Attackers compromised the Laravel Lang organization's release infrastructure on May 22–23, 2026 and rewrote every existing git tag across four widely used PHP localization packages to point at malicious commits. Because existing tags were moved rather than new releases published, historical versions of those packages resolved to credential-stealing malware instead of the legitimate code developers expected, and kept doing so until the legitimate code was restored.
Rewriting Git Tags Across laravel-lang/lang, http-statuses, attributes, and actions
The attack targeted four repositories under the Laravel Lang organization: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Aikido Security identified 233 malicious versions across three of the repositories; Socket estimated approximately 700 total affected versions across all four.
The mass re-tagging operation completed in a roughly 90-minute window between 22:32 UTC on May 22 and 00:00 UTC on May 23, 2026. Rewriting hundreds of tags across four repositories that quickly points to a scripted operation, and it suggests the attacker held organization-level credentials or had compromised the release automation pipeline rather than having gained access to a single maintainer account.
Why Git Tag Rewriting Is Particularly Dangerous for Developer Pipelines
Unlike publishing a new malicious release, rewriting existing git tags silently backdoors historical versions that developers and automated CI/CD systems treat as verified, known-good code. Composer resolves a version to whatever commit its tag currently points at, so a composer update, a fresh install without a composer.lock, or an internal mirror or artifact repository that re-fetched the packages during the window picked up the malicious commits while still reporting the familiar version numbers, and organizations that cached those copies may have stored them without realizing the underlying content had changed. A composer install against an unchanged composer.lock fetches the commit hash recorded in the lock file rather than re-reading the tag, so it is far less exposed; that recorded hash is the first thing to check. A developer who ran composer install or composer update against any of the four affected packages during the 90-minute attack window, or who pulled from a cached mirror that fetched during that window, may have installed the malicious payload.
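The check a mirror or artifact-repository operator would want for this class of attack is to keep a snapshot of git ls-remote --tags output for each upstream and diff it on every sync, comparing the commit each tag resolves to rather than the tag object. The script below is an added example, not code from the advisory or from the Laravel Lang project; the two snapshots it works on are constructed, with fake hashes and version numbers, and in a real run would be two captures from the upstream repository taken at different times. It also groups moved tags by their new target, because many historical tags collapsing onto one or a few commits is the pattern of a scripted mass re-tag rather than a maintainer fixing one mis-tagged release.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One line of `git ls-remote --tags` output: "<40-hex sha><tab>refs/tags/<name>".
LS_REMOTE_LINE = re.compile(r"^([0-9a-f]{40})\s+refs/tags/(\S+)$")


def parse_snapshot(text: str) -> Dict[str, str]:
    """Map each tag name to the commit it resolves to.

    Annotated tags show up twice: the tag object (refs/tags/X) and the commit it
    is peeled to (refs/tags/X^{}).  Lightweight tags show up once, already at the
    commit.  Composer and Packagist care about the commit, so the peeled hash wins.
    """
    tag_obj: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LS_REMOTE_LINE.match(raw.strip())
        if not m:
            continue
        sha, name = m.groups()
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tag_obj[name] = sha
    return {name: peeled.get(name, sha) for name, sha in tag_obj.items()}


def diff_snapshots(before: str, after: str) -> Dict[str, object]:
    """Tags whose commit changed, plus tags that vanished or appeared."""
    old, new = parse_snapshot(before), parse_snapshot(after)
    moved: List[Tuple[str, str, str]] = [
        (tag, old[tag], new[tag]) for tag in sorted(old) if tag in new and old[tag] != new[tag]
    ]
    return {
        "moved": moved,
        "deleted": sorted(tag for tag in old if tag not in new),
        "added": sorted(tag for tag in new if tag not in old),
    }


def convergence(moved: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group moved tags by their new commit: many tags landing on one commit is
    the mass re-tag signature."""
    by_target: Dict[str, List[str]] = defaultdict(list)
    for tag, _old, new in moved:
        by_target[new].append(tag)
    return dict(by_target)


def _line(sha: str, ref: str) -> str:
    return f"{sha}\trefs/tags/{ref}"


# Constructed snapshots (fake hashes, fake version numbers), not captures from any real repository.
BEFORE = "\n".join([
    _line("a1" * 20, "1.0.0"), _line("b2" * 20, "1.0.0^{}"),  # annotated tag and its peeled commit
    _line("c3" * 20, "1.1.0"),                                 # lightweight tag
    _line("d4" * 20, "2.0.0"), _line("e5" * 20, "2.0.0^{}"),
])
AFTER = "\n".join([
    _line("f6" * 20, "1.0.0"),                                 # re-pointed (now lightweight) to a new commit
    _line("07" * 20, "1.1.0"), _line("c3" * 20, "1.1.0^{}"),   # re-wrapped as annotated, same commit: not a move
    _line("f6" * 20, "2.0.0"),                                 # re-pointed to the same new commit as 1.0.0
    _line("18" * 20, "2.0.1"), _line("29" * 20, "2.0.1^{}"),   # genuinely new tag
])

if __name__ == "__main__":
    result = diff_snapshots(BEFORE, AFTER)
    for tag, old, new in result["moved"]:
        print(f"MOVED   {tag}: {old[:12]} -> {new[:12]}")
    for tag in result["deleted"]:
        print(f"DELETED {tag}")
    for tag in result["added"]:
        print(f"ADDED   {tag}")
    for target, tags in convergence(result["moved"]).items():
        print(f"{len(tags)} tag(s) now resolve to {target[:12]}: {', '.join(tags)}")
```

Comparing peeled commits matters for the edge case in the sample: a tag re-wrapped as an annotated tag that still points at the same commit is not a move, while a tag silently re-pointed to a different commit is, whether or not its name or annotation changed. In production the BEFORE snapshot is the baseline you captured when the mirror last synced, and any MOVED line on a tag that is not brand new should block the sync and page someone.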
Laravel Lang packages are among the most widely used localization libraries in the PHP and Laravel ecosystem. The scope of developer machine and server exposure is broad.
The DebugElevator Windows Executable and the PHP Server-Side Dropper
The malicious file injected into the packages is src/helpers.php, which acts as a dropper: it downloads a PHP credential stealer from the domain flipboxstudio[.]info, so that domain belongs in DNS, proxy and egress log searches as an indicator of compromise. The payload targets a broad range of high-value secrets: cloud credentials for AWS, GCP, and Azure; Kubernetes secrets; Vault tokens; Git credentials; CI/CD pipeline secrets; SSH keys; browser data; cryptocurrency wallets; password manager data; and local .env configuration files.
Browser Credential Extraction via DebugElevator
A Windows executable named DebugElevator is bundled alongside the PHP payload. DebugElevator extracts browser encryption keys from Chrome, Brave, and Microsoft Edge, enabling offline decryption of saved passwords stored in those browsers. The dual-payload design — PHP for server-side environments and a Windows executable for developer machines — reflects deliberate targeting of both application infrastructure and the developer workstations that have elevated access to production systems, cloud accounts, and code repositories.
Developer machines are particularly high-value targets in supply chain attacks. A single compromised developer workstation can provide credentials that reach production infrastructure, cloud environments, and upstream code repositories simultaneously.
Scope of Exposure and Response
Any PHP or Laravel developer who ran composer install or composer update between approximately 22:32 UTC May 22 and 00:00 UTC May 23, 2026 against any of the four affected packages should treat their machine and any connected infrastructure as potentially compromised. The same applies to organizations whose internal package mirrors cached versions during that window.
Remediation requires removing the malicious package versions, auditing all credentials accessible from affected machines, and rotating any secrets that may have been harvested, including cloud credentials, CI/CD tokens, SSH keys, and browser-stored passwords. Laravel Lang has since restored the legitimate code, but because the attacker reused existing version numbers, a version string alone cannot tell a clean install from a malicious one: compare the commit hash recorded in composer.lock, and the contents of the vendor directory, against the restored release, purge any copies that internal mirrors or artifact repositories cached during the window, and treat any install from that period as suspect until it has been verified.
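A triage script for one project ties together the checks above: which of the four packages composer.lock pins and to which commit, whether the installed copy ships src/helpers.php and wires it into Composer's files autoload (which executes on every include of vendor/autoload.php), and whether any file in the package names the dropper domain. This is an added example, not code from the advisory or from Laravel Lang, and it makes two assumptions worth stating: the domain match is the strong signal, since the page does not say whether a legitimate helpers.php ever existed in these packages, so the presence of the file on its own is only a lead to verify against the restored upstream tree; and the sample project it builds in a temporary directory is constructed, with fake hashes and version numbers and a stand-in helpers.php that contains only the IOC string, not dropper logic. Point it at a real project root to run it for real.

```python
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# The four repositories named in the advisory.
AFFECTED = (
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
)
# Dropper file and callback domain from the advisory (the domain is shown defanged there).
DROPPER_FILE = "src/helpers.php"
IOC_NEEDLE = b"flipboxstudio"  # matches flipboxstudio.info however it is quoted or split


def locked_affected(lock_path: Path) -> Dict[str, Dict[str, str]]:
    """Which affected packages composer.lock pins, and to which commit.

    composer.lock stores the commit under source.reference / dist.reference and
    `composer install` fetches exactly that commit, so a hash matching a release
    you trust means the install did not pick up a moved tag.
    """
    if not lock_path.is_file():
        return {}
    lock = json.loads(lock_path.read_text())
    found: Dict[str, Dict[str, str]] = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in AFFECTED:
                ref = (pkg.get("source") or {}).get("reference") or (pkg.get("dist") or {}).get("reference")
                found[pkg["name"]] = {"version": pkg.get("version", "?"), "reference": ref or "?"}
    return found


def scan_vendor(project: Path) -> List[Tuple[str, str]]:
    """Look inside vendor/ for the dropper file, for it being autoloaded, and for the IOC domain."""
    findings: List[Tuple[str, str]] = []
    for name in AFFECTED:
        pkg_dir = project / "vendor" / name
        if not pkg_dir.is_dir():
            continue
        if (pkg_dir / DROPPER_FILE).is_file():
            findings.append((name, f"{DROPPER_FILE} is present (verify against the upstream tree)"))
        meta = pkg_dir / "composer.json"
        if meta.is_file():
            files = json.loads(meta.read_text()).get("autoload", {}).get("files", [])
            if any(f.endswith("helpers.php") for f in files):
                findings.append((name, "helpers.php is in autoload.files: it runs on every vendor/autoload.php include"))
        for path in sorted(pkg_dir.rglob("*")):
            if path.is_file() and IOC_NEEDLE in path.read_bytes():
                findings.append((name, f"IOC domain string in {path.relative_to(pkg_dir).as_posix()}"))
    return findings


def triage(project: Path) -> Dict[str, object]:
    return {"locked": locked_affected(project / "composer.lock"), "findings": scan_vendor(project)}


def build_sample_project() -> Path:
    """Constructed fixture: a project that pinned two affected packages, whose vendor
    copy of laravel-lang/lang carries an autoloaded helpers.php naming the IOC domain.
    Fake hashes and versions; nothing here is real package content."""
    root = Path(tempfile.mkdtemp(prefix="lang-triage-"))
    lock = {
        "packages": [
            {"name": "laravel-lang/lang", "version": "1.2.3",
             "source": {"type": "git", "reference": "a1" * 20},
             "dist": {"type": "zip", "reference": "a1" * 20}},
            {"name": "laravel/framework", "version": "4.5.6",
             "source": {"type": "git", "reference": "b2" * 20}},
        ],
        "packages-dev": [
            {"name": "laravel-lang/attributes", "version": "7.8.9",
             "dist": {"type": "zip", "reference": "c3" * 20}},
        ],
    }
    (root / "composer.lock").write_text(json.dumps(lock))
    lang = root / "vendor" / "laravel-lang" / "lang"
    (lang / "src").mkdir(parents=True)
    (lang / "composer.json").write_text(json.dumps(
        {"name": "laravel-lang/lang", "autoload": {"files": ["src/helpers.php"]}}))
    (lang / "src" / "helpers.php").write_text(
        '<?php\n// constructed stand-in: only the IOC string, no dropper logic\n$c = "https://flipboxstudio.info/";\n')
    attrs = root / "vendor" / "laravel-lang" / "attributes" / "src"
    attrs.mkdir(parents=True)
    (attrs / "Clean.php").write_text("<?php\n// clean constructed file\n")
    return root


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_project()
    report = triage(target)
    for name, info in report["locked"].items():
        print(f"LOCKED  {name} {info['version']} @ {info['reference']}")
    for name, finding in report["findings"]:
        print(f"FINDING {name}: {finding}")
```

Read the LOCKED lines against the commit hashes of the restored releases: a matching hash means the lock file protected that install, a different hash for the same version number is exactly the moved-tag case. Any FINDING line on the IOC domain is grounds to start the credential rotation described above on every machine that ran the project, not just the one you scanned.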
