A significant cybersecurity breach has been identified, targeting Laravel Livewire applications globally. This attack exploits a severe remote code execution (RCE) vulnerability to extract sensitive credentials from thousands of systems worldwide.
Discovery of the Vulnerability
Security researchers at Imperva first detected suspicious activity on May 24, 2026, when their Cloud Web Application Firewall intercepted unusual deserialization attacks. These attacks were subsequently linked to the active exploitation of a vulnerability identified as CVE-2025-54068.
The vulnerability impacts Laravel Livewire v3 versions up to 3.6.3. It arises from inadequate validation during the framework’s hydration process, where user input is not properly verified before deserialization. This flaw enables unauthorized attackers to inject malicious serialized PHP objects, leading to arbitrary command execution on affected servers.
Analysis of attack patterns revealed the use of PHPGGC gadget chains to craft payloads capable of executing remote shell commands.
Implications for Laravel Livewire Users
In numerous instances, compromised systems were directed to retrieve and execute a harmful Bash script from a command-and-control server. This script, known as “shoc.enz,” is designed specifically to harvest credentials by scouring the file system for .env files that contain crucial application secrets like database credentials and API keys.
Once the script is deployed, it extracts vital information, such as database hostnames, usernames, passwords, and application keys, before staging and compressing this data for exfiltration. To avoid detection, the script erases traces of its activity post-execution.
Scale and Impact of the Breach
Imperva researchers discovered a multi-channel data exfiltration network utilizing an FTP server, Telegram API, and GoFile cloud storage. The FTP server alone stored thousands of stolen files, including over 1,850 complete database dumps. Overall, credentials from 6,167 distinct applications were compromised, affecting sectors such as e-commerce, healthcare, finance, education, and government.
The breach resulted in the theft of over 14,000 valid database passwords, 188 active Stripe payment keys, 381 AWS credentials, and numerous OAuth secrets and SMTP credentials. Many of these credentials were linked to production environments, amplifying the risk of subsequent attacks like financial fraud and account takeovers.
Indicators suggest the attack originates from an Indonesian threat actor, as evidenced by Indonesian-language comments in the malware, infrastructure tied to the Asia/Jakarta timezone, and connections to a related Telegram account. The domain hosting the malicious payload was disguised as a legitimate anti-bot service to further the deception.
Preventive Measures and Recommendations
Security experts emphasize that this large-scale credential theft campaign highlights the critical need to address unpatched vulnerabilities. Organizations using Laravel Livewire are urged to upgrade to version 3.6.4 or newer to mitigate this flaw.
Additional security measures include restricting outbound connections, monitoring for unusual API traffic, and rotating compromised credentials. These steps are crucial to minimize risk and prevent further exploitation.
Stay informed by following us on Google News, LinkedIn, and X for more instant updates.
