Summary
A supply chain attack on Laravel-Lang involved rewriting all git tags across four Composer packages to inject a secret-stealing payload that triggers during the PHP autoload process.
Take Action:
If your project uses any Laravel-Lang Composer packages (laravel-lang/lang, http-statuses, actions, or attributes), do not run composer update; instead, check whether your lockfile points to a tag pulled on or after May 22, 2026. If it does, assume every secret reachable from that build environment (CI tokens, cloud keys, GitHub PATs, deploy keys, database credentials) is stolen and rotate them all immediately. Block the domain flipboxstudio.info at your DNS and firewall, and only restore builds by pinning to a pre-attack commit SHA you've verified against a local clone.
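As an added example (not from the BeyondMachines article), here is a small Python triage check over composer.lock for the step above: it lists the four affected packages, the commit SHA each is pinned to, and flags any that resolved on or after May 22, 2026 or whose SHA is not in an allowlist you verified against a local clone. The sample lock contents and the allowlist are constructed; tag names are deliberately ignored because the attack rewrote them.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Packages named in the advisory.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/actions", "laravel-lang/attributes"}
ATTACK_START = datetime(2026, 5, 22, tzinfo=timezone.utc)

# Constructed sample lockfile (not a real lock): one package resolved before the
# attack window, one resolved afterwards, one unrelated package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.0.0",
         "source": {"type": "git", "reference": "aaaaaaaa" * 5},
         "time": "2026-03-01T10:00:00+00:00"},
        {"name": "laravel-lang/attributes", "version": "2.13.0",
         "source": {"type": "git", "reference": "bbbbbbbb" * 5},
         "time": "2026-05-23T08:15:00+00:00"},
        {"name": "symfony/console", "version": "v7.1.0",
         "source": {"type": "git", "reference": "cccccccc" * 5},
         "time": "2026-05-25T00:00:00+00:00"},
    ],
    "packages-dev": [],
})

def audit_lock(lock_json: str, verified_shas: Optional[dict] = None) -> list:
    """Return one finding per affected Laravel-Lang package in the lock.
    A package is flagged when its resolve time is missing or on/after the attack
    start, or when an allowlist {package: {sha, ...}} of locally verified commits
    is given and the pinned reference is not in it."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if name not in AFFECTED:
            continue
        ref = pkg.get("source", {}).get("reference", "")
        resolved = datetime.fromisoformat(pkg["time"]) if "time" in pkg else None
        reasons = []
        if resolved is None or resolved >= ATTACK_START:
            reasons.append("resolved on or after 2026-05-22")
        if verified_shas is not None and ref not in verified_shas.get(name, set()):
            reasons.append("commit not in locally verified allowlist")
        findings.append({"name": name, "version": pkg.get("version"),
                         "reference": ref, "suspect": bool(reasons),
                         "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(("SUSPECT " if f["suspect"] else "ok      ") + f["name"], f["reference"][:12], f["reasons"])
```

Run it against your real lockfile by replacing SAMPLE_LOCK with the file contents; any SUSPECT line means rotate secrets and re-pin to a verified SHA rather than trusting the tag.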
This article was originally published on BeyondMachines