
Merradou Abderrahmane

Originally published at Medium

Someone Poisoned Laravel's Most Trusted Packages — 233 Versions, 700 Repos

On May 22, 2026, an attacker spent exactly 15 minutes on a keyboard.

When they were done, 233 versions of widely-used PHP packages had been silently replaced with credential-stealing malware. 700 GitHub repositories were compromised. And every developer who ran a routine composer update that day potentially handed over their AWS keys, SSH keys, database passwords, and crypto wallet files to a stranger on the internet.

No alarm fired. No error was thrown. The official GitHub repositories looked completely clean.


TL;DR

  • What: Supply chain attack on the Laravel-Lang ecosystem — May 22, 2026
  • How: Attacker rewrote every version tag across 3 packages to point at a malicious fork — without touching the official repos' commit history
  • What it stole: Cloud credentials, SSH keys, browser passwords, crypto wallets, CI/CD secrets
  • Who's at risk: Anyone who installed or updated laravel-lang/http-statuses, laravel-lang/actions, or laravel-lang/attributes on or around May 22
  • Action needed: Rotate your credentials now

Are You Affected? Check This First

Run this in your project:

grep -E "laravel-lang/(http-statuses|actions|attributes)" composer.lock

If any of these three packages appear and your dependencies were updated around May 22, 2026 — treat your environment as compromised and rotate everything immediately.
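As an added check (example code, not from the post), this Python script goes one step past the grep: it parses composer.lock, pulls the commit reference each of the three packages was pinned to, and flags any autoload.files entry, which is where the post says the payload was wired in. The sample lock, its hashes and the file name src/bootstrap.php are constructed.

```python
import json

# The three packages named in the post.
SUSPECT_PACKAGES = {"laravel-lang/http-statuses", "laravel-lang/actions", "laravel-lang/attributes"}


def audit_lock(lock_text: str, suspects: set = SUSPECT_PACKAGES) -> list:
    """One finding per installed suspect package, in lock order.
    source.reference is the commit the tag resolved to (compare it with the
    official repo's tag); autoload.files is where the post says the payload
    lived, and those files run on every request."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") not in suspects:
                continue
            findings.append({
                "name": pkg["name"],
                "version": pkg.get("version"),
                "reference": pkg.get("source", {}).get("reference"),
                "time": pkg.get("time"),
                "autoload_files": pkg.get("autoload", {}).get("files", []),
                "dev": section == "packages-dev",
            })
    return findings


# Constructed sample lock (not a real lockfile; hashes are placeholders): an
# unrelated package, a suspect with PSR-4 only, and a dev suspect with files.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "1.0.0"},
        {"name": "laravel-lang/attributes", "version": "1.0.0",
         "source": {"reference": "2" * 40}, "time": "2026-05-20T10:00:00+00:00",
         "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"}}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/http-statuses", "version": "1.0.0",
         "source": {"reference": "3" * 40}, "time": "2026-05-22T23:41:00+00:00",
         "autoload": {"psr-4": {"LaravelLang\\HttpStatuses\\": "src/"},
                      "files": ["src/bootstrap.php"]}},
    ],
})

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        note = "REVIEW autoload.files" if f["autoload_files"] else "no autoload.files"
        print(f"{f['name']} {f['version']} {(f['reference'] or '?')[:12]} {f['time']} {note}")
```

A files entry is not proof of compromise on its own; the decisive check is whether the pinned reference still matches the tag in the official repository.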


What Happened — The 15-Minute Timeline

Three packages were hit in a coordinated attack:

| Time (UTC) | Package                    |
|------------|----------------------------|
| 23:41      | laravel-lang/http-statuses |
| 23:45      | laravel-lang/actions       |
| 23:56      | laravel-lang/attributes    |

15 minutes. 3 packages. Every version tag. Rewritten.


The Clever Part — Why the Repo Looked Clean

This is what makes this attack different from a typical "bad package on Packagist" incident.

GitHub allows version tags to point to commits in a fork — not just the official repository. The attacker used this to:

  1. Create a malicious fork with credential-stealing code
  2. Rewrite every existing version tag in the official repo to point at their fork's commits
  3. Let Packagist serve the malicious code to anyone running composer update

If you visited the official Laravel-Lang repos on GitHub that day — nothing looked suspicious. Clean commit history. Clean code. The poison was completely hidden inside a fork no one would think to check.


👉 The full breakdown is in the complete article:

Read the complete writeup on Medium →

It covers:

  • The exact mechanism of the autoload.files payload
  • The full list of credentials targeted (AWS, SSH, CI/CD, crypto wallets, browser passwords)
  • Step-by-step recovery instructions
  • The three rules that would have protected you

If this helped you or your team, share it. The faster this reaches the Laravel community, the faster affected developers can protect themselves.
