{
  "name": "Laravel Lang Compromised with RCE Backdoor Across 700+ Versions",
  "slug": "laravel-lang-compromised-with-rce-backdoor-across-700-versions",
  "description": "Community-maintained Laravel Lang packages were compromised with remote code execution backdoors affecting over 700 versions across multiple repositories, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The attack involved coordinated rapid tag publishing on May 22-23, 2026, suggesting organization-level credential compromise. A malicious helpers.php file was executed automatically via Composer's autoloader, with no explicit call needed from the host application, and deployed a sophisticated cross-platform information stealer as a second-stage payload. That payload systematically harvested credentials from cloud infrastructure, Kubernetes, CI/CD systems, browsers, password managers, cryptocurrency wallets, VPN clients, and local configurations. Stolen data was encrypted and exfiltrated to a command-and-control server. The backdoor employed advanced evasion techniques including TLS verification bypass, per-host execution markers, and embedded Windows executables that were used to bypass Chrome encryption protections.",
  "published": "2026-05-23T08:56:25+00:00",
  "created_at": "2026-05-23T08:56:25+00:00",
  "modified_at": "2026-05-25T08:51:12+00:00",
  "created_at_opencti": "2026-05-23T08:56:25+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-23",
    "developer compromise",
    "information stealer",
    "laravel",
    "rce backdoor",
    "supply chain attack"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://flipboxstudio.info/exfil"
      },
      {
        "id": "",
        "name": "https://flipboxstudio.info/payload"
      }
    ],
    "malware": [
      {
        "id": "01905724-de00-4a98-a7cb-9e8ebfbaea5b",
        "name": "DebugChromium.exe",
        "slug": "debugchromiumexe"
      },
      {
        "id": "cc576798-5801-4a30-8c6b-c9b6e47caa1e",
        "name": "helpers.php stealer",
        "slug": "helpersphp-stealer"
      }
    ],
    "attack_patterns": [
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "8142c537-ccb7-486e-a320-a51d2eac58db",
        "name": "T1552.002"
      },
      {
        "id": "894026fa-e537-4b95-b612-7dd8bc367a0d",
        "name": "T1078.001"
      },
      {
        "id": "97cda0df-73f8-46ac-9b12-ba9b7f4032ab",
        "name": "T1552.007"
      },
      {
        "id": "9f21708c-24b6-46b5-bf7e-522256e8470c",
        "name": "T1552.004"
      },
      {
        "id": "99571c5a-1615-4466-ab0e-f4d9e9219640",
        "name": "T1552.006"
      },
      {
        "id": "29397576-b3af-4bac-8cab-de3c2ba4b9a0",
        "name": "T1552.005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "535a45a7-819f-46fa-947a-c9eabd27c419",
        "name": "T1555.005"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "759720f6-8f0f-4017-ab21-7ac30d0bf46f",
        "name": "T1555.001"
      },
      {
        "id": "ee82762a-2958-4901-aade-341277d9b410",
        "name": "T1078.004"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "flipboxstudio.info"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6a1187d92cdbfd79095008cd",
    "https://socket.dev/blog/laravel-lang-compromise"
  ]
}