Last week, we experienced a security incident that started as a performance issue and turned into a crypto mining investigation. Here's what happened and what you need to know if you're running Livewire in production.
The Initial Signs
Pages were loading slowly, and Livewire components were lagging. Our initial investigation pointed to pending PHP-FPM processes consuming server resources, coinciding with a recent deployment. We killed the processes, and everything seemed back to normal.
Or so we thought.
The Real Problem Emerges
Within hours, the server was slow again. CPU usage spiked to nearly 100% between 1:00 PM and 1:30 PM. This time, deeper investigation revealed something more sinister—a suspicious process running on the server:
```
apps 376184 547 13.9 4658672 4581484 ? Sl 12:46 268:46 \_ /var/www/apps/website/releases/1768928757/storage/stmept --url pool.supportxmr.com:3333 --user 8556M2fMqE8Dg1U3pERP9rJ64jaa6MMha5SY5ovWQ7XiYjxdKquPQ7Z4afpEeXUtfJVBLGvLncGxtKMugv61S9nFGMHNAFK --pass next --donate-level 0
```
The site had been compromised. Malicious files had been injected for Monero cryptocurrency mining.
The Malware Arsenal
We discovered multiple malicious files scattered across the application.
In the storage directory:
- gd.py
- guard.sh
- stmept
- wp-admin.php
In the public directory:
- 339a36afe37df27417e6c26b684845d4.lock
- Multiple suspicious PHP files: 4hpce7mz.php, 9hb1pmgk.php, klhrqd7x.php, wp-admin.php
The most persistent was the stmept binary—it would reappear within a minute of deletion, even after fresh deployments.
The Week Before
In retrospect, the warning signs were there. A week earlier, another of our content websites had been hacked, with files injected for remote code execution. We cleaned it up, and the files didn't return. We only noticed it because attackers had wiped the index.php, leaving the site blank. At the time, we couldn't identify the entry point.
The Investigation
Working with our hosting provider, we tried everything:
- Modified request validators in the code
- Reviewed all installed packages
- Used AI agents to search for backdoors
- Killed processes and deployed fresh releases
Nothing worked. The malware kept coming back.
Then, a Google search led us to this article, which described an identical scenario.
The Root Cause: CVE-2025-54068
The culprit was CVE-2025-54068, a remote code execution vulnerability in Livewire v3 that was disclosed in July 2025 and fixed in Livewire 3.6.4. It lets an unauthenticated attacker run arbitrary commands on your server with a crafted component update request; no account or session is needed. Every v3 release before 3.6.4 is affected, and 4.0 includes the fix.
We were running Livewire 3.5 across multiple projects.
All were vulnerable.
The Solution
We updated all projects to Livewire 4.0 via composer update. Since the update, the malware has not returned, and server performance has been stable.
Lessons Learned
Update immediately: If you're running any version of Livewire older than 3.6.4, update now to a patched 3.6.x release or to 4.0. This is a critical, unauthenticated remote code execution vulnerability.
Monitor for unusual processes: Regular server monitoring could have caught the crypto mining earlier.
Don't dismiss related incidents: The previous week's hack was a warning sign we didn't fully investigate.
Performance issues can be security issues: What started as a "slow website" complaint was actually an active breach.
Action Items
If you're running Livewire in production:
- Check your installed Livewire version:
  composer show livewire/livewire
- If it is older than 3.6.4, update immediately. Note that composer update only moves within the constraint in composer.json: with ^3.5 it will land on a patched 3.6.x release, while moving to 4.0 needs composer require livewire/livewire:^4.0
- Check for suspicious files in your storage and public directories (random-named PHP files, a wp-admin.php in a Laravel app, executables under storage)
- Review server processes for unusual CPU consumption and unfamiliar command lines
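The checks above, as an added shell script that is not the author's tooling or part of the original post: it compares the installed Livewire version against 3.6.4, scans storage/ and public/ for the file patterns from this incident, and flags process lines carrying the miner's pool host and flags. The release layout, the indicator lists and the sample ps output are assumptions seeded only from this post; extend the patterns with your own indicators before relying on it.

```shell
#!/bin/sh
# Added triage helpers for the checks listed above (not the post author's tooling).
# Assumptions: a Laravel layout with storage/ and public/ under the app directory,
# and file names, pool host and flags taken from this incident. The pattern lists
# are seeded only from this post; extend them with your own indicators.

# First Livewire v3 release that carries the fix for CVE-2025-54068.
PATCHED_VERSION="3.6.4"

# version_lt A B: succeed when dotted version A sorts before B (leading "v" ignored).
version_lt() {
    a=$(printf '%s' "$1" | sed 's/^v//')
    b=$(printf '%s' "$2" | sed 's/^v//')
    [ "$a" = "$b" ] && return 1
    first=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$a" ]
}

# livewire_vulnerable VERSION: succeed when VERSION predates the patched release.
livewire_vulnerable() {
    version_lt "$1" "$PATCHED_VERSION"
}

# composer_installed_version: reads "composer show livewire/livewire" output on
# stdin and prints the bare installed version (e.g. "3.5.12").
composer_installed_version() {
    awk '$1 == "versions" { v = $NF; sub(/^v/, "", v); print v; exit }'
}

# scan_ioc_files APP_DIR: prints files under storage/ and public/ that match the
# indicators from this incident, one path per line, de-duplicated.
scan_ioc_files() {
    app="$1"
    {
        # Exact names the attacker dropped in this incident.
        find "$app/storage" "$app/public" -type f \
            \( -name stmept -o -name guard.sh -o -name gd.py -o -name wp-admin.php \) 2>/dev/null
        # A .lock marker named with 32 hex characters in public/.
        find "$app/public" -type f -name '*.lock' 2>/dev/null | grep -E '/[0-9a-f]{32}\.lock$' || true
        # PHP files with 8-character random names directly in public/.
        find "$app/public" -maxdepth 1 -type f -name '*.php' 2>/dev/null | grep -E '/[a-z0-9]{8}\.php$' || true
        # Anything executable under storage/: it holds logs, cache and uploads, never binaries.
        find "$app/storage" -type f -perm -u+x 2>/dev/null
    } | sort -u
}

# flag_miner_processes: reads "ps -eo pid,user,pcpu,args" output on stdin and
# prints lines whose command line carries the miner markers seen in this incident.
flag_miner_processes() {
    grep -E 'pool\.supportxmr\.com|--donate-level|/stmept( |$)' || true
}

# Constructed sample of ps output (the miner line is the one from this post).
SAMPLE_PS='   PID USER     %CPU COMMAND
  1201 www-data  0.3 php-fpm: pool www
376184 apps    547.0 /var/www/apps/website/releases/1768928757/storage/stmept --url pool.supportxmr.com:3333 --user 8556M2fMqE8Dg1U3pERP9rJ64jaa6MMha5SY5ovWQ7XiYjxdKquPQ7Z4afpEeXUtfJVBLGvLncGxtKMugv61S9nFGMHNAFK --pass next --donate-level 0
   911 root      0.0 sshd: /usr/sbin/sshd -D'

# Usage: sh livewire_triage.sh /var/www/apps/website/current
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    v=$(cd "$1" && composer show livewire/livewire 2>/dev/null | composer_installed_version)
    if livewire_vulnerable "${v:-0.0.0}"; then
        echo "livewire/livewire ${v:-unknown} predates $PATCHED_VERSION: update now"
    else
        echo "livewire/livewire $v is patched"
    fi
    echo "--- suspicious files ---";     scan_ioc_files "$1"
    echo "--- suspicious processes ---"; ps -eo pid,user,pcpu,args | flag_miner_processes
fi
```

Run it against the current release directory rather than a single release path, so that files reappearing across deployments (as the stmept binary did here) are caught wherever the symlink points; a hit from scan_ioc_files or flag_miner_processes means you are cleaning up an active compromise, not just patching.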
Originally published on my blog.
If you found this helpful, please share it with other Livewire users. This vulnerability is serious and widespread awareness is crucial.