Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer

Cybersecurity researchers have flagged a fresh software supply chain attack campaign that has targeted multiple PHP packages belonging to Laravel-Lang to deliver a comprehensive credential-stealing framework. The affected packages include - laravel-lang/lang laravel-lang/http-statuses laravel-lang/attributes laravel-lang/actions "The timing and pattern of the newly published tags

The article describes a software supply chain attack in which an attacker with push access to the Laravel-Lang GitHub organization rewrote hundreds of git tags across multiple PHP Composer packages (including laravel-lang/lang, http-statuses, attributes, and actions) to insert a PHP-based, cross-platform credential stealer that auto-loads via Composer.[1][4] Reports from StepSecurity, Aikido Security, and others state that the payload contacts flipboxstudio[.]info, downloads a ~5,900 line stealer, and exfiltrates cloud, CI/CD, browser, password manager, VPN, SSH, and other sensitive secrets from Windows, Linux, and macOS, then deletes itself to hinder forensics.[1][2][3][4] From a CyberSE.AI perspective, this illustrates critical AI supply chain risk: any AI agents, pipelines, or model-training jobs that rely on PHP-based services or CI runners using these packages could have had environment variables, API keys, model access tokens, data connectors, or deployment credentials stolen. Organizations should perform SBOM-driven dependency audits, lock to verified commits, implement strict CI integrity controls (including code signing and tag protection), and run continuous red teaming s