Security researchers have identified a significant security breach affecting several Composer packages managed by the Laravel-Lang organization. Hackers successfully inserted malware into these packages by altering all their Git tags, posing a severe threat to applications utilizing these third-party localization libraries.
Details of the Compromised Packages
The targeted packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. These are widely used in Laravel applications for localization purposes. The breach was initiated on May 22, with malicious version tags being published within a 15-minute window. By midnight UTC on May 23, all four packages had been compromised, according to StepSecurity.
Mechanism of the Malicious Attack
The attack did not involve direct modifications to the official repositories. Instead, attackers exploited GitHub’s version tagging system to point tags to commits from a malicious fork. This method allowed the spread of malware across over 700 historical versions of the packages, potentially affecting any application updating or freshly installing them.
The infected tags included a file named src/helpers.php, disguised as a Laravel localization helper. This file identifies the machine’s environment and connects to a command-and-control domain to download a PHP credential stealer, which executes clandestinely.
Consequences and Mitigation Strategies
The implanted malware is designed to extract sensitive data such as cloud service keys, Docker and Kubernetes setups, developer credentials, and more from affected systems. It also targets browser-stored credentials, cryptocurrency wallets, and various configuration files across different operating systems.
Organizations are advised to block the affected packages immediately and to treat any system that used them as potentially compromised. Before reinstalling, verify that the package versions being pulled in are clean rather than trusting the version tag alone. Additionally, rotate any exposed secrets and credentials that may reside on affected hosts or developer environments.
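Because the attack re-pointed tags rather than publishing new version numbers, a lock file can pin a poisoned commit under a familiar version string. The following triage script is an added example written for this article, not tooling from StepSecurity or Laravel-Lang: it lists every affected package in a composer.lock with the exact Git commit it pins (so it can be compared against an allowlist you build from the maintainers' verified releases; the allowlist contents are your own input, no real hashes are included here) and flags any vendor-relative path matching the src/helpers.php file the malicious tags carried. The sample lock fragment is constructed, and a helpers.php hit is a prompt for review, not proof of compromise.

```python
import json
import os
from pathlib import PurePosixPath

# Packages named in the advisory as having had their Git tags re-pointed.
AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

def affected_lock_entries(lock_text, known_good=None):
    # known_good: {package name: {commit sha, ...}} built from verified
    # releases (hypothetical input, supplied by the operator).
    known_good = known_good or {}
    lock = json.loads(lock_text)
    report = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            if name not in AFFECTED:
                continue
            # Composer pins the resolved commit in source.reference; this is
            # what actually gets installed, whatever the tag says.
            ref = (pkg.get("source") or {}).get("reference")
            verdict = "allowlisted" if ref in known_good.get(name, set()) else "unknown-ref"
            report.append({"name": name, "version": pkg.get("version"),
                           "reference": ref, "verdict": verdict})
    return report

def helper_php_hits(relative_paths):
    # Flag vendor-relative paths of the form laravel-lang/<pkg>/src/helpers.php.
    hits = []
    for p in relative_paths:
        parts = PurePosixPath(p).parts
        if len(parts) == 4 and parts[0] == "laravel-lang" and parts[2:] == ("src", "helpers.php"):
            hits.append(p)
    return hits

def scan_vendor_dir(vendor_dir):
    # Walk a real vendor/ directory and normalise paths before checking them.
    rel = []
    for root, _dirs, files in os.walk(vendor_dir):
        for f in files:
            rel.append(os.path.relpath(os.path.join(root, f), vendor_dir).replace(os.sep, "/"))
    return helper_php_hits(rel)

# Constructed composer.lock fragment; the commit hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0",
         "source": {"type": "git", "url": "https://github.com/laravel/framework.git", "reference": "a" * 40}},
        {"name": "laravel-lang/lang", "version": "15.0.0",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git", "reference": "b" * 40}}],
    "packages-dev": [
        {"name": "laravel-lang/attributes", "version": "2.9.0",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/attributes.git", "reference": "c" * 40}}],
})

if __name__ == "__main__":
    for entry in affected_lock_entries(SAMPLE_LOCK, known_good={"laravel-lang/lang": {"b" * 40}}):
        print(entry)
    print(scan_vendor_dir("vendor") if os.path.isdir("vendor") else "no vendor/ directory here")
```

Run it from the project root; any entry reported as unknown-ref should be compared against the maintainers' published clean commits before the package is reinstalled.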
This incident underscores the importance of vigilance in software supply chains and the need for robust security measures to protect sensitive data and systems.
