Cyber Web Spider Blog – News

PHP Developer Community Threatened by Malicious Packages

Posted on March 4, 2026 By CWS

A significant supply chain attack has emerged within the PHP developer community through Packagist, the default package registry Composer uses for PHP and Laravel projects. The attack relies on malicious packages masquerading as ordinary Laravel utilities; each one deploys a remote access trojan (RAT) that gives the attacker covert, persistent control over any system that installs it.

Deceptive Packages and Their Impact

The attacker, operating under the alias nhattuanbl, released several packages that concealed a fully operational RAT inside what looked like standard Laravel utility libraries, giving the threat actor silent, continuous access to every system that installed them. The strategy was simple but effective: blend in with authentic packages. Between June and December 2024, six packages were published, three of them legitimate, apparently to build credibility for the account. The other two, nhattuanbl/lara-helper and nhattuanbl/simple-queue, carry an identical malicious payload hidden in a file named src/helper.php.

Technical Details and Threat Analysis

The third package, nhattuanbl/lara-swagger, contains no malicious code of its own but lists lara-helper as a required Composer dependency, so installing it pulls the payload in transitively while the top-level package stays clean on inspection. Analysts from Socket.dev identified the trojan across the affected Packagist packages. Once installed, the payload connects to a command-and-control (C2) server at helper[.]leuleu[.]net on port 2096, sends a full system profile, and then waits for instructions, giving the attacker complete remote control over the compromised host.

The potential impact is considerable. Any Laravel application that includes these packages carries a persistent RAT loaded into the web application's own PHP process, so it can read everything the application can: environment variables, database credentials, and the API keys kept in .env files. Because the payload is PHP code rather than a native binary, it runs on Windows, macOS, and Linux alike.

Persistent Threat and Obfuscation Techniques

The RAT is built to persist. If the C2 server becomes unreachable, it retries the connection every 15 seconds, so the attacker can bring the server back or repoint the hostname at new infrastructure later without changing the installed payload. The infection mechanism is also designed for stealth: helper.php, 27,340 bytes in size, is delivered as a single line, which makes it hard to read, and the payload uses several obfuscation techniques (control-flow fragmentation, encoded string literals, and randomized variable and function names) that complicate both manual review and signature-based detection.

The activation mechanism differs between the two infected packages. lara-helper registers a Laravel service provider, so helper.php is loaded every time the application boots. In simple-queue the malicious code runs as soon as Composer's autoloader loads the class file, regardless of how the class is referenced. Once triggered, the RAT detaches into a background process so that it keeps running independently of the request that started it. All traffic to the C2 server is encrypted with AES-128-CTR using a key hardcoded in the payload; that keeps the traffic from standing out as plaintext to naive content inspection, but it also means anyone who recovers the key from the file can decrypt captured sessions.
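The two network traits described above, a fixed C2 endpoint and a 15-second reconnect loop, are both detectable from outbound connection records. The following script is an added example, not code from the article or from Socket.dev's analysis. It assumes a simple constructed log format of `epoch src_ip dst_host dst_port` (not any particular vendor's schema) and embeds a handful of constructed sample lines; the jitter tolerance and minimum sample count are assumed tuning values. The second flagged flow, to a TEST-NET address, shows that the interval check still catches the implant after the attacker repoints it away from the known hostname.

```python
"""Beacon detection over outbound connection records.

Added example, not from the article or from Socket.dev's analysis. The log
format, sample lines, tolerance and sample-count thresholds are all assumed.
"""
from collections import defaultdict
from statistics import median

C2_HOST = "helper.leuleu.net"   # indicator from the article
C2_PORT = 2096                  # indicator from the article
EXPECTED_INTERVAL = 15.0        # seconds, reconnect cadence from the article
JITTER_TOLERANCE = 2.0          # assumed: allow +/- 2 s of scheduling jitter
MIN_SAMPLES = 4                 # assumed: number of gaps needed to call it a beacon

# Constructed sample log, format "epoch src_ip dst_host dst_port". Not real traffic.
SAMPLE_LOG = """\
1700000000 10.0.1.7 helper.leuleu.net 2096
1700000003 10.0.1.7 api.github.com 443
1700000015 10.0.1.7 helper.leuleu.net 2096
1700000030 10.0.1.7 helper.leuleu.net 2096
1700000045 10.0.1.7 helper.leuleu.net 2096
1700000060 10.0.1.7 helper.leuleu.net 2096
1700000000 10.0.1.9 198.51.100.20 2096
1700000015 10.0.1.9 198.51.100.20 2096
1700000031 10.0.1.9 198.51.100.20 2096
1700000046 10.0.1.9 198.51.100.20 2096
1700000060 10.0.1.9 198.51.100.20 2096
1700000010 10.0.1.9 cdn.example.net 443
1700000200 10.0.1.9 cdn.example.net 443
1700000210 10.0.1.9 cdn.example.net 443
"""


def parse(log_text):
    """Yield (timestamp, src, dst_host, dst_port) from the constructed format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, dst, port = parts
        yield float(ts), src, dst, int(port)


def find_ioc_hits(records):
    """Direct indicator match: any connection to the known C2 host and port."""
    return [(ts, src) for ts, src, dst, port in records
            if dst == C2_HOST and port == C2_PORT]


def find_beacons(records, interval=EXPECTED_INTERVAL, tol=JITTER_TOLERANCE):
    """Flag (src, dst, port) flows whose inter-connection gaps cluster near `interval`."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    beacons = []
    for key, times in flows.items():
        times.sort()
        if len(times) < MIN_SAMPLES + 1:
            continue  # too few connections to judge periodicity
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        # Median near the expected cadence and every gap close to the median:
        # a steady retry loop, not a user-driven burst of traffic.
        if abs(med - interval) <= tol and all(abs(g - med) <= tol for g in gaps):
            beacons.append((key, round(med, 1), len(gaps)))
    return beacons


def analyze(log_text=SAMPLE_LOG):
    """Run both checks and return their findings."""
    records = list(parse(log_text))
    return {"ioc_hits": find_ioc_hits(records), "beacons": find_beacons(records)}


if __name__ == "__main__":
    result = analyze()
    print("C2 indicator hits:", len(result["ioc_hits"]))
    for (src, dst, port), med, n in result["beacons"]:
        print(f"beacon {src} -> {dst}:{port} every ~{med}s over {n} gaps")
```

On the sample data the script reports five direct hits on the C2 indicator and two beaconing flows with a 15-second median, one to helper.leuleu.net and one to the repointed TEST-NET address; the three-connection CDN flow and the single GitHub connection are ignored as too sparse to judge.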

Mitigation and Security Recommendations

Organizations that have deployed nhattuanbl/lara-helper, nhattuanbl/simple-queue, or nhattuanbl/lara-swagger should treat the affected environments as fully compromised. Rotate every secret the application could reach, including database passwords and API keys held in .env files, immediately. Remove the packages and the helper.php file, and restart the PHP workers or hosts afterwards: deleting the files does not terminate a background process that is already running. Audit file permissions, in particular anything set to 0777 (world-writable), and delete the lock file at {sys_get_temp_dir}/wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock. Monitor outbound traffic to helper[.]leuleu[.]net:2096, audit transitive dependencies rather than only the packages listed in composer.json, and avoid dev-master constraints in production, since they track whatever is at the branch head instead of a reviewed, pinned release.
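The dependency-audit advice above, together with the activation paths described earlier (a Laravel service provider discovered from package metadata, and code that runs as soon as the autoloader touches a file), can be turned into a quick check over composer.lock and the vendor tree. The script below is an added example, not code from the article or from Socket.dev. It relies on Composer's real lock-file schema (the `packages` array with `name`, `version`, `autoload` and `extra` keys), but the embedded lock excerpt, the `acme/*` package names, the `dev-master` version on the nhattuanbl entry, the PHP source samples and the 8 KiB single-line threshold are all constructed or assumed for illustration.

```python
"""Audit composer.lock and PHP sources for the traits of this campaign.

Added example, not from the article or Socket.dev. The sample lock file,
package metadata, source snippets and size threshold are constructed.
"""
import json
import os
import tempfile

SUSPECT_VENDOR = "nhattuanbl"   # vendor named in the article
BAD_PACKAGES = {                # packages named in the article
    "nhattuanbl/lara-helper", "nhattuanbl/simple-queue", "nhattuanbl/lara-swagger",
}
LOCK_MARKER = "wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock"  # lock file name from the article
SINGLE_LINE_MIN_BYTES = 8192    # assumed: a PHP file this large on one line is suspicious

# Constructed composer.lock excerpt. Real files carry many more fields.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.20.0",
         "autoload": {"psr-4": {"Illuminate\\": "src/Illuminate/"}}},
        {"name": "acme/lara-swagger", "version": "dev-master",
         "require": {"acme/lara-helper": "dev-master"},
         "autoload": {"psr-4": {"Acme\\Swagger\\": "src/"}}},
        {"name": "acme/lara-helper", "version": "dev-master",
         "autoload": {"psr-4": {"Acme\\Helper\\": "src/"}, "files": ["src/helper.php"]},
         "extra": {"laravel": {"providers": ["Acme\\Helper\\HelperServiceProvider"]}}},
        # Real package name; the version string here is a placeholder.
        {"name": "nhattuanbl/lara-helper", "version": "dev-master"},
    ]
})

# Constructed PHP sources, not the real payload: one ordinary multi-line file,
# one that mimics the "tens of kilobytes on a single line" trait.
NORMAL_PHP = (
    "<?php\n\nnamespace Acme\\Helper;\n\n"
    "function greet(string $n): string\n{\n    return \"hi $n\";\n}\n"
)
ONE_LINE_PHP = "<?php " + "".join(
    f"${chr(97 + i % 26)}{i}=base64_decode('QQ==');" for i in range(1200)
)


def audit_lock(lock_json):
    """Return (package, reason) findings for a composer.lock document."""
    findings = []
    for pkg in json.loads(lock_json).get("packages", []):
        name, version = pkg.get("name", ""), pkg.get("version", "")
        if name in BAD_PACKAGES or name.startswith(SUSPECT_VENDOR + "/"):
            findings.append((name, "known-malicious package or vendor"))
        if version.startswith("dev-"):
            # Branch constraints float: the next install may fetch different code.
            findings.append((name, f"unpinned branch constraint {version}"))
        files = pkg.get("autoload", {}).get("files", [])
        if files:
            # autoload.files is included on every request, before any class is used.
            findings.append((name, f"autoload.files runs unconditionally: {files}"))
        providers = pkg.get("extra", {}).get("laravel", {}).get("providers", [])
        if providers:
            # Laravel package discovery registers these at every application boot.
            findings.append((name, f"auto-discovered Laravel providers: {providers}"))
    return findings


def looks_obfuscated(source, min_bytes=SINGLE_LINE_MIN_BYTES):
    """Heuristic: a large PHP file squeezed onto one or two lines."""
    return len(source.encode()) >= min_bytes and source.count("\n") + 1 <= 2


def rat_lock_file_present():
    """Check for the lock file the article says the payload drops in the temp dir."""
    return os.path.exists(os.path.join(tempfile.gettempdir(), LOCK_MARKER))


if __name__ == "__main__":
    for name, reason in audit_lock(SAMPLE_LOCK):
        print(f"{name}: {reason}")
    print("single-line sample obfuscated:", looks_obfuscated(ONE_LINE_PHP))
    print("normal sample obfuscated:", looks_obfuscated(NORMAL_PHP))
    print("RAT lock file present:", rat_lock_file_present())
```

On the constructed lock file the audit produces no findings for laravel/framework, one for the floating branch constraint on acme/lara-swagger, three for acme/lara-helper (branch constraint, unconditional autoload, auto-discovered provider), and two for the real nhattuanbl/lara-helper name. The autoload and provider checks are heuristics rather than proof of malice; many legitimate packages use both, so treat those findings as a prompt to read the referenced files, not as a verdict.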

Category: Cyber Security News. Tags: command-and-control server, cross-platform threat, Cybersecurity, developer security, Laravel, nhattuanbl, obfuscation techniques, Packagist, PHP, remote access trojan, Security, software supply chain, supply chain attack, system compromise
