Someone Poisoned Laravel's Most Trusted Packages — 233 Versions, 700 Repos

Merradou Abderrahmane — Mon, 25 May 2026 13:31:43 +0000

On May 22, 2026, an attacker spent exactly 15 minutes on a keyboard.

When they were done, 233 versions of widely-used PHP packages had been silently replaced with credential-stealing malware. 700 GitHub repositories were compromised. And every developer who ran a routine composer update that day potentially handed over their AWS keys, SSH keys, database passwords, and crypto wallet files to a stranger on the internet.

No alarm fired. No error was thrown. The official GitHub repositories looked completely clean.

TL;DR

What: Supply chain attack on the Laravel-Lang ecosystem — May 22, 2026
How: Attacker rewrote every version tag across 3 packages to point at a malicious fork — without touching the official repos' commit history
What it stole: Cloud credentials, SSH keys, browser passwords, crypto wallets, CI/CD secrets
Who's at risk: Anyone who installed or updated laravel-lang/http-statuses, laravel-lang/actions, or laravel-lang/attributes on or around May 22
Action needed: Rotate your credentials now

Are You Affected? Check This First

Run this in your project:

grep -E "laravel-lang/(http-statuses|actions|attributes)" composer.lock

If any of these three packages appear and your dependencies were updated around May 22, 2026 — treat your environment as compromised and rotate everything immediately.

What Happened — The 15-Minute Timeline

Three packages were hit in a coordinated attack:

Time (UTC)	Package
23:41	`laravel-lang/http-statuses`
23:45	`laravel-lang/actions`
23:56	`laravel-lang/attributes`

15 minutes. 3 packages. Every version tag. Rewritten.

The Clever Part — Why the Repo Looked Clean

This is what makes this attack different from a typical "bad package on Packagist" incident.

GitHub allows version tags to point to commits in a fork — not just the official repository. The attacker used this to:

Create a malicious fork with credential-stealing code
Rewrite every existing version tag in the official repo to point at their fork's commits
Let Packagist serve the malicious code to anyone running composer update

If you visited the official Laravel-Lang repos on GitHub that day — nothing looked suspicious. Clean commit history. Clean code. The poison was completely hidden inside a fork no one would think to check.

👉 The full breakdown is in the complete article:

Read the complete writeup on Medium →

It covers:

The exact mechanism of the autoload.files payload
The full list of credentials targeted (AWS, SSH, CI/CD, crypto wallets, browser passwords)
Step-by-step recovery instructions
The three rules that would have protected you