Attackers have pulled off a sophisticated supply chain attack against a widely used set of open-source packages called Laravel Lang — tools that help developers build multilingual websites and apps. Instead of publishing an obviously new malicious version, the attackers quietly rewrote 233 to 700 historical release tags in the packages’ GitHub repositories so they pointed to code that contained a hidden credential stealer.
When developers installed or reinstalled any of those older versions through the standard Composer package manager, the malware would silently collect API keys, cloud credentials, SSH private keys, browser-saved passwords, cryptocurrency wallet phrases, and dozens of other secrets — then send everything to an attacker-controlled server. The affected packages have been removed from Packagist (the main PHP package registry), but any developer who installed them during the attack window should assume their credentials were stolen.
How to check if you’re affected
Affected products include the laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions packages. If you are a developer who installed or updated any of these packages between May 22 and May 24, 2026, rotate all credentials stored on or accessible from that machine — including cloud access keys (AWS, GCP, Azure), GitHub tokens, database passwords, and anything stored in your browser. Check outbound network logs for connections to flipboxstudio[.]info. If you are an end user of a product built by developers who may have been affected, watch for unusual account activity and consider changing passwords for any services you use.