 tags) and finishing by 00:00 UTC against laravel-lang/actions.
The twist: the source code on the original repositories was never modified. The attacker abused a GitHub behavior that allows a tag in one repository to resolve to a commit living in a fork of that repository. So git tag v1.2.3 could be quietly pointed at a malicious commit in attacker/laravel-lang-fork while the upstream repo looked untouched at a glance.
If you run composer update on a project that pulls laravel-lang/lang, Composer resolves the tag, fetches the tree, and dutifully installs whatever the tag points to. That is the contract. The contract just got broken.
Why it matters: Most supply chain detection tools watch for new versions, suspicious maintainers, or obvious diff anomalies. Tag rewriting bypasses all of that, because the version number you locked in your composer.lock from six months ago can now resolve to entirely different code. Take: Expect every serious package manager to start treating tag immutability as a first-class security property within the next twelve months — and expect lockfile hash pinning, not version pinning, to become the new minimum bar.
A Credential Stealer Built for Modern Developer Stacks
The injected src/helpers.php was auto-loaded by Composer and acted as a dropper, calling out to a C2 at flipboxstudio[.]info to fetch a second PHP payload. That payload runs cross-platform on Linux, macOS, and Windows, and the target list reads like an inventory of a working developer’s laptop.
It scrapes cloud credentials, Kubernetes secrets, HashiCorp Vault tokens, Git credentials, CI/CD secrets, SSH keys, browser data, cryptocurrency wallets, password manager files, VPN configurations, and local .env files. It carries regular expressions tuned to extract AWS keys, GitHub tokens, Slack tokens, Stripe secrets, database credentials, JWTs, SSH private keys, and crypto recovery phrases — the exact secret shapes that show up in a half-finished feature branch at 11pm.
If you are a Laravel shop running CI in GitHub Actions with the usual cocktail of Stripe, AWS, and a Postgres instance behind Vault, one tainted composer install on a developer laptop or build runner is enough to leak the entire blast radius. The same is true for any agency that ships Laravel work across client projects — your ~/.aws/credentials and ~/.ssh/id_ed25519 are the prize, not the localization strings. Teams shipping regulated workloads such as healthcare or pharma software should treat any developer machine that touched a compromised tag as fully untrusted until rotated.
Take: The era of casually committing PHP dependencies and assuming “it’s just translation strings” is over. Localization packages, status code helpers, and other unsexy utilities are now prime targets precisely because nobody audits them.
A Windows Payload With Claude in the Path
On Windows, the PHP stage drops a base64-encoded executable into %TEMP% under a random name and launches it. BleepingComputer identified the binary as DebugElevator, designed to attack Chrome, Brave, and Edge by extracting App-Bound Encryption keys so it can decrypt stored browser credentials. That capability matters: App-Bound Encryption was Google’s answer to commodity infostealers, and any malware that handles it is operating at a higher tier than your average PHP dropper.
The embedded PDB path is the detail every developer should sit with:
C:\Users\Mero\OneDrive\Desktop\stuff\claude\Chromium-DebugElevator\x64\Release\DebugChromium.pdb
The folder name claude strongly suggests AI tooling was used somewhere in the development of the Windows component. Whether that is Claude Code, the Claude desktop app, or a folder of pasted snippets is unknowable from a path string alone — but the signal is there, and it’s among the cleaner public artifacts of AI-assisted offensive tooling seen in a real campaign.
Take: Within a year, IOC writeups will routinely include “AI tooling references in build artifacts” as a standard field, the same way they list compiler versions and PDB paths today. Defenders should start treating those breadcrumbs as first-class telemetry.
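A small triage routine that does exactly that, added here as an example rather than anything from BleepingComputer's analysis: it scans a PE image blob for CodeView RSDS records (the structure that carries the PDB path), pulls the path out, and turns it into two telemetry fields, the user-profile name and any tooling keywords in the directory names. Scanning for the magic is faster than walking the PE debug directory but can be fooled by a stray "RSDS" in data, so treat it as a first pass. The byte blob, the second PDB path and the keyword watchlist are constructed; only the first path is the one quoted above.

```python
"""Extract PDB paths from a PE image blob and surface build-path telemetry.

Added example, not the reporters' tooling.  The blob, the second path and
the watchlist are constructed placeholders.
"""
import re

# Constructed watchlist of tooling names worth surfacing from build paths.
TOOLING_WATCHLIST = ("claude", "chatgpt", "copilot", "cursor")

# CodeView record layout: 'RSDS' signature, 16-byte GUID, 4-byte age,
# NUL-terminated PDB path.
RSDS_HEADER_LEN = 4 + 16 + 4


def extract_pdb_paths(blob):
    """Return every PDB path found in RSDS records inside `blob`."""
    paths, start = [], 0
    while True:
        i = blob.find(b"RSDS", start)
        if i < 0:
            break
        p = i + RSDS_HEADER_LEN
        end = blob.find(b"\x00", p)
        if end < 0:
            break
        try:
            path = blob[p:end].decode("utf-8")
        except UnicodeDecodeError:
            path = ""
        # Only keep records that actually look like a PDB path; anything
        # else is a false positive from data that happened to contain 'RSDS'.
        if path and path.lower().endswith(".pdb"):
            paths.append(path)
        start = i + 4
    return paths


def summarize_pdb_path(path, watchlist=TOOLING_WATCHLIST):
    """Telemetry fields from one PDB path: user-profile name and tooling hits."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    user = None
    for k, part in enumerate(parts[:-1]):
        if part.lower() == "users":
            user = parts[k + 1]   # the segment after \Users\
            break
    lowered = [p.lower() for p in parts]
    hits = sorted(w for w in watchlist if any(w in p for p in lowered))
    return {"path": path, "user": user, "tooling": hits}


def rsds_record(path):
    """Build a CodeView RSDS record around `path` (constructed GUID and age)."""
    return b"RSDS" + bytes(range(16)) + (1).to_bytes(4, "little") + path.encode() + b"\x00"


# The path quoted in the article, plus a constructed, unremarkable build-server path.
QUOTED_PDB = (r"C:\Users\Mero\OneDrive\Desktop\stuff\claude"
              r"\Chromium-DebugElevator\x64\Release\DebugChromium.pdb")
SERVER_PDB = r"D:\a\_work\1\s\out\Release\app.pdb"

# Constructed blob: filler, the quoted record, more filler, the second record.
SAMPLE_BLOB = (b"MZ" + b"\x90" * 64 + rsds_record(QUOTED_PDB)
               + b"\x00" * 32 + rsds_record(SERVER_PDB) + b"\xff" * 8)


if __name__ == "__main__":
    for pdb in extract_pdb_paths(SAMPLE_BLOB):
        print(summarize_pdb_path(pdb))
```

Run it over a real sample with `extract_pdb_paths(open(path, "rb").read())`; the `user` and `tooling` fields are the two values worth adding alongside the compiler version and raw PDB path in a writeup.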
What to Do Before Monday
Packagist responded by removing the malicious versions and temporarily unlisting the affected packages, per Aikido’s report. That stops the bleeding for new installs, but it does not help any environment that already pulled a tainted release.
If you run any Laravel project — even one you inherited and never touched — pull a list of every machine and CI runner that has executed composer install in the past few weeks. Diff your composer.lock against known-good Laravel Lang commit hashes. Rotate anything the stealer would have grabbed: AWS access keys, GitHub PATs, Slack tokens, Stripe keys, SSH keys, VPN configs, and any .env value that was loaded into memory during a build. Search outbound network logs for connections to flipboxstudio[.]info. Assume any browser session on an affected Windows machine is compromised and force re-authentication on the SSO that gates everything else.
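The "search outbound network logs" step, as an added example that is not from any of the cited reports: it refangs the published indicator, walks each log line token by token so it works on both a proxy access log and a DNS query log, matches the domain and its subdomains only (never a superstring like a look-alike host), and returns the source IPs that need their credentials rotated. The log lines are constructed; their formats imitate a squid-style proxy log and a dnsmasq-style query log.

```python
"""Scan outbound proxy and DNS log lines for contact with the published C2 domain.

Added example; the log lines are constructed and the formats are assumptions.
"""
import re
from urllib.parse import urlsplit

# Defanged indicator exactly as published in the reports.
C2_INDICATOR = "flipboxstudio[.]info"

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator):
    """Turn a defanged IoC back into a matchable hostname."""
    return indicator.lower().replace("[.]", ".").replace("hxxp", "http")


def host_of(token):
    """Bare hostname from a URL or host[:port] token; empty string if neither."""
    token = token.strip().lower()
    if "://" in token:
        try:
            return urlsplit(token).hostname or ""
        except ValueError:
            return ""
    return token.split(":")[0]


def matches_domain(host, domain):
    """Exact match or subdomain of `domain`; a look-alike superstring never matches."""
    return host == domain or host.endswith("." + domain)


def scan_outbound(lines, indicator=C2_INDICATOR):
    """Return (line_no, client_ip, host) for each line that reached the domain."""
    domain = refang(indicator)
    hits = []
    for n, line in enumerate(lines, 1):
        tokens = line.split()
        # First IPv4-looking token is the client in both constructed formats.
        client = next((t for t in tokens if IPV4.match(t)), "?")
        for t in tokens:
            host = host_of(t)
            if host and matches_domain(host, domain):
                hits.append((n, client, host))
                break  # one hit per line is enough
    return hits


def affected_clients(lines, indicator=C2_INDICATOR):
    """Set of source IPs whose secrets should be treated as exposed."""
    return {client for _, client, _ in scan_outbound(lines, indicator)}


# Constructed log lines: two proxy hits, one DNS hit, one benign line, and a
# look-alike host that must not match.
LOG_LINES = [
    "1715000000.123    245 10.0.4.17 TCP_TUNNEL/200 3210 CONNECT flipboxstudio.info:443 - HIER_DIRECT/203.0.113.5 -",
    "1715000001.456     12 10.0.4.17 TCP_MISS/200 9876 GET http://flipboxstudio.info/example - HIER_DIRECT/203.0.113.5 text/html",
    "May 10 12:00:01 gw dnsmasq[1234]: query[A] cdn.flipboxstudio.info from 10.0.4.22",
    "1715000002.000     80 10.0.4.30 TCP_MISS/200 1024 GET https://packagist.org/packages.json - HIER_DIRECT/198.51.100.9 application/json",
    "1715000003.000     80 10.0.4.31 TCP_MISS/200 1024 GET https://notflipboxstudio.info/ - HIER_DIRECT/198.51.100.10 text/html",
]

if __name__ == "__main__":
    for line_no, client, host in scan_outbound(LOG_LINES):
        print(f"line {line_no}: {client} -> {host}")
    print("rotate credentials for:", sorted(affected_clients(LOG_LINES)))
```

Feed it real logs with `scan_outbound(open("access.log").readlines())`; the client set is the rotation worklist, and a hit from a CI runner's address means the runner's secrets store, not just one laptop, is in scope.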
Now ask whether your build pipeline pins by commit SHA or by tag. If it is the latter, you are one rewritten tag away from the next version of this story. For teams running auditable supply chain workflows, the same hash-pinning discipline applies to your software bill of materials — and the tradeoffs between tamper-evident ledgers and traditional databases are worth a second look when your release metadata itself becomes the attack surface.
FAQ
Q: Were the official Laravel framework packages affected?
A: No. The compromised repositories belong to the Laravel Lang organization, which maintains third-party localization packages and is not part of the official Laravel project. If your application only depends on laravel/framework and its first-party components, this specific incident does not touch you directly — but you should still audit transitive dependencies.
Q: How can a Git tag silently point to malicious code in a fork?
A: GitHub allows tags in a repository to resolve to commits that exist anywhere in the repository network, including forks. An attacker with org-wide push access can rewrite a tag to point at a commit in a fork they control. Tools that resolve by tag — including Composer in many configurations — will fetch and install whatever that tag now points to, even though the upstream source tree looks unchanged.
Q: Does pinning a version in composer.lock protect me?
A: Partially. composer.lock records commit hashes, so a previously locked install should be reproducible. But any fresh composer install that re-resolves, any composer update, or any CI runner that does not strictly enforce the lockfile will pick up the rewritten tag. Hash-pinning, not version-pinning, is the durable mitigation.
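The "diff your composer.lock against known-good commit hashes" step from the response checklist, and the hash-pinning point made here and in the opening section, as one added example (not Composer's own tooling and not from any of the cited reports). It reads the lockfile's `packages` and `packages-dev` arrays, and for every package under a watched vendor prefix checks three things: that the locked `source.reference` is a full 40-character commit SHA rather than a tag name, that the `dist` and `source` references agree, and that the SHA matches the commit that version resolved to before the incident. The lockfile fragment and the `KNOWN_GOOD` map are constructed placeholders; real known-good values have to come from a trusted pre-incident clone, not from a fresh query against the now-rewritten tags.

```python
"""Audit composer.lock entries for watched packages.

Added example, not Composer's or Laravel Lang's own tooling.  The lockfile
content and the KNOWN_GOOD map below are constructed placeholders.
"""
import json
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed allowlist: package -> {version: commit SHA the tag pointed at
# before the incident}.  Placeholder SHAs, not real laravel-lang commits.
KNOWN_GOOD = {
    "laravel-lang/lang": {"15.29.4": "a" * 40},
}

WATCHED_PREFIXES = ("laravel-lang/",)


def audit_lock(lock_text, known_good=KNOWN_GOOD, watched=WATCHED_PREFIXES):
    """Return (package, version, finding) tuples for every watched package."""
    findings = []
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if not name.startswith(watched):
            continue
        version = pkg.get("version", "?")
        src_ref = (pkg.get("source") or {}).get("reference")
        dist_ref = (pkg.get("dist") or {}).get("reference")

        # A tag name or short hash here means the next install re-resolves
        # the tag; only a full commit SHA pins the tree.
        if not src_ref or not FULL_SHA.match(src_ref):
            findings.append((name, version, "source reference is not a full commit SHA"))
        # Composer writes the zipball (dist) and git (source) references
        # together; a mismatch means one side was edited afterwards.
        if src_ref and dist_ref and src_ref != dist_ref:
            findings.append((name, version, "dist and source references disagree"))
        # Compare with the commit this version resolved to before the rewrite.
        expected = known_good.get(name, {}).get(version)
        if expected is None:
            findings.append((name, version, "no known-good commit recorded; verify by hand"))
        elif src_ref != expected:
            findings.append((name, version,
                             f"locked commit {(src_ref or '?')[:12]} != known-good {expected[:12]}"))
    return findings


# Constructed composer.lock fragment: one package whose locked commit differs
# from the known-good one, one locked by tag name, one outside the watchlist.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.29.4",
         "source": {"type": "git", "url": "https://github.com/laravel-lang/lang.git",
                    "reference": "b" * 40},
         "dist": {"type": "zip", "reference": "b" * 40}},
        {"name": "laravel-lang/attributes", "version": "2.9.0",
         "source": {"type": "git", "url": "https://github.com/laravel-lang/attributes.git",
                    "reference": "2.9.0"},
         "dist": {"type": "zip", "reference": "2.9.0"}},
        {"name": "monolog/monolog", "version": "3.5.0",
         "source": {"type": "git", "url": "https://github.com/Seldaek/monolog.git",
                    "reference": "c" * 40},
         "dist": {"type": "zip", "reference": "c" * 40}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, version, finding in audit_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {finding}")
```

Point it at a real file with `audit_lock(open("composer.lock").read())`. A clean run only proves the lockfile still names the pre-incident commits; it says nothing about a runner that ran `composer update` or ignored the lockfile, which is why the checklist above starts by enumerating every machine that installed during the window.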
Key Takeaways
- Treat any developer machine or CI runner that installed Laravel Lang packages during the incident window as compromised until credentials are rotated and outbound traffic to flipboxstudio[.]info is ruled out.
- Move build pipelines from tag-based resolution to commit-SHA pinning; tag immutability is not a guarantee any package manager can currently enforce.
- Add unsexy utility libraries — localization, status codes, helpers — to your highest-scrutiny audit tier, because attackers have figured out that nobody reviews them.
- Start logging and alerting on AI-tooling artifacts in malware samples; the claude folder reference in DebugElevator’s PDB will not be the last of its kind.
- If your CI secrets, browser sessions, and SSH keys all live on the same laptop with no isolation, this incident is a preview of how cheaply that posture fails.